The threat actor group dubbed GreedyBear has orchestrated an industrial-scale operation blending malicious browser extensions, executable malware, and phishing infrastructure to siphon over $1 million in cryptocurrency from victims.
The campaign, uncovered by Koi Security researchers, spans roughly 650 malicious artifacts: about 150 weaponized Firefox extensions and nearly 500 malicious Windows executables, backed by dozens of scam websites. Each component is a familiar attack vector on its own; what sets GreedyBear apart is that they are operated as one coordinated theft pipeline rather than as separate campaigns.
Where most crimeware crews specialize in a single tactic, such as ransomware or phishing, GreedyBear combines credential theft, ransomware deployment, and scam sites, all reporting to a shared command-and-control (C2) server that handles exfiltration and monetization.
Multi-Vector Campaign
The campaign's core innovation is what Koi Security calls "Extension Hollowing". Attackers first upload genuinely benign Firefox extensions, such as rudimentary link sanitizers or YouTube downloaders, under freshly created publisher accounts; because each extension is harmless at submission time, it passes marketplace review.
The listings then accumulate fake positive reviews to build artificial trust. Once established, the attackers hollow them out: an update replaces the original functionality with malicious code that impersonates legitimate cryptocurrency wallets such as MetaMask, TronLink, Exodus, and Rabby.
The altered extensions capture wallet credentials typed into input fields in their popup interfaces and exfiltrate them, together with the victim's IP address, to a remote C2 server. The defensive lesson is that an extension's trustworthiness at install time says nothing about its later updates, which Firefox installs automatically by default and which are exactly what the hollowing technique relies on.
This is an evolution of the group's earlier Foxy Wallet campaign, in which Koi exposed 40 malicious extensions; at roughly 150 extensions the current wave is nearly four times that size, and the researchers found AI-generated code artifacts that accelerate payload diversification and help evade detection.
Researchers note that such AI-assisted scaling enables rapid adaptation, marking a shift toward automated, high-volume operations that outpace legacy antivirus signatures and marketplace vetting.
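The hollowing pattern described above has a detectable shape: a benign first release followed by an update whose capabilities grow (broad host permissions, content scripts aimed at wallet sites). The script below, an added example for this article and not Koi Security's tooling, diffs two extension manifests and reports that growth. Both manifests are constructed, and the wallet keyword list is an assumption drawn from the brands the article names.

```python
"""Flag an extension update whose capabilities grew the way the "extension
hollowing" pattern requires: a benign first release, then an update that gains
broad permissions or starts injecting scripts into wallet sites.
Added example for this article, not Koi Security's tooling; both manifests are
constructed and WALLET_KEYWORDS is an assumption."""
import json

# Constructed: a minimal manifest of the kind a benign "link cleaner" would ship.
BENIGN_V1 = json.dumps({
    "manifest_version": 2,
    "name": "Link Cleaner",
    "version": "1.0",
    "permissions": ["activeTab"],
    "browser_action": {"default_popup": "popup.html"},
})

# Constructed: a later release of the same listing after it has been hollowed out.
HOLLOWED_V2 = json.dumps({
    "manifest_version": 2,
    "name": "Link Cleaner",
    "version": "1.1",
    "permissions": ["activeTab", "storage", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*.metamask.io/*"], "js": ["inject.js"]}],
    "browser_action": {"default_popup": "popup.html"},
})

# Assumption: brands the article says the hollowed extensions impersonated.
WALLET_KEYWORDS = ("metamask", "tronlink", "exodus", "rabby")
# Permissions that let an extension read or intercept data from arbitrary pages.
HIGH_RISK_PERMS = {"<all_urls>", "webRequest", "webRequestBlocking",
                   "cookies", "clipboardRead", "nativeMessaging", "debugger"}


def permissions(manifest):
    """All permission strings. MV2 mixes host patterns into 'permissions',
    MV3 splits them into 'host_permissions'; treat both the same."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def page_access(manifest):
    """Match patterns granting page access: host permissions plus content-script matches."""
    hosts = {p for p in permissions(manifest) if "://" in p}
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def diff_update(old_json, new_json):
    """Return human-readable findings for capability growth between two manifests."""
    old, new = json.loads(old_json), json.loads(new_json)
    findings = []
    for perm in sorted((permissions(new) - permissions(old)) & HIGH_RISK_PERMS):
        findings.append(f"new high-risk permission: {perm}")
    for pattern in sorted(page_access(new) - page_access(old)):
        if any(k in pattern.lower() for k in WALLET_KEYWORDS):
            findings.append(f"new page access on a wallet domain: {pattern}")
    if not old.get("content_scripts") and new.get("content_scripts"):
        findings.append("content scripts introduced by this update")
    return findings


if __name__ == "__main__":
    for finding in diff_update(BENIGN_V1, HOLLOWED_V2):
        print("WARN", finding)
```

The check catches capability growth only. An extension that already shipped with the permissions it later abuses would pass it unchanged, so a manifest diff is a triage signal that tells you which updates deserve a look at the code itself, not a substitute for that look.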
Alongside the extensions, GreedyBear distributes nearly 500 malicious executables: credential stealers such as LummaStealer variants, and ransomware the researchers describe as Luca Stealer-derived, which encrypts files and demands cryptocurrency ransoms.
They are distributed through Russian-language sites offering cracked software. The trojans carry modular loader capabilities, so the operators can swap payloads while reusing the same backend infrastructure.

Dozens of scam websites round out the operation, masquerading as crypto products such as Jupiter-branded hardware wallets or Trezor repair services.
These sites, built around fabricated UI mockups, lure users into entering credentials or payment details, which opens the door to secondary fraud such as payment card abuse.
All of these elements report to one IP address, 185.208.156.66, which serves as a consolidated C2 for harvested data, ransomware coordination, and scam-site hosting (a second address, 185.39.206.135, appears in the indicator list below). That single chokepoint underscores the group's operational efficiency, and it also means a network block on the address disrupts every arm of the campaign at once. A linked malicious "Filecoin Wallet" extension points to expansion beyond Firefox to Chrome and other ecosystems.
Evolving Cyber Threat Landscape
The operation signals a shift in cybercrime: AI tooling lets attackers scale at unprecedented speed, blending open-source tooling with enterprise-like infrastructure.
Having grown from the Foxy Wallet exposures into a multi-platform threat that may target Edge and beyond, GreedyBear highlights the weaknesses of point-in-time browser marketplace vetting and the need for governance tools that keep evaluating extensions after they are installed.
Koi Security's platform, which automates risk assessment across extensions, repositories, and third-party code, is positioned by the company as a defense against this class of threat; Koi says it is already used by Fortune 50 firms.
As MITRE’s new IDE Extensions category underscores, securing untrusted code is paramount, with GreedyBear exemplifying how attackers exploit these blind spots for massive financial gain.
IOC Table
| Category | Indicators |
|---|---|
| IPs | 185.208.156.66, 185.39.206.135 |
| Domains | exodlinkbase.digital, suirokboys.digital, avalancheproject.digital, allextdev.world, alladdsite.digital, metahoper.digital, filecoinwallet.net, suinetwork.world, 888surprising.pythonanywhere.com, ventroxibnk.com, coral-cat-546626.hostingersite.com, extprojectdev.top, teaser.co.com, jub.co.com, jup.co.com.trezor-wallet.io, jupiterwallet.co.com.trezor-wallet.io, secure-wallets.co.com, connects.co.com, tweser.io, snipersol.com, upholdassets.com |
| Firefox Extension IDs (sample) | exodus-addon, rabby-wallet-extension, backpack-wallet, leap-wallet-addon, ctrl-wallet, braavos-wallet-addon, bitget-crypto-wallet, okx-extension-wallet, slush-crypto-wallet-sui, solflare-crypto |
| Chrome Extension IDs | plbdecidfccdnfalpnbjdilfcmjichdk |
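To put the table to use, the script below matches its indicators against proxy and DNS log lines and against an installed-extension inventory. It is an added example for this article, not Koi Security's tooling: the indicator values are copied from the table, while the log lines and the inventory are constructed. Note that several domains sit under shared hosting parents (pythonanywhere.com, hostingersite.com, co.com), so the matcher only fires on the listed hosts and their subdomains, never on the parent. The table labels the Firefox entries "IDs" although they have the shape of addons.mozilla.org listing slugs rather than Firefox's internal `name@domain` or GUID add-on IDs; the example therefore compares them against whatever identifier your inventory records, which is an assumption.

```python
"""Match the GreedyBear indicators from the IOC table against local telemetry.
Added example for this article, not Koi Security's tooling. Indicator values are
copied from the table; SAMPLE_LOGS and SAMPLE_INVENTORY are constructed."""
import re

C2_IPS = {"185.208.156.66", "185.39.206.135"}

DOMAINS = {
    "exodlinkbase.digital", "suirokboys.digital", "avalancheproject.digital",
    "allextdev.world", "alladdsite.digital", "metahoper.digital",
    "filecoinwallet.net", "suinetwork.world", "888surprising.pythonanywhere.com",
    "ventroxibnk.com", "coral-cat-546626.hostingersite.com", "extprojectdev.top",
    "teaser.co.com", "jub.co.com", "jup.co.com.trezor-wallet.io",
    "jupiterwallet.co.com.trezor-wallet.io", "secure-wallets.co.com",
    "connects.co.com", "tweser.io", "snipersol.com", "upholdassets.com",
}

# Labelled "Firefox Extension IDs" in the table; they look like addons.mozilla.org
# listing slugs, so compare against whatever identifier your inventory keeps (assumption).
FIREFOX_IDS = {
    "exodus-addon", "rabby-wallet-extension", "backpack-wallet", "leap-wallet-addon",
    "ctrl-wallet", "braavos-wallet-addon", "bitget-crypto-wallet",
    "okx-extension-wallet", "slush-crypto-wallet-sui", "solflare-crypto",
}
CHROME_IDS = {"plbdecidfccdnfalpnbjdilfcmjichdk"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname-like tokens; never matches a dotted quad because the last label must be alphabetic.
NAME_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)


def domain_matches(host):
    """True if host is an indicator domain or a subdomain of one.

    Suffix matching is one-directional on purpose: cdn.allextdev.world hits,
    but the shared parents pythonanywhere.com, hostingersite.com and co.com do
    not, because only the specific listed hosts are indicators.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def scan_log_lines(lines):
    """Return (line_number, kind, value) for every C2 IP or domain seen in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for ip in IP_RE.findall(line):
            if ip in C2_IPS and ip not in seen:
                seen.add(ip)
                hits.append((n, "ip", ip))
        for name in NAME_RE.findall(line):
            name = name.lower()
            if domain_matches(name) and name not in seen:
                seen.add(name)
                hits.append((n, "domain", name))
    return hits


def check_extensions(identifiers):
    """Return installed identifiers that appear in either browser's indicator set."""
    return [i for i in identifiers if i.lower() in FIREFOX_IDS | CHROME_IDS]


# Constructed sample telemetry (proxy and DNS resolver lines), not real logs.
SAMPLE_LOGS = [
    "2025-08-08T10:01:12Z proxy CONNECT 185.208.156.66:443 user=alice",
    "2025-08-08T10:02:03Z dns query A jupiterwallet.co.com.trezor-wallet.io from 10.0.0.21",
    "2025-08-08T10:03:44Z proxy GET https://cdn.allextdev.world/update.json status=200",
    "2025-08-08T10:04:10Z proxy GET https://addons.mozilla.org/firefox/downloads/ status=200",
    "2025-08-08T10:05:00Z dns query A 888surprising.pythonanywhere.com from 10.0.0.7",
]

# Constructed inventory: one legitimate add-on ID plus one entry from each indicator list.
SAMPLE_INVENTORY = ["uBlock0@raymondhill.net", "rabby-wallet-extension",
                    "plbdecidfccdnfalpnbjdilfcmjichdk"]

if __name__ == "__main__":
    for n, kind, value in scan_log_lines(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator {value}")
    print("flagged extensions:", check_extensions(SAMPLE_INVENTORY))
```

Feed `scan_log_lines` your own proxy, DNS or firewall export one line at a time; the IP hit on the first sample line is the kind of match that a single block on 185.208.156.66 would have prevented across every arm of the campaign.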