A cybercrime group called “GreedyBear” has been accused of stealing over $1 million through what researchers say is one of the most wide-reaching crypto theft operations seen in months.
Reports from Koi Security reveal the group is running a coordinated campaign that mixes malicious browser extensions, malware, and scam websites — all under one network.
Extensions Turned Into Wallet-Stealing Tools
Instead of focusing on just one method, GreedyBear has combined several. According to Koi Security researcher Tuval Admoni, the group has deployed more than 650 malicious tools in its latest push.
This marks a sharp rise from its earlier “Foxy Wallet” operation in July, which involved 40 Firefox extensions.
The group’s tactic, called “Extension Hollowing,” starts with publishing clean-looking Firefox add-ons such as video downloaders or link cleaners.
These extensions, released under fresh publisher accounts, collect fake positive reviews to appear trustworthy. Later, they are swapped for malicious versions impersonating wallets like MetaMask, TronLink, Exodus, and Rabby Wallet.
Once installed, they grab credentials from input fields and send them to GreedyBear’s control servers.
Malware Hidden In Pirated Software
Investigators have also tied nearly 500 malicious Windows files to the same group. Many of these belong to well-known malware families such as LummaStealer, ransomware similar to Luca Stealer, and trojans acting as loaders for other harmful programs.
Distribution frequently occurs through Russian-language websites that host cracked or “repacked” software. Targeting those seeking free software, the attackers reach far beyond the crypto community.
Modular malware was also found by Koi Security, in which operators can add or swap functions without deploying completely new files.
Fake Crypto Services Created To Swipe Data
Based on reports, in addition to the browser attacks and malware, GreedyBear has established fraudulent websites that fake themselves as genuine cryptocurrency solutions.
Some of these are said to offer hardware wallets, and others are fake wallet repair services for devices such as Trezor.
Also on offer are fake wallet apps with good-looking designs that trick users into inputting recovery phrases, private keys, and payment information.
Unlike standard phishing sites that copy exchange login pages, these scam pages look more like product or support portals.
Reports added that some of them remain active and are still collecting sensitive data, while others are on standby for future use.
Investigators found that nearly all domains tied to these operations lead back to a single IP address — 185.208.156.66. This server acts as the campaign’s hub, handling stolen credentials, coordinating ransomware activity, and hosting scam sites.
Featured image from Unsplash, chart from TradingView
