A malicious campaign has stolen over $1 million in cryptocurrency by deploying a combination of three attack methods across hundreds of browser extensions, fraudulent websites, and malware, according to cybersecurity firm Koi Security.
On Thursday, Koi Security researcher Tuval Admoni revealed that the group — dubbed “GreedyBear” — has “redefined industrial-scale crypto theft.”
“Most groups choose one approach — they might specialize in malicious browser extensions, ransomware, or phishing sites,” Admoni explained. “GreedyBear decided, ‘why not use all three?’ And the results were devastating.”
While none of GreedyBear’s tactics are entirely new, the report underscores how cybercriminals are increasingly blending multiple sophisticated scams to target cryptocurrency users. This, Admoni noted, signals that such groups have moved beyond “thinking small.”
More Than 150 Fraudulent Crypto Browser Extensions
More than $1 million has been stolen from cryptocurrency users through over 650 malicious tools aimed specifically at crypto wallet owners, according to Admoni.
The group has released more than 150 malicious extensions on the Firefox browser marketplace, each masquerading as popular crypto wallets like MetaMask, TronLink, Exodus, and Rabby Wallet.
Using a tactic known as “Extension Hollowing,” the attackers first upload legitimate extensions to pass the marketplace’s security reviews, then later modify them to carry out malicious activities.
Admoni noted that these extensions harvest wallet credentials directly from user input fields within counterfeit wallet interfaces.
“This approach allows GreedyBear to bypass marketplace security by appearing legitimate during the initial review process, then weaponizing established extensions that already have user trust and positive ratings.”
Deddy Lavid, CEO of cybersecurity firm Cyvers, told Cointelegraph that the GreedyBear campaign “demonstrates how cybercriminals exploit the trust users place in browser extension stores — cloning popular wallet plugins, boosting fake reviews, and then covertly replacing them with credential-stealing malware.”

In early July, Koi Security uncovered 40 malicious Firefox extensions, attributing the so-called “Foxy Wallet” campaign to suspected Russian threat actors.
Crypto-themed malware
The second phase of the group’s operations centers on crypto-focused malware, with Koi Security identifying nearly 500 samples.
Credential-stealing tools like LummaStealer are tailored to harvest crypto wallet data, while ransomware strains such as Luca Stealer are built to extort victims for cryptocurrency payments.
According to Admoni, much of this malware is spread via Russian websites that distribute cracked or pirated software.
A network of scam websites
The third prong of the group’s attack strategy is a network of fraudulent websites masquerading as legitimate crypto products and services.
“These aren’t your standard phishing sites copying login pages — they’re polished, fake product landing pages promoting digital wallets, hardware devices, or wallet recovery services,” Admoni explained.
He added that a single server functions as the central hub for command-and-control, credential harvesting, ransomware coordination, and scam site management, “enabling the attackers to run streamlined operations across multiple fronts.”

The campaign also appears to incorporate AI-generated code, allowing the attackers to rapidly scale and diversify their crypto-targeting operations — marking a new phase in cryptocurrency-focused cybercrime.
“This isn’t a passing trend — it’s the new normal,” Admoni warned.
“These attacks manipulate user expectations and evade static defenses by embedding malicious logic directly into wallet interfaces,” Lavid added. “It highlights the urgent need for stricter browser vendor vetting, greater developer transparency, and increased user vigilance.”