GreedyBear’s $1M Crypto Theft via Fake Wallet Extensions
Over the past five weeks, the Russian hacker group GreedyBear ran a large-scale crypto theft campaign that netted over $1 million in digital assets. The attackers deployed 150 malicious Firefox extensions and nearly 500 malware-laden Windows executables to phish for wallet credentials. Using a tactic dubbed "Extension Hollowing", they replaced add-ons that had been published as legitimate with fake MetaMask, Exodus, Rabby Wallet and TronLink plugins built to harvest private keys. Victims who installed these phishing extensions unknowingly surrendered their keys, letting the attackers transfer funds directly out of their wallets.

Additional malware, including LummaStealer, ransomware and trojans, was distributed through pirated-software sites. Almost all of the campaign's malicious domains resolved to a single IP address, 185.208.156.66, which served as the command-and-control hub that received stolen data and hosted payloads. Koi Security CTO Idan Dardikman confirmed that the Firefox extensions were the campaign's most lucrative attack vector.

The theft underscores ongoing phishing risks and the need for traders to vet extension sources, audit installed add-ons regularly, and install wallet extensions only from official channels.
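As an added example (not code from the article or from Koi Security), the Python script below turns the "audit installed add-ons" advice into a check a Firefox user can run against a profile's extensions.json: it flags wallet-branded add-ons that were not installed from addons.mozilla.org, and flags any add-on whose install or update URL points at the reported command-and-control IP 185.208.156.66. The field names used (addons[].id, type, defaultLocale.name, sourceURI, updateURL) are assumed from the layout of Firefox's extensions.json, and the embedded profile is constructed for the demonstration, not a real capture.

```python
"""Audit a Firefox profile's extensions.json for wallet-impersonating add-ons.

Added example for this article; it is not code from the original page or
from Koi Security. Assumptions not taken from the article: the field names
(addons[].id, type, defaultLocale.name, sourceURI, updateURL) follow the
layout of Firefox's extensions.json, and SAMPLE_EXTENSIONS_JSON below is a
constructed profile, not a real capture.
"""
import json
import sys
from urllib.parse import urlparse

# Wallet brands the campaign impersonated (named in the article).
WALLET_BRANDS = ("metamask", "exodus", "rabby", "tronlink")
# Command-and-control IP reported in the article.
IOC_HOSTS = {"185.208.156.66"}
# The official distribution host for Firefox add-ons.
OFFICIAL_HOST = "addons.mozilla.org"

# Constructed sample: one add-on pulled from AMO, one wallet-branded add-on
# sideloaded from the reported C2 IP, and a theme that the audit skips.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 37,
    "addons": [
        {"id": "webextension@example.invalid", "type": "extension",
         "defaultLocale": {"name": "MetaMask"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/x.xpi",
         "updateURL": None},
        {"id": "fake-rabby@example.invalid", "type": "extension",
         "defaultLocale": {"name": "Rabby Wallet"},
         "sourceURI": "http://185.208.156.66/rabby.xpi",
         "updateURL": "http://185.208.156.66/update.json"},
        {"id": "dark-theme@example.invalid", "type": "theme",
         "defaultLocale": {"name": "Dark Theme"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/t.xpi"},
    ],
})


def _host(url):
    """Lower-cased hostname of a URL, or '' when the URL is missing."""
    if not url:
        return ""
    return (urlparse(url).hostname or "").lower()


def audit_extensions(extensions_json):
    """Return [(id, name, [reasons])] for add-ons that merit a closer look.

    Two checks, both derived from the article's guidance: a wallet-branded
    add-on whose install source is not addons.mozilla.org, and any add-on
    whose install or update URL points at the reported C2 IP.
    """
    data = json.loads(extensions_json)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue
        name = (addon.get("defaultLocale") or {}).get("name", "")
        reasons = []
        hosts = {"sourceURI": _host(addon.get("sourceURI")),
                 "updateURL": _host(addon.get("updateURL"))}
        wallet_branded = any(brand in name.lower() for brand in WALLET_BRANDS)
        if wallet_branded and hosts["sourceURI"] != OFFICIAL_HOST:
            reasons.append("wallet-branded add-on not installed from "
                           f"{OFFICIAL_HOST} (source: {hosts['sourceURI'] or 'unknown'})")
        for field, host in hosts.items():
            if host in IOC_HOSTS:
                reasons.append(f"{field} points at reported C2 host {host}")
        if reasons:
            findings.append((addon.get("id", "?"), name, reasons))
    return findings


def audit_sample():
    """Run the audit over the constructed sample profile."""
    return audit_extensions(SAMPLE_EXTENSIONS_JSON)


if __name__ == "__main__":
    # Usage: python audit_extensions.py [path/to/profile/extensions.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            results = audit_extensions(fh.read())
    else:
        results = audit_sample()
    for addon_id, name, reasons in results:
        print(f"{name} ({addon_id})")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the sample, only the sideloaded "Rabby Wallet" entry is reported, with three reasons (non-official install source, install URL on the C2 IP, update URL on the C2 IP). A match on the install-source check is a prompt to verify the add-on by hand, not proof of compromise, since a genuine wallet extension installed from a vendor download would also trigger it; the IP check, by contrast, is a direct indicator tied to this campaign.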
Bearish
News of the $1M GreedyBear theft is bearish for the market. High-profile phishing campaigns undermine trader confidence and raise perceived risk. In the short term, victims and cautious holders may liquidate positions amid heightened security concerns, adding sell pressure. Over the long term, repeated breaches can slow adoption and trading volumes; they prompt stronger security measures, but speculative inflows shrink until confidence is restored.