Key Takeaways:
- Cybercrime group “GreedyBear” stole over $1 million in crypto using 650+ malicious tools, including 150+ fake browser extensions targeting wallets like MetaMask and TronLink.
- Attackers used “Extension Hollowing” to bypass security checks, later injecting credential-stealing code into trusted extensions.
- The operation also deployed nearly 500 crypto malware samples and ran scam websites, with evidence of AI-generated code accelerating attacks.
Cybersecurity firm Koi Security has revealed that a cybercrime group called “GreedyBear” has stolen over $1 million in cryptocurrency using a coordinated mix of fake wallet extensions, malware, and scam websites.
Researcher Tuval Admoni described the group as operating on an “industrial scale,” combining multiple attack types into a single large operation.
GreedyBear Steals $1M in Crypto Using 150+ Malicious Firefox Wallet Extensions https://t.co/IcJD7DzDQL
— The Cyber Security Hub™ (@TheCyberSecHub) August 8, 2025
GreedyBear has deployed more than 650 malicious tools, including over 150 fake browser extensions on the Firefox marketplace imitating popular wallets like MetaMask, TronLink, Exodus, and Rabby Wallet.
Using an “Extension Hollowing” tactic, they released legitimate-looking extensions to pass security checks before injecting credential-stealing code.
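Because a hollowed extension starts out benign and only gains its credential-stealing behaviour through a later update, one defensive check is to diff what each update adds. The Python below is an added example (not code from Koi Security or from this article) that compares two constructed manifest.json versions of a hypothetical extension and flags newly added high-risk permissions and content-script targets; the sample manifests and the risky-permission list are assumptions.

```python
"""Heuristic check for 'extension hollowing': a benign first release that
later gains access to wallet pages through an update. Compares two manifests."""

# Constructed sample manifests for a hypothetical extension (not real data).
BASELINE = {
    "name": "Wallet Helper", "version": "1.0.0",
    "permissions": ["storage"],
    "content_scripts": [],
}
UPDATE = {
    "name": "Wallet Helper", "version": "1.1.0",
    "permissions": ["storage", "tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

# Permissions that let an extension read or alter pages and credentials (assumed list).
RISKY_PERMISSIONS = {"<all_urls>", "tabs", "webRequest", "cookies", "clipboardRead"}


def _script_targets(manifest):
    """Set of URL match patterns that the manifest's content scripts run on."""
    return {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}


def diff_manifests(old, new):
    """Return (added permissions, added content-script targets) between two versions."""
    added_perms = set(new.get("permissions", [])) - set(old.get("permissions", []))
    added_targets = _script_targets(new) - _script_targets(old)
    return added_perms, added_targets


def assess_update(old, new):
    """Return (finding count, findings). Any finding means the update deserves review."""
    added_perms, added_targets = diff_manifests(old, new)
    findings = []
    risky = added_perms & RISKY_PERMISSIONS
    if risky:
        findings.append(f"risky permissions added: {sorted(risky)}")
    if added_targets:
        findings.append(f"new content-script targets: {sorted(added_targets)}")
    if "<all_urls>" in added_targets:
        findings.append("content script now runs on every site, including wallet pages")
    return len(findings), findings


if __name__ == "__main__":
    count, notes = assess_update(BASELINE, UPDATE)
    print(f"{count} finding(s) for {UPDATE['name']} {BASELINE['version']} -> {UPDATE['version']}")
    for note in notes:
        print(" -", note)
```

The same comparison can be run against the manifest stored on disk before and after an extension auto-updates, which is the point at which a hollowed extension changes character.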
The group also distributes nearly 500 types of crypto-focused malware, such as LummaStealer and Luca Stealer ransomware, often via Russian websites offering pirated software.
In addition, they run a network of professional-looking fake websites posing as legitimate crypto products, services, and wallet repair tools.
All three attack types are connected through a central server that handles data collection, ransomware control, and scam hosting.
Evidence suggests AI-generated code is being used to accelerate development.
Experts warn that GreedyBear’s tactics exploit user trust in extension stores and highlight the need for stronger vetting, developer transparency, and user vigilance against increasingly sophisticated crypto-targeted threats.