A major cyber campaign targeting cryptocurrency users has been uncovered, revealing the scale and sophistication of modern digital threats. Named “GreedyBear,” the operation has deployed more than 150 malicious extensions on the Mozilla Firefox marketplace, imitating popular cryptocurrency wallets and stealing over one million dollars (₹8.5 crores) in digital assets.
Security experts have identified a method called “Extension Hollow” that enables these extensions to bypass security checks and exploit user trust. The fake add-ons impersonate well-known wallets including MetaMask, TronLink, Exodus, and Rabby Wallet. According to a researcher at a security firm, attackers first release harmless-looking extensions to gain user trust, only activating their malicious features later. This approach allows the fake wallets to remain undetected for extended periods, maximising potential damage.
Once active, the extensions capture sensitive wallet credentials entered by users and transmit them to attacker-controlled servers. They also collect IP addresses, potentially for further targeting. The campaign appears to be an expansion of an earlier operation called “Foxy Wallet,” which involved around 40 similar Firefox extensions.
Beyond the Firefox store, researchers have linked the GreedyBear actors to malicious campaigns spread through Russian websites offering cracked or pirated software. These campaigns distribute information-stealing malware and ransomware. The attackers have also created fraudulent websites disguised as cryptocurrency tools and services, including wallet repair platforms, to trick users into revealing credentials or payment information. Investigators traced these activities to a single threat actor by identifying a shared command-and-control server at IP address 185.208.156[.]66.
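Two defender-side checks that follow from the report above, as an added example that is not code from the article or from the researchers it cites: a permission-drift check for the "benign first, malicious later" update pattern, and a sweep of proxy logs for the single command-and-control indicator the report names. The extension IDs, permission sets and log lines are constructed sample data; the risky-permission list is an assumption.

```python
"""Triage helpers for the staged-activation pattern and the C2 indicator
described in the report. All inventory rows and log lines are CONSTRUCTED."""
from collections import defaultdict

C2_IP = "185.208.156.66"  # indicator quoted (defanged) in the report

# Constructed add-on inventory snapshots, listed in chronological order:
# (extension_id, version, permissions). Extension IDs are made up.
INVENTORY = [
    ("wallet-helper@example", "1.0.0", {"storage"}),
    ("wallet-helper@example", "1.1.0", {"storage", "webRequest", "<all_urls>"}),
    ("tabsaver@example", "2.3.1", {"tabs"}),
    ("tabsaver@example", "2.3.2", {"tabs"}),
]

# Constructed proxy log lines: timestamp, client IP, destination IP, request.
PROXY_LOG = """\
2025-08-01T10:00:01Z 10.0.0.5 93.184.216.34 GET /index.html
2025-08-01T10:00:07Z 10.0.0.9 185.208.156.66 POST /collect
2025-08-01T10:01:12Z 10.0.0.5 185.208.156.66 POST /collect
"""

# Assumed set of permissions whose late appearance warrants a look.
RISKY = {"webRequest", "<all_urls>", "clipboardRead", "nativeMessaging"}


def permission_escalations(inventory):
    """Return {ext_id: (old_version, new_version, added_risky_perms)} for
    extensions that gained a risky permission between consecutive versions.
    Rows for one extension are assumed to be in chronological order."""
    by_id = defaultdict(list)
    for ext_id, version, perms in inventory:
        by_id[ext_id].append((version, set(perms)))
    findings = {}
    for ext_id, versions in by_id.items():
        for (v_old, p_old), (v_new, p_new) in zip(versions, versions[1:]):
            added = (p_new - p_old) & RISKY
            if added:
                findings[ext_id] = (v_old, v_new, sorted(added))
    return findings


def c2_contacts(log_text, c2_ip=C2_IP):
    """Return the set of internal client IPs seen contacting the C2 address."""
    clients = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == c2_ip:
            clients.add(parts[1])
    return clients
```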
Evidence suggests that artificial intelligence tools may have been used in creating these malicious extensions. The campaign has also expanded beyond Firefox, with a Google Chrome extension named Filecoin Wallet found using the same server and similar credential-stealing methods. This cross-platform spread marks a significant evolution of the threat into a large-scale, multi-platform operation backed by a broad infrastructure of malware and scams.