Crypto-stealing GreedyBear just became even greedier

Published: 11 August 2025
brown bear sits on a blue ball, orange fox, russian flag, red background, yellow letters
By Cybernews.

A crypto user-targeting attack group has been found to be using a new way to target victims, employing a new "redefined industrial-scale" strategy.

Researchers at Koi Security said that the GreedyBear attack group is now combining three tactics in its criminal activities: 150 malicious Firefox browser extensions, ransomware, and dozens of scam phishing sites. According to the researchers, user reports indicate that these criminals have managed to steal more than $1 million in crypto assets.

The research has shown that GreedyBear aims to impersonate popular crypto wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet with malicious browser extensions. Moreover, there are signs that the same attack group might be expanding to Chrome extensions as well.

ADVERTISEMENT

Meanwhile, with Firefox, it’s using the Extension Hollowing technique to bypass marketplace security and user trust mechanisms.

"Rather than trying to sneak malicious extensions past initial reviews, it builds legitimate-seeming extension portfolios first, then weaponizes them later when nobody’s watching," Koi Security said.

Koi also found that the campaign originates from the same threat group behind the earlier Foxy Wallet campaign, which exposed 40 malicious extensions, but the scale has now more than doubled.

blue transparent crypto wallet with gold coins falling to it
Flavio Coelho/Getty Images

The researchers have tied almost 500 malicious Windows executables to the same infrastructure, which includes credential stealers, ransomware variants, and various generic trojans.

The research has shown that these executables are distributed via various Russian websites that distribute cracked, pirated, or "repacked" software.

When it comes to crypto phishing sites, they’re found to be not typical phishing pages mimicking login portals, but "they appear as slick, fake product landing pages advertising digital wallets, hardware devices, or wallet repair services."

An example of a phishing site

ADVERTISEMENT
wallet secure screenshot, blue, green chip, screwdriver, white hand, green button
Source: Koi Security

Koi Security warned that some of these domains are fully functional while others might still be waiting for their turn to be used.

Meanwhile, the researchers have also found signs showing that all these tactics are linked to one group, as almost all domains across extensions, EXE payloads, and phishing sites resolve to a single IP address: 185.208.156.66.

"This server acts as a central hub for command-and-control (C2), credential collection, ransomware coordination, and scam websites, allowing the attackers to streamline operations across multiple channels," they added, stressing that attackers arm themselves with increasingly capable AI and defenders must ramp up their efforts as well.

Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT