GreedyBear Crypto Hack Campaign Steals $1M From Firefox Wallet Holders

A new Koi Security report says “GreedyBear” used 150+ fake Firefox wallet extensions, 500 malware samples and scam sites to steal $1M. Here’s what happened and how to stay safe.

Koi Security says a scam group dubbed GreedyBear stole over $1 million by pushing 150+ fake wallet extensions to Mozilla’s store, running ~500 malware samples, and luring victims to slick scam sites. The team links much of the operation to a single IP, showing one coordinated campaign.

Drain Scale, Methods, and the Smoking Gun

Koi Security’s report sets the baseline. The campaign mixes three attack types: weaponised Firefox extensions that imitate MetaMask, TronLink, Exodus and Rabby; Windows credential-stealing malware; and polished fake product sites for wallets and “repair” services. Reported losses top $1M.

The extension playbook uses “Extension Hollowing.” Attackers first upload harmless utilities, farm five-star reviews, then swap in malicious code and wallet branding later. That step lets the add-ons pass initial checks and keep their trust score.

Security desks have corroborated the scale. BleepingComputer and The Hacker News each reported 150+ malicious Firefox extensions and the $1M haul, crediting Koi’s research. Their coverage stresses wallet-credential theft via spoofed UIs inside the extensions.

This wave did not appear out of nowhere. In early July, Koi flagged the smaller “FoxyWallet” cluster with 40+ crypto-draining Firefox add-ons; German tech outlet Heise and others covered it then. GreedyBear looks like the scaled-up sequel.

Malware completes the toolkit. Koi ties ~500 Windows executables to the same backend, including LummaStealer-style info stealers and ransomware variants seeded on cracked-software sites. One IP address (185.208.156.66) shows up as a central hub linking extensions, payloads and fake sites. IP intelligence sites list many domains on that block, hinting at broad misuse.

GreedyBear blends old tricks at industrial scale, even showing AI-generated code artefacts that speed up churn, evasion and payload variety. That helps explain how hundreds of tools landed across stores and sites in weeks.

What This Means for Web3 Users

For users, the weak point is browser extensions. You type a seed or password into a friendly pop-up; the extension exfiltrates it in the background. Even a single mistake can empty a wallet. That risk doesn’t care if you trade on DeFi or only move USDC now and then.

For teams, the problem is supply-chain trust. A fake extension with good reviews looks safe to community moderators and support staff. Koi shows how attackers plant benign tools to build a reputation, then flip the switch later. Internal “safe links” lists and help-center articles can turn into trapdoors if no one re-checks them.

For platforms, the challenge is store governance. The July wave against Mozilla’s add-on store (the FoxyWallet case) already showed vetting gaps. Now the GreedyBear scale-up proves adversaries can treat add-on stores like growth channels. Expect tighter review, rapid takedowns, and more retroactive scanning.

Defenders should assume multi-vector pressure. Beyond the add-ons, Koi ties in Windows malware seeded via piracy portals and fake hardware-wallet shops that harvest card data and seeds. One backend, many fronts. That consolidation raises hit rates and lowers costs for the attacker.

The pattern fits a wider fraud arc. ESET and others have tracked trojanised wallet apps and “free seed” scams since 2022–2024. GreedyBear just packages the same goals with new distribution muscle and better automation.

Bottom line: this is not a one-off. Koi’s indicators include domain lists, extension IDs, and hashes. If stores and antivirus vendors act on them, the current infrastructure will burn. But the model – seed theft at scale – will return unless we harden user flows.

Practical Playbook — Stop Extension Drains Before They Start

Never type a seed or password into an extension pop-up. Real wallets push recovery to an offline flow or a native app setup, not a browser box. If a plug-in asks for a seed, treat it as a red flag and bail. (This is exactly how the GreedyBear clones scored.)

Lock down installs. Use one “hot” browser for dApps with extensions locked to a short whitelist; use a separate “clean” browser for everything else. Enterprises should enforce this with MDM and block unreviewed add-ons by default. SlowMist’s user guide pushes the same “least-trust” habit.

Buy hardware wallets from trusted links only. Koi lists bogus “Jupiter/Trezor” sites and “wallet repair” pages. Type vendor URLs yourself; avoid search ads and QR codes. If a site offers repairs that need your seed, it’s a scam.

Check IOCs and purge. If you use Firefox, audit your add-ons against Koi’s extension ID list, then remove anything unknown. Rotate keys for any account that ever touched a suspicious extension. Koi’s report includes domains, IPs (185.208.156.66) and IDs you can block at the network layer.
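The audit step above, as an added example that is not part of the article or Koi’s report: a script that reads a Firefox profile’s `extensions.json`, flags any add-on whose ID is on an IOC list, any add-on fetched from an IOC host, and any add-on holding capabilities that let it read or rewrite every page. The extension IDs and domain in the IOC set are placeholders (Koi’s real lists are not reproduced here); only the IP is the one the article names. The profile paths and the `extensions.json` field names (`id`, `type`, `defaultLocale.name`, `sourceURI`, `userPermissions`) are assumptions about Firefox’s current on-disk format.

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# Constructed IOC lists: placeholder IDs and domain stand in for Koi's lists.
# Only the IP is the one the article names. Swap in the real indicators.
IOC_EXTENSION_IDS = {
    "wallet-helper@example.invalid",
    "{11111111-2222-3333-4444-555555555555}",
}
IOC_DOMAINS = {"wallet-repair.example.invalid"}
IOC_IPS = {"185.208.156.66"}

# Capabilities that give an extension reach into every page (and any wallet UI).
HIGH_RISK_CAPABILITIES = {
    "<all_urls>", "webRequest", "webRequestBlocking",
    "clipboardRead", "nativeMessaging",
}


def audit_addons(extensions_json: str) -> list[dict]:
    """One finding per installed extension that matches an IOC or holds a
    high-risk capability. Input is the text of a profile's extensions.json."""
    data = json.loads(extensions_json)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and langpacks are out of scope
        addon_id = addon.get("id", "")
        name = addon.get("defaultLocale", {}).get("name", "")
        reasons = []

        if addon_id in IOC_EXTENSION_IDS:
            reasons.append("extension ID is on the IOC list")

        # Where the XPI came from: an IOC domain or IP is a direct hit
        host = urlparse(addon.get("sourceURI") or "").hostname or ""
        if host in IOC_DOMAINS or host in IOC_IPS:
            reasons.append(f"installed from IOC host {host}")

        user_perms = addon.get("userPermissions") or {}
        granted = set(user_perms.get("permissions", [])) | set(user_perms.get("origins", []))
        risky = sorted(granted & HIGH_RISK_CAPABILITIES)
        if risky:
            reasons.append("high-risk capabilities: " + ", ".join(risky))

        if reasons:
            findings.append({
                "id": addon_id,
                "name": name,
                "version": addon.get("version", ""),
                "active": bool(addon.get("active", False)),
                "reasons": reasons,
            })
    return findings


def find_profile_files() -> list[Path]:
    """Locate extensions.json under the usual Firefox profile roots
    (assumed Linux, macOS and Windows locations; not exhaustive)."""
    home = Path.home()
    roots = [
        home / ".mozilla" / "firefox",
        home / "Library" / "Application Support" / "Firefox" / "Profiles",
        home / "AppData" / "Roaming" / "Mozilla" / "Firefox" / "Profiles",
    ]
    return [p for root in roots if root.is_dir() for p in root.glob("*/extensions.json")]


# Constructed sample in the shape of extensions.json: one benign add-on, one
# whose ID is on the IOC list, one fetched from the IOC IP, and one theme.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "tab-tidy@example.invalid", "type": "extension", "version": "1.2.0",
         "active": True, "defaultLocale": {"name": "Tab Tidy"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/tab_tidy.xpi",
         "userPermissions": {"permissions": ["tabs", "storage"], "origins": []}},
        {"id": "wallet-helper@example.invalid", "type": "extension", "version": "3.0.1",
         "active": True, "defaultLocale": {"name": "MetaMask Wallet Helper"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/helper.xpi",
         "userPermissions": {"permissions": ["storage", "clipboardRead"], "origins": ["<all_urls>"]}},
        {"id": "repair-tool@example.invalid", "type": "extension", "version": "0.9",
         "active": False, "defaultLocale": {"name": "Wallet Repair"},
         "sourceURI": "http://185.208.156.66/repair.xpi",
         "userPermissions": {"permissions": ["tabs"], "origins": []}},
        {"id": "dark@example.invalid", "type": "theme", "version": "1.0",
         "active": True, "defaultLocale": {"name": "Dark"}},
    ],
})


if __name__ == "__main__":
    # Audit real profiles if any are found, otherwise the constructed sample
    files = find_profile_files()
    sources = [(str(f), f.read_text(encoding="utf-8")) for f in files] \
        or [("constructed sample", SAMPLE_EXTENSIONS_JSON)]
    for label, text in sources:
        for f in audit_addons(text):
            state = "ACTIVE" if f["active"] else "disabled"
            print(f"[{label}] {f['name']} ({f['id']} v{f['version']}, {state})")
            for r in f["reasons"]:
                print(f"    - {r}")
```

A disabled add-on that matches still gets reported: it may have been active when a seed was typed, which is why the key-rotation advice applies to anything that ever matched, not only to what is running now.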

Treat cracked software as hostile. Many GreedyBear payloads came via “free” Windows downloads. If a trading PC needs a tool, pay for it, verify checksums, and isolate it from wallets. This aligns with prior malware studies on trojanised wallet apps.

Demand more from stores. At minimum: delayed-update holds for high-risk categories; post-publish diff scans to catch hollowing; signed-in warnings when an extension changes name, icon or permissions; and one-click seed-entry blockers. Press coverage has already pushed this up the priority list.
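The post-publish diff scan the paragraph asks for, as an added example that is not code from the article, Koi, or any store: it compares two `manifest.json` versions of one listing and flags the hollowing signature described earlier (a rename, especially to a wallet brand, landing together with a new icon, new permissions, or content scripts that now run everywhere). The brand list is built from the wallets the article says were imitated; the two manifests and the hold policy are constructed for illustration.

```python
import json

# Constructed from the wallets the article names as imitated; a store would keep a fuller list
WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby")

# Permissions or origins whose first appearance in an update deserves a manual look
SENSITIVE = {"<all_urls>", "webRequest", "webRequestBlocking", "clipboardRead",
             "nativeMessaging", "cookies", "history"}


def _perm_set(manifest: dict) -> set[str]:
    """Union of MV2 'permissions' and MV3 'host_permissions'."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def _content_script_matches(manifest: dict) -> set[str]:
    """Every URL pattern any content script is declared to run on."""
    return {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}


def diff_manifests(old: dict, new: dict) -> list[dict]:
    """Findings (severity + message) for changes that signal hollowing."""
    findings = []
    old_name, new_name = old.get("name", ""), new.get("name", "")
    if old_name != new_name:
        findings.append({"severity": "medium", "msg": f"name changed: {old_name!r} -> {new_name!r}"})
        had_brand = any(b in old_name.lower() for b in WALLET_BRANDS)
        has_brand = any(b in new_name.lower() for b in WALLET_BRANDS)
        if has_brand and not had_brand:
            findings.append({"severity": "high", "msg": "update adopts a wallet brand name it did not have before"})
    if old.get("icons") != new.get("icons"):
        findings.append({"severity": "low", "msg": "icon set changed"})
    added = _perm_set(new) - _perm_set(old)
    if added:
        sev = "high" if added & SENSITIVE else "medium"
        findings.append({"severity": sev, "msg": "permissions added: " + ", ".join(sorted(added))})
    new_matches = _content_script_matches(new) - _content_script_matches(old)
    if new_matches:
        sev = "high" if "<all_urls>" in new_matches else "medium"
        findings.append({"severity": sev, "msg": "content scripts now run on: " + ", ".join(sorted(new_matches))})
    return findings


def should_hold_update(findings: list[dict]) -> bool:
    """Constructed policy: hold for human review on any high finding, or when a
    rename coincides with any other change. A rename alone just gets a warning."""
    renamed = any(f["msg"].startswith("name changed") for f in findings)
    return any(f["severity"] == "high" for f in findings) or (renamed and len(findings) > 1)


# Constructed manifests: a harmless utility (v1), a cosmetic rename (v1b), and
# the hollowed update (v2) that rebrands as a wallet and widens its reach.
MANIFEST_V1 = {
    "manifest_version": 3, "name": "Tab Tidy", "version": "1.2.0",
    "icons": {"48": "icons/tidy.png"},
    "permissions": ["tabs", "storage"],
}
MANIFEST_V1_RENAMED = {**MANIFEST_V1, "name": "Tab Tidy Pro", "version": "1.3.0"}
MANIFEST_V2 = {
    "manifest_version": 3, "name": "MetaMask Wallet Helper", "version": "2.0.0",
    "icons": {"48": "icons/fox.png"},
    "permissions": ["tabs", "storage", "clipboardRead"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}


if __name__ == "__main__":
    for label, new in (("v1 -> v1b", MANIFEST_V1_RENAMED), ("v1 -> v2", MANIFEST_V2)):
        findings = diff_manifests(MANIFEST_V1, new)
        print(f"{label}: hold={should_hold_update(findings)}")
        for f in findings:
            print(f"  [{f['severity']}] {f['msg']}")
        print(json.dumps(findings, indent=2) if not findings else "")
```

The cosmetic rename produces one medium finding and no hold, so the scan does not punish ordinary product renames; the hollowed update trips four separate signals and is held before it reaches existing installs, which is the point of the delayed-update hold the paragraph proposes.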

Drain Means Pain

GreedyBear shows how one crew can run extensions, malware, and fake sites from a shared backend and steal seven figures. The novelty isn’t technique; it’s scale. And scale beats ad-hoc user caution every time.

If you hold crypto, assume your browser is an attack surface. Split devices. Whitelist extensions. Keep seeds offline. Verify every download. Then nuke anything that fails a sanity check against Koi’s indicators.

For builders and platforms, the fix is policy and plumbing. Slow down extension updates that flip names and permissions. Auto-flag seed prompts. Share indicators of compromise (IOCs). Do that, and the next “bear” won’t find such easy honey.
