GreedyBear hackers steal $1M+ in crypto via malicious browser extensions
A new report reveals how a single coordinated operation used ‘Extension Hollowing’ to bypass security checks and drain cryptocurrency wallets across multiple platforms.
Cybersecurity firm Koi Security has uncovered GreedyBear, a coordinated cybercrime campaign that has stolen more than $1 million in digital assets. The operation relied on 150 weaponized Firefox extensions, nearly 500 malicious executables and dozens of phishing websites, all controlled through a single command-and-control server.
Source: Koi Security
The group’s signature tactic, dubbed “Extension Hollowing,” let them pass the marketplace’s security review with benign code: they first built a portfolio of legitimate-looking extensions, then injected the malicious code through later updates.
“This is one of the most coordinated browser extension attacks we’ve seen in the crypto space to date,” — Martin Cole, Threat Intelligence Lead at Koi Security.
Extension Hollowing: trust before betrayal
At the core of the GreedyBear hack is a social engineering playbook designed to exploit the trust of both users and marketplace reviewers. Attackers created publisher accounts and uploaded five to seven harmless extensions, such as link cleaners or video downloaders, to gain credibility.
They bolstered these with dozens of fake positive reviews, securing high user ratings. Once trust was established, they updated the extensions with malicious code, changed branding to impersonate popular crypto wallets like MetaMask, TronLink, Exodus, and Rabby Wallet, and began harvesting wallet credentials directly from input fields.
The extensions kept the wallet functionality users expected, so the theft went unnoticed for longer. Victim IP addresses were logged at initialization, and the harvested data was exfiltrated to a single remote server.
“This method is a clear evolution from last year’s Foxy Wallet campaign,” — Elena Morozova, Malware Researcher at CryptoDefend Labs. “The scale and sophistication of the GreedyBear crypto hack point to well-funded actors.”
One server to rule them all
The GreedyBear hack centralized its command infrastructure on a single server that controlled the browser extensions, the malware payloads and the scam websites. Every domain in the campaign resolved to one IP address, a unified control point for the attackers and, for defenders, a single pivot: blocking or alerting on that address covers all three prongs of the operation.
The malicious ecosystem didn’t stop with Firefox. Koi Security also identified Chrome extension variants, including a “Filecoin Wallet” version that communicated with the same server, suggesting imminent expansion to Edge and other browsers.
Alongside the extensions, nearly 500 malicious Windows executables were distributed through Russian websites hosting cracked software. These files dropped multiple malware families, targeting users looking for free copies of paid applications.
Fraudulent landing pages marketed counterfeit hardware wallets and fake wallet repair services, particularly for Jupiter-branded and Trezor devices. These sites collected wallet credentials, personal details, and payment information.
AI-assisted scaling and the bigger security picture
Researchers also found AI-generated code artifacts throughout the campaign, an increasingly common pattern in cybercrime. This automation let GreedyBear churn out varied malware payloads quickly and evade detection.
The GreedyBear hack joins a growing list of high-profile crypto-focused incidents in 2025, including $1 million lost to YouTube account hijacking scams, $3.05 million lost to phishing, and the $4.5 million CrediX exploit.
Many experts are calling for a rethink of the crypto security approach. Speaking with Cryptonews, Circuit CEO Harry Donnelly criticized negotiation-based recovery methods:
“Automated threat response should be standard to ensure assets are kept out of harm’s way, rather than hoping to bargain with bad actors.”
He added that “the CrediX recovery is a rare win in a system that too often leaves users with little recourse.”
According to industry tracking, crypto losses in the first half of 2025 reached $2.2 billion across 344 incidents, with the GreedyBear hack just one part of a troubling pattern.
What investors should do now
For crypto investors, the GreedyBear hack underscores the need for vigilance when installing browser extensions and using third-party wallet services.
Security experts recommend:
Verify the publisher before installing an extension: check how long the account has existed and what else it publishes. A new publisher with a handful of unrelated utilities is exactly the profile GreedyBear built to gain credibility.
Avoid cracked software from unofficial sources; that was the delivery channel for the campaign’s Windows executables.
Audit wallet permissions and installed browser add-ons regularly, and treat an update that renames an extension or requests new permissions as a reason to uninstall it.
Buy hardware wallets only from verified vendors, and treat wallet repair offers on unfamiliar sites as scams.
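As an added example, not code from the Koi Security report or this article, here is a small Python audit that reads two snapshots of a Firefox profile’s extensions.json and flags the Extension Hollowing tells described above: an add-on renamed to a wallet brand, an update that adds broad host permissions, or any add-on with a wallet-like name or site-wide access. The extensions.json field names are taken from recent Firefox profiles and should be checked against your own file; the wallet brand list, extension IDs and both snapshots are constructed for the demo.

```python
import json

# Wallet brands the article says GreedyBear impersonated or targeted (assumed list).
WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby", "trezor", "jupiter", "filecoin")
# Host-permission patterns that let a content script read input fields on every site.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_addons(text):
    """Parse an extensions.json blob into {addon_id: record}, extensions only.
    Field names assumed here (id, type, defaultLocale.name, userPermissions.origins)
    follow recent Firefox profiles; verify them against your own file."""
    data = json.loads(text)
    return {a["id"]: a for a in data.get("addons", []) if a.get("type") == "extension"}


def addon_name(rec):
    return (rec.get("defaultLocale") or {}).get("name", "")


def origins(rec):
    return set((rec.get("userPermissions") or {}).get("origins", []))


def hollowing_signals(baseline, current):
    """Return {addon_id: [signal, ...]} for add-ons in `current` showing at least
    one indicator. `baseline` is an earlier snapshot of the same profile ({} if none)."""
    findings = {}
    for aid, rec in current.items():
        signals = []
        name = addon_name(rec)
        if any(brand in name.lower() for brand in WALLET_BRANDS):
            signals.append(f"wallet-branded name: {name!r}")
        broad = origins(rec) & BROAD_ORIGINS
        if broad:
            signals.append(f"broad host access: {sorted(broad)}")
        old = baseline.get(aid)
        if old is not None:
            # The hollowing tell: a benign utility turns into a "wallet" and gains reach.
            if addon_name(old) != name:
                signals.append(f"renamed from {addon_name(old)!r}")
            added = origins(rec) - origins(old)
            if added:
                signals.append(f"origins added in update: {sorted(added)}")
        if signals:
            findings[aid] = signals
    return findings


def high_risk(findings):
    """IDs whose signals match the hollowing pattern (rename or permission grab),
    as opposed to an add-on that always had broad access or a wallet-like name."""
    return sorted(aid for aid, sigs in findings.items()
                  if any(s.startswith(("renamed", "origins added")) for s in sigs))


# Constructed sample snapshots (not real extension IDs): a "Link Cleaner" that an
# update turns into "MetaMask Wallet" with <all_urls>, an unchanged downloader, and
# a newly installed wallet-branded add-on with narrow permissions.
T0, T1 = 1700000000000, 1754000000000
BASELINE_JSON = json.dumps({"schemaVersion": 37, "addons": [
    {"id": "linkclean@example.test", "type": "extension", "version": "1.2",
     "defaultLocale": {"name": "Link Cleaner"},
     "userPermissions": {"permissions": ["tabs"], "origins": ["*://example.test/*"]},
     "installDate": T0, "updateDate": T0},
    {"id": "vidget@example.test", "type": "extension", "version": "3.0",
     "defaultLocale": {"name": "Video Downloader"},
     "userPermissions": {"permissions": ["downloads"], "origins": ["<all_urls>"]},
     "installDate": T0, "updateDate": T0},
]})
CURRENT_JSON = json.dumps({"schemaVersion": 37, "addons": [
    {"id": "linkclean@example.test", "type": "extension", "version": "2.0",
     "defaultLocale": {"name": "MetaMask Wallet"},
     "userPermissions": {"permissions": ["tabs", "storage"], "origins": ["<all_urls>"]},
     "installDate": T0, "updateDate": T1},
    {"id": "vidget@example.test", "type": "extension", "version": "3.0",
     "defaultLocale": {"name": "Video Downloader"},
     "userPermissions": {"permissions": ["downloads"], "origins": ["<all_urls>"]},
     "installDate": T0, "updateDate": T0},
    {"id": "rabby@example.test", "type": "extension", "version": "1.0",
     "defaultLocale": {"name": "Rabby Wallet"},
     "userPermissions": {"permissions": ["storage"], "origins": ["https://app.rabby.test/*"]},
     "installDate": T1, "updateDate": T1},
]})


def demo(baseline_json=BASELINE_JSON, current_json=CURRENT_JSON):
    """Run the audit on two snapshots and print one line per flagged add-on."""
    findings = hollowing_signals(load_addons(baseline_json), load_addons(current_json))
    for aid, sigs in findings.items():
        print(f"{aid}: " + "; ".join(sigs))
    print("high risk:", high_risk(findings))
    return findings


if __name__ == "__main__":
    demo()
```

To run it against a real profile, keep a copy of extensions.json taken when the profile was known-good (on Linux it lives under ~/.mozilla/firefox/<profile>/, on Windows under %APPDATA%\Mozilla\Firefox\Profiles\<profile>\) and pass that file’s text as the baseline and the current file’s text as the second argument. A broad-permission extension on its own is common and not proof of anything; the rename and permission-escalation signals are the ones that match the hollowing pattern the article describes.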
While platforms like OKX and Microsoft have issued earlier warnings about browser-based wallet threats, the scale of the GreedyBear crypto hack suggests that traditional detection and review systems are struggling to keep up with AI-accelerated cybercrime.
If there’s one takeaway, it’s that the line between convenience and compromise has never been thinner, and the next GreedyBear-style crypto hack could be only a few clicks away.