Some of the links on this site may be affiliate links. ICOBench may receive advertising commissions when users visit recommended platforms via our affiliate links, at no additional cost to you. All recommendations are based on a comprehensive review process. 
Russia-linked cybercrime group GreedyBear has stolen over $1 million in cryptocurrency within just five weeks, according to cybersecurity researchers. The operation represents a major escalation in the group’s activities, leveraging AI-generated code and a growing arsenal of malicious browser extensions.
150 Malicious Firefox Extensions Masquerading as Crypto Wallets
🐻 GreedyBear has stolen $1M+ in crypto, ramping up cyber theft risks with industrial-scale tactics.
💼 Two Seas Capital opposes Core Scientific’s $9B buyout, citing undervaluation—potentially shifting sector valuations.#Crypto #Cybersecurity #Investing pic.twitter.com/zmNhj5nZAB
— Market Machina (@market_machina) August 8, 2025
GreedyBear has deployed 150 fraudulent Firefox extensions imitating popular crypto wallets such as MetaMask and Exodus. This is a sharp increase from 40 extensions identified between April and July, signaling a shift toward large-scale, coordinated cyberattacks.
The group’s preferred technique, known as extension hollowing, involves first releasing a legitimate wallet extension to build trust and pass security reviews. Once the extension gains users, it is updated with malicious code designed to harvest login credentials whenever victims attempt to sign in.
High-traffic wallets like MetaMask are especially targeted. The criminals also publish common tools—such as link cleaners and YouTube downloaders—to gather positive reviews before transforming them into credential-stealing malware.
AI’s Role in Accelerating the Attack Cycle
Code analysis revealed traces of AI-generated payloads, used both to create attack modules and evade security detection systems.
GreedyBear’s infrastructure is centrally managed through a single command server, coordinating browser extensions, malware, and phishing sites into a unified attack ecosystem.
The operation appears to be an evolution of the previously identified Foxy Wallet campaign, but with significantly greater scale and sophistication.
Expert Warnings for Crypto Users
Security experts urge crypto holders to:
- Download wallet extensions only from official stores
- Verify software publishers before installation
- Enable multi-factor authentication (MFA) wherever possible
The rise of AI-powered attack automation suggests that cybercrime is entering a new phase, increasing risks not only for Bitcoin and Ethereum users, but also for a wide range of altcoin holders.
