Over 1 Million Dollars Compromised: GreedyBear's Sophisticated Browser Attack Campaign
The Russian hacker group GreedyBear has orchestrated a large cryptocurrency theft operation over the past five weeks, with losses exceeding 1 million dollars, according to a recent security report from Koi Security. The cybercriminals deployed an arsenal of 150 modified Firefox extensions, approximately 500 malicious Windows executables, and dozens of phishing pages to carry out the campaign.
Browser Extension Exploitation: The Primary Revenue Driver
The Firefox extension campaign has proven to be the group's most lucrative method, generating the majority of the 1 million dollars in stolen funds. The attack relies on a deceptive technique called Extension Hollowing, which slips past the add-on store's security review. The hackers begin by uploading legitimate-appearing versions of popular cryptocurrency wallets (including MetaMask, Exodus, Rabby Wallet, and TronLink) to the distribution channel. Once users have installed these extensions, later updates inject the malicious code into them.
To build credibility, the group artificially inflates user ratings with fake positive reviews, creating a false sense of legitimacy. This social engineering layer significantly increases download rates among unsuspecting cryptocurrency users. Once installed, the compromised extensions act as credential harvesters, silently capturing wallet private keys and access credentials. The stolen credentials are then used to drain cryptocurrency holdings from victims' wallets.
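The defensive counterpart to Extension Hollowing is to treat every extension update as a new review: diff the update's manifest.json against the last approved version and flag newly gained privilege. The script below is an added example, not code from the Koi Security report or from any of the wallets named above; both manifests are constructed sample data.

```python
# Added defensive example: flag privilege gained by an extension update, the
# tell-tale sign of a hollowing update. Manifests are constructed samples.
import json

# Constructed: the benign-looking initial release of a fake wallet extension.
MANIFEST_V1 = json.loads("""{
  "manifest_version": 2, "name": "Example Wallet", "version": "1.0.0",
  "permissions": ["storage"], "content_scripts": []}""")

# Constructed: the update that adds broad host access plus a script injected
# into every page, the kind of change a hollowing update introduces.
MANIFEST_V2 = json.loads("""{
  "manifest_version": 2, "name": "Example Wallet", "version": "1.0.1",
  "permissions": ["storage", "tabs", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}""")

# API permissions that widen an extension's reach into pages or the network.
HIGH_RISK = {"tabs", "webRequest", "webRequestBlocking", "cookies",
             "clipboardRead", "nativeMessaging"}


def host_patterns(manifest):
    """Match patterns from MV2 permissions and MV3 host_permissions."""
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    return {p for p in perms if "://" in p or p == "<all_urls>"}


def content_scripts(manifest):
    """Set of (match pattern, script file) pairs declared by the manifest."""
    return {(m, js) for cs in manifest.get("content_scripts", [])
            for m in cs.get("matches", []) for js in cs.get("js", [])}


def diff_manifests(old, new):
    """Return human-readable findings for privilege the update adds."""
    findings = []
    added = set(new.get("permissions", [])) - set(old.get("permissions", []))
    for perm in sorted(added & HIGH_RISK):
        findings.append(f"high-risk permission added: {perm}")
    for host in sorted(host_patterns(new) - host_patterns(old)):
        findings.append(f"new host access: {host}")
    for match, js in sorted(content_scripts(new) - content_scripts(old)):
        findings.append(f"new content script {js} on {match}")
    return findings


if __name__ == "__main__":
    for finding in diff_manifests(MANIFEST_V1, MANIFEST_V2):
        print(finding)
```

Run as a gate in an update pipeline, any non-empty finding list blocks the update until a human re-reviews the extension.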
Diversified Attack Infrastructure
Beyond browser-based threats, GreedyBear runs a parallel attack stream using nearly 500 malicious Windows executables. These files are distributed through Russian software repositories that host pirated or modified applications. The executables serve several purposes: some are credential stealers targeting stored account information, others deploy ransomware to encrypt victim data, and several are trojans designed to establish persistent system access.
This multi-layered approach reflects deliberate operational planning: it lets the group maintain multiple infection vectors and adapt when individual users or platforms deploy countermeasures against any one of them.