In one of the most sophisticated crypto scams to date, a cybercriminal group known as GreedyBear has stolen over $1 million from unsuspecting users by leveraging a dangerous mix of malicious browser extensions, Windows malware, and fake crypto service websites. Security researchers say this isn’t your average scam: it’s a full-blown, industrial-grade operation powered in part by AI-generated code.
A New Kind of Threat: GreedyBear’s Massive Playbook
Unlike most cybercrime groups that focus on a single attack method like phishing or ransomware, GreedyBear is using everything at once and at scale.
According to a detailed report from Koi Security, the group has deployed over 650 malicious tools aimed specifically at cryptocurrency wallet users. Tuval Admoni, a researcher at Koi, said the group’s approach “redefines what industrial-scale crypto theft looks like.”
Malicious Browser Extensions: Fake Tools, Real Damage
The group has taken browser-based attacks to a new level with what researchers call “Extension Hollowing.”
Here’s how it works:
- They release innocent-looking Firefox extensions like link cleaners or video downloaders.
- These get padded with fake five-star reviews to build trust.
- Later, they’re secretly converted into tools that impersonate crypto wallets like MetaMask, TronLink, Exodus, and Rabby.
Once installed, these weaponized extensions silently harvest users’ wallet credentials and send them directly to GreedyBear’s servers. This tactic builds on their earlier campaign dubbed “Foxy Wallet,” which exposed 40 such rogue extensions back in July.
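The defensive counterpart to the three steps above is an inventory diff: the hollowed extension keeps its add-on id but changes identity and gains privileges on update. The script below is an added example, not code from the article or from Koi Security. It assumes a simplified inventory format (a list of dicts with id, name, permissions and origins) that a defender could export from a browser's add-on listing, and the two snapshots it compares are constructed for illustration. It flags a utility whose name pivots to one of the wallet brands named above, an update that adds sensitive permissions or broad host access, and a fresh install that already claims a wallet brand.

```python
"""Diff two extension-inventory snapshots to spot "extension hollowing".

Added example: this is not code from the article or from Koi Security. It
assumes a simplified inventory format (list of dicts with id, name,
permissions, origins) that a defender could export from a browser's add-on
listing; the sample snapshots below are constructed, not real add-ons.
"""
from __future__ import annotations

# Wallet brands the article names as impersonation targets.
WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby")

# Permissions whose sudden appearance in an update deserves review
# (assumed list; tune it to what your users' extensions legitimately need).
SENSITIVE_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "clipboardRead",
    "clipboardWrite", "nativeMessaging", "cookies", "tabs",
}


def mentions_wallet(text: str) -> bool:
    """True if a name or description claims one of the wallet brands."""
    lowered = text.lower()
    return any(brand in lowered for brand in WALLET_BRANDS)


def granted(ext: dict) -> set[str]:
    """Flatten an extension's API permissions and host origins into one set."""
    return set(ext.get("permissions", [])) | set(ext.get("origins", []))


def audit_update(before: dict, after: dict) -> list[str]:
    """Reasons an update of one extension looks like hollowing (empty = clean)."""
    reasons = []
    # 1. Identity pivot: a utility that never mentioned wallets now claims a brand.
    if not mentions_wallet(before["name"]) and mentions_wallet(after["name"]):
        reasons.append(
            f"name pivoted to wallet brand: {before['name']!r} -> {after['name']!r}")
    # 2. Privilege growth: a link cleaner has no reason to gain <all_urls> or clipboard.
    added = granted(after) - granted(before)
    risky = sorted(p for p in added
                   if p in SENSITIVE_PERMISSIONS or p.startswith("*://"))
    if risky:
        reasons.append("update added sensitive permissions: " + ", ".join(risky))
    return reasons


def diff_inventories(before: list[dict], after: list[dict]) -> dict[str, list[str]]:
    """Compare snapshots keyed by add-on id; return flagged ids with their reasons."""
    old = {e["id"]: e for e in before}
    findings: dict[str, list[str]] = {}
    for ext in after:
        if ext["id"] in old:
            reasons = audit_update(old[ext["id"]], ext)
        elif mentions_wallet(ext["name"]):
            # Brand-new install that already claims a wallet: review before trusting.
            reasons = [f"newly installed and claims wallet brand: {ext['name']!r}"]
        else:
            reasons = []
        if reasons:
            findings[ext["id"]] = reasons
    return findings


# Constructed snapshots: a benign video downloader, a link cleaner that an update
# turned into a "MetaMask" lookalike, and a fresh install claiming a wallet brand.
SNAPSHOT_BEFORE = [
    {"id": "linkclean@example.test", "name": "Link Cleaner",
     "permissions": ["activeTab"], "origins": []},
    {"id": "vid@example.test", "name": "Video Downloader",
     "permissions": ["downloads"], "origins": ["*://*.video.example/*"]},
]
SNAPSHOT_AFTER = [
    {"id": "linkclean@example.test", "name": "MetaMask Wallet",
     "permissions": ["activeTab", "storage", "clipboardRead"],
     "origins": ["<all_urls>"]},
    {"id": "vid@example.test", "name": "Video Downloader",
     "permissions": ["downloads"], "origins": ["*://*.video.example/*"]},
    {"id": "rabby@example.test", "name": "Rabby Helper",
     "permissions": ["storage"], "origins": []},
]


def run_sample() -> dict[str, list[str]]:
    """Audit the constructed snapshots; used by the demo below."""
    return diff_inventories(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)


if __name__ == "__main__":
    for ext_id, reasons in run_sample().items():
        print(ext_id)
        for r in reasons:
            print("  -", r)
```

The point of keying on the add-on id rather than the name is that hollowing preserves the id (that is how the fake reviews and install base carry over), so the id is the stable handle and the name and permission set are what move. Taking the "before" snapshot at install time and re-running the diff on every update is enough to catch the pivot the article describes.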
Windows Malware: Cracked Software, Hidden Dangers
Koi Security also uncovered nearly 500 malicious Windows executables linked to the same infrastructure. These aren’t just viruses; they include everything from credential stealers to ransomware variants and modular trojans that can evolve or update over time.
A major distribution channel? Russian-language websites offering pirated or cracked software. It’s a sneaky way to reach users outside the typical crypto crowd, especially those less likely to be running strong security tools.
Fake Crypto Services: Not Just Phishing, but Professional Fakes
As if malware and browser extensions weren’t enough, GreedyBear also runs a network of scam websites that pose as legitimate crypto services. Think:
- Fake hardware wallet shops
- Bogus “wallet repair” services
- Phony crypto utilities that look professionally designed
Instead of tricking users into logging into fake exchange portals (the typical phishing approach), these sites convince users to hand over private keys, seed phrases, or credit card details under the guise of “helping” them.
Some of these scam websites are still active, quietly collecting sensitive information in real time.
One Central Hub Ties It All Together
Koi researchers found a single IP address (185.208.156.66) tying together the group’s entire infrastructure: extensions, malware, scam websites, everything. This centralized system allows GreedyBear to:
- Manage all stolen credentials and data
- Push updates to malware tools
- Quickly adapt based on what’s working
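A single shared hub is also the easiest thing for defenders to sweep for. The script below is an added example, not code from the article or from Koi Security: it reads an outbound-connection export and groups every contact with the hub IP named above by host, reporting which process made the connection, how many times and how much data left. It assumes a simple whitespace-separated export format (timestamp host process dest_ip dest_port bytes_out); the sample lines are constructed, not real telemetry, and the non-matching destinations use documentation-range addresses.

```python
"""Sweep outbound-connection logs for the GreedyBear hub IP the article names.

Added example: not code from the article or from Koi Security. It assumes a
simple whitespace-separated export (timestamp host process dest_ip dest_port
bytes_out); the sample lines below are constructed, not real telemetry, and
use documentation-range addresses for the non-matching destinations.
"""
from __future__ import annotations
from collections import defaultdict

# The single IP the article says ties the extensions, malware and scam sites together.
INDICATORS = {"185.208.156.66"}

# Constructed sample export (one malformed line to show it is skipped, not crashed on).
SAMPLE_LOG = """\
2025-08-07T10:01:02Z ws-17 firefox.exe 185.208.156.66 443 1843
2025-08-07T10:01:05Z ws-17 firefox.exe 203.0.113.5 443 512
2025-08-07T10:03:40Z ws-22 setup_crack.exe 185.208.156.66 8080 20480
2025-08-07T10:03:41Z ws-22 setup_crack.exe 185.208.156.66 8080 4096
2025-08-07T10:04:00Z ws-23 chrome.exe 198.51.100.9 443 900
this line is malformed
"""


def parse_line(line: str) -> dict | None:
    """Split one export line into fields; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, process, dest_ip, port, bytes_out = parts
    if not (port.isdigit() and bytes_out.isdigit()):
        return None
    return {"ts": ts, "host": host, "process": process,
            "dest_ip": dest_ip, "port": int(port), "bytes_out": int(bytes_out)}


def sweep(log_text: str, indicators: set[str] = INDICATORS) -> dict[str, dict]:
    """Group indicator hits per host: which processes reached the hub, how often, how much."""
    hits: dict[str, dict] = defaultdict(
        lambda: {"processes": set(), "connections": 0, "bytes_out": 0, "first_seen": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["dest_ip"] not in indicators:
            continue  # unparseable or not talking to the hub
        h = hits[rec["host"]]
        h["processes"].add(rec["process"])
        h["connections"] += 1
        h["bytes_out"] += rec["bytes_out"]
        h["first_seen"] = h["first_seen"] or rec["ts"]
    return dict(hits)


if __name__ == "__main__":
    for host, info in sweep(SAMPLE_LOG).items():
        print(f"{host}: {info['connections']} connection(s), "
              f"{info['bytes_out']} bytes out, via {sorted(info['processes'])}, "
              f"first seen {info['first_seen']}")
```

Grouping by host and process is what turns a raw indicator match into a triage list: a browser process reaching the hub points at a hollowed extension, while an installer from a cracked-software download points at the Windows malware channel, so the same sweep covers both arms of the campaign.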
Even more worrying? Investigators found AI-generated code artifacts in several of the malicious files, suggesting the group is using artificial intelligence to generate, adapt, and deploy malware faster than ever.
“This isn’t a passing trend,” warns Admoni. “It’s the new normal. As attackers arm themselves with increasingly capable AI, defenders must respond with equally advanced security tools.”
Bottom Line
GreedyBear is not just another scam group. They’re industrializing crypto theft, mixing AI tools with multiple attack vectors to maximize their reach and efficiency. Over $1 million has already been stolen, and with hundreds of tools still in circulation, that number could keep climbing.
What you can do:
- Avoid installing browser extensions from unknown or new publishers.
- Never download pirated or cracked software; it’s a hotbed for malware.
- Double-check any crypto service websites, even if they look polished.
- Use trusted antivirus and security tools that detect malware and trojans.
- Always verify URLs and be wary of entering recovery phrases or private keys online.
Stay safe, stay skeptical, and always think twice, especially when your crypto is at stake.