GreedyBear hackers steal over $1 million in massive multi-vector crypto attack

A hacker group known as GreedyBear has stolen more than $1 million in cryptocurrency in a massive cyberattack. Security researchers say the hackers ran the operation like a factory, using multiple attack methods at the same time to trick people, steal passwords, and empty digital wallets.

The hackers used 150 harmful Firefox browser extensions, nearly 500 infected computer programs, and dozens of fake websites to target cryptocurrency users. They relied on a new trick, which researchers call “Extension Hollowing,” that let them slip past browser security checks and build user trust before launching the attack.

How the GreedyBear Hack Worked

A single server controlled the entire operation, including browser extensions, malicious programs, and scam websites, and held the stolen funds. Researchers say GreedyBear has grown from an earlier smaller campaign called “Foxy Wallet,” which used only 40 harmful extensions, into a highly organised and much larger operation targeting cryptocurrency users worldwide.

The hackers built browser extensions that looked and worked like real cryptocurrency wallets. They copied the design of popular wallets like MetaMask, TronLink, Exodus, and Rabby Wallet. When people installed these fake extensions, they worked normally on the surface, but secretly recorded everything typed into wallet login boxes and sent the information to the hackers.

To avoid suspicion, GreedyBear didn’t upload harmful extensions immediately. Instead, they first created harmless ones, such as link cleaners and video download tools. They published 5–7 of these safe-looking extensions under a single developer account and even posted fake positive reviews to boost ratings.

Once the extensions had good reputations and user trust, the hackers updated them with malicious code, changed their names and icons, and turned them into tools for stealing cryptocurrency. This is what researchers call Extension Hollowing. Because the extensions were already approved by the browser marketplace, the security checks were bypassed.
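The pattern described above (a benign extension that is later renamed, re-iconed and given new permissions in an update) can be caught on an endpoint by diffing two snapshots of the installed extensions. The following is an added example written for this article, not code from the researchers or any browser vendor. It assumes that the snapshot records (extension id, name, version, permission set, icon hash) have already been collected, for instance from a Firefox profile, and the sensitive-permission list, wallet-term list and scoring weights are heuristics chosen here; the sample snapshots are constructed.

```python
"""Flag 'extension hollowing' style updates by diffing installed-extension snapshots.

Added example; the record format, scoring weights and sample data are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Permissions whose sudden appearance in an update deserves review (assumption).
SENSITIVE_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs",
                         "clipboardRead", "nativeMessaging", "cookies"}
# Words that suggest an extension has been rebranded as a crypto wallet (assumption).
WALLET_TERMS = ("wallet", "metamask", "tronlink", "exodus", "rabby")
HOLLOWING_THRESHOLD = 5  # findings at or above this score are treated as suspicious


@dataclass(frozen=True)
class Extension:
    ext_id: str
    name: str
    version: str
    permissions: frozenset
    icon_sha256: str  # hash of the extension's icon file, taken at snapshot time


@dataclass
class Finding:
    ext_id: str
    reasons: List[str] = field(default_factory=list)
    score: int = 0

    @property
    def suspicious(self) -> bool:
        return self.score >= HOLLOWING_THRESHOLD


def _looks_like_wallet(name: str) -> bool:
    lowered = name.lower()
    return any(term in lowered for term in WALLET_TERMS)


def diff_snapshots(before: Dict[str, Extension], after: Dict[str, Extension]) -> List[Finding]:
    """Compare two snapshots keyed by extension id and report identity/permission drift.

    Only extensions present in both snapshots are scored: hollowing needs a
    previously benign version, so fresh installs belong to a separate review.
    """
    findings: List[Finding] = []
    for ext_id, new in after.items():
        old = before.get(ext_id)
        if old is None:
            continue
        finding = Finding(ext_id)
        if old.name != new.name:
            finding.reasons.append(f"renamed {old.name!r} -> {new.name!r}")
            finding.score += 3
            # A non-wallet tool turning into a "wallet" is the strongest signal.
            if _looks_like_wallet(new.name) and not _looks_like_wallet(old.name):
                finding.reasons.append("rebranded as a wallet")
                finding.score += 3
        if old.icon_sha256 != new.icon_sha256:
            finding.reasons.append("icon replaced")
            finding.score += 1
        added = set(new.permissions) - set(old.permissions)
        if added:
            sensitive = added & SENSITIVE_PERMISSIONS
            finding.reasons.append(f"permissions added: {sorted(added)}")
            finding.score += 2 * len(sensitive) + (1 if added - sensitive else 0)
        if finding.reasons:
            findings.append(finding)
    return findings


# Constructed sample snapshots (ids, names and hashes are placeholders, not real extensions).
SAMPLE_BEFORE = {
    "linkcleaner@example.test": Extension("linkcleaner@example.test", "Link Cleaner", "1.2.0",
                                          frozenset({"activeTab"}), "a" * 64),
    "videodl@example.test": Extension("videodl@example.test", "Video Downloader", "1.0.0",
                                      frozenset({"downloads"}), "b" * 64),
}
SAMPLE_AFTER = {
    # The link cleaner was hollowed out: new name, new icon, broad host access.
    "linkcleaner@example.test": Extension("linkcleaner@example.test", "MetaMask Wallet", "2.0.0",
                                          frozenset({"activeTab", "<all_urls>", "storage"}), "c" * 64),
    # Routine version bump, nothing else changed: should not be flagged.
    "videodl@example.test": Extension("videodl@example.test", "Video Downloader", "1.0.1",
                                      frozenset({"downloads"}), "b" * 64),
}


def run_sample() -> List[Finding]:
    return diff_snapshots(SAMPLE_BEFORE, SAMPLE_AFTER)


if __name__ == "__main__":
    for f in run_sample():
        print(f.ext_id, f.score, "SUSPICIOUS" if f.suspicious else "review", f.reasons)
```

The rename and wallet-rebranding checks carry the most weight because a marketplace review that approved the original listing says nothing about the product the extension has since become; a permission-only change is scored lower since the browser itself prompts the user for new permissions on update.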

The stolen data was sent to a single control server that also handled malware on Windows computers. Nearly 500 malicious programs were spread through Russian websites offering cracked or pirated software. These programs installed more harmful tools on victims’ computers, increasing the chances of stealing wallet details.

A Web of Fake Wallets and Scam Sites

Alongside the browser attack, GreedyBear set up convincing fake websites. Some claimed to sell cryptocurrency hardware wallets, using fake brand names and realistic product pictures. Others offered “wallet repair services” for well-known devices like Trezor.

These fake sites asked for personal details, wallet recovery phrases, and even payment information. The hackers used this information to gain control over victims’ cryptocurrency accounts.


Security teams also found that the same central server used for the Firefox attacks was connected to a fake Chrome extension called “Filecoin Wallet.” This means the hackers are not only targeting Firefox users but are also creating versions for Chrome and possibly other browsers like Microsoft Edge.

Researchers say all the malicious domains used in the campaign were connected to one IP address, giving the hackers a unified command-and-control system. This setup allowed them to run phishing attacks, spread ransomware, and collect stolen credentials from one place, making the operation more efficient and harder to detect.
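Shared hosting is exactly the kind of infrastructure overlap a defender can pivot on: given passive-DNS style records, grouping domains by the address they resolve to turns one known bad domain into a list of candidates for blocking. The block below is an added example, not the researchers' tooling; the records, domains and addresses are constructed placeholders (documentation ranges), and the theme keywords and cluster thresholds are assumptions chosen for illustration.

```python
"""Cluster domains by shared resolving IP and pivot from a seed domain.

Added example; records, theme keywords and thresholds are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class DnsRecord(NamedTuple):
    domain: str
    ip: str
    first_seen: str  # ISO date of first observed resolution


# Themes seen in the campaign (fake wallet shops, pirated software, extension update hosts);
# the keyword lists are a heuristic, not a published signature.
THEMES = {
    "wallet": ("wallet", "ledger", "trezor"),
    "pirated": ("crack", "keygen", "torrent"),
    "update": ("update", "ext"),
}

# Constructed passive-DNS records; not indicators from the article.
SAMPLE_RECORDS = [
    DnsRecord("wallet-repair.example", "198.51.100.7", "2025-07-01"),
    DnsRecord("hardware-wallet-shop.example", "198.51.100.7", "2025-07-03"),
    DnsRecord("cracked-soft.example", "198.51.100.7", "2025-07-05"),
    DnsRecord("ext-update.example", "198.51.100.7", "2025-07-10"),
    DnsRecord("legit-news.example", "203.0.113.9", "2025-01-15"),
    DnsRecord("cdn.example", "203.0.113.9", "2024-11-02"),
]


def themes_for(domain: str) -> Set[str]:
    lowered = domain.lower()
    return {theme for theme, words in THEMES.items() if any(w in lowered for w in words)}


def cluster_by_ip(records: List[DnsRecord]) -> Dict[str, List[DnsRecord]]:
    clusters: Dict[str, List[DnsRecord]] = defaultdict(list)
    for rec in records:
        clusters[rec.ip].append(rec)
    return clusters


def suspicious_clusters(records: List[DnsRecord], min_domains: int = 3,
                        min_themes: int = 2) -> List[Tuple[str, List[str], Set[str]]]:
    """Return (ip, sorted domains, themes) for addresses hosting many domains of mixed themes.

    One address serving wallet shops, cracked-software sites and extension
    update hosts at once is the unified command-and-control shape the
    researchers describe; a shared CDN address with unrelated tenants is not.
    """
    out = []
    for ip, recs in cluster_by_ip(records).items():
        domains = sorted(r.domain for r in recs)
        themes: Set[str] = set()
        for d in domains:
            themes |= themes_for(d)
        if len(domains) >= min_domains and len(themes) >= min_themes:
            out.append((ip, domains, themes))
    return out


def pivot(seed_domain: str, records: List[DnsRecord]) -> List[str]:
    """Domains that share a resolving IP with the seed (the seed itself excluded)."""
    ips = {r.ip for r in records if r.domain == seed_domain}
    return sorted({r.domain for r in records if r.ip in ips and r.domain != seed_domain})


if __name__ == "__main__":
    for ip, domains, themes in suspicious_clusters(SAMPLE_RECORDS):
        print(ip, sorted(themes), domains)
    print("pivot from wallet-repair.example:", pivot("wallet-repair.example", SAMPLE_RECORDS))
```

Before acting on a pivot list, check whether the shared address belongs to a large hosting or CDN provider; the theme-mixing requirement in `suspicious_clusters` is there to reduce that false positive, and the `first_seen` dates help separate a freshly registered campaign cluster from long-lived tenants.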

AI-Driven Cybercrime on the Rise

Investigators also found signs that the hackers used AI-generated code to speed up their work. By using AI, the group could quickly create new attack tools, change their designs to avoid detection, and scale their operations to a much larger number of victims.


This is not the first large-scale crypto attack this year. Recent incidents include millions lost in phishing scams, account hijackings, and protocol exploits. In the first half of 2025 alone, more than $2.2 billion has been stolen across 344 reported incidents.

The GreedyBear campaign shows how cybercriminals are combining different tricks — browser hijacking, fake websites, malicious programs, and AI-generated code — to launch multi-vector attacks on cryptocurrency users. With so many entry points, even careful users can become victims without realising it until their wallets are empty.

Renuka Bangale
Renuka is a distinguished Chartered Accountant and a Certified Digital Threats Analyst from Riskpro, renowned for her expertise in cybersecurity. With a deep understanding of cybercrimes, malware, cyber warfare, and espionage, she has established herself as an authority in the field. Renuka combines her financial acumen with advanced knowledge of digital threats to provide unparalleled insights into the evolving landscape of information security. Her analytical prowess enables her to dissect complex cyber incidents, offering clarity on risks and mitigation strategies. As a key contributor to Newsinterpretation’s information security category, Renuka delivers authoritative articles that educate and inform readers about emerging threats and best practices.
