Source: CoinGecko

    GreedyBear hackers steal over $1 million in intricate crypto heist

    Nur

    A hacking group known as GreedyBear has executed one of the largest and most intricate cryptocurrency heists of the year, stealing over $1 million using malicious browser add-ons, phishing sites, and malware. The scheme, which was discovered by cybersecurity firm Koi Security, has raised serious concerns about the rising scale and sophistication of crypto-targeted cybercrime.

    It was not a hurried smash-and-grab. It was a well-coordinated, multi-vector attack: GreedyBear did not rely on a single play. They launched attacks on several fronts at once, creating an ecosystem of deception that tricked users into handing over their wallet credentials.

    GreedyBear’s web of deception: From fake extensions to phony wallets

    At the center of the GreedyBear campaign were 150+ malicious Firefox extensions, disguised as secure crypto wallets like MetaMask, TronLink, Exodus, and Rabby. These extensions secretly captured wallet credentials and sent them to attacker-controlled servers.

    To avoid detection, the group flooded the marketplace with fake five-star reviews, gaining trust before updating the extensions with malicious code. The result? A Trojan horse hiding in plain sight.

    But GreedyBear didn’t stop there. They also distributed nearly 500 malware-infected Windows executables through sites offering cracked software, and launched polished fake websites promoting counterfeit hardware wallets, “repair services,” and fake crypto tools.

    AI-generated code enables cybercrime at scale

    Perhaps the most unsettling discovery by researchers was the use of AI-generated code throughout the operation. This allowed GreedyBear to scale their campaign quickly, create new variants of their malware to evade detection, and automate many parts of their attack infrastructure. In the hands of organized cybercriminals, AI is becoming a tool for accelerating the pace and reach of attacks.

    Koi Security referred to the campaign as “industrial scale,” and it’s easy to see why. GreedyBear’s methods blended technical sophistication, psychological manipulation, and AI-enhanced automation, creating a web of traps that even experienced crypto users could fall into.

    How to protect yourself

    While the campaign is still being investigated, the best protection starts with awareness. Here’s what you can do:

    • Avoid downloading browser extensions from unofficial or unverified sources.
    • Double-check URLs before entering sensitive information.
    • Keep antivirus software updated, and scan your device regularly.
    • Stick to official websites and verified app stores for wallets and tools.
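
    To review what is already installed, the following added example (not from the article or from Koi Security) lists Firefox add-ons whose display name uses one of the wallet brands named above, and notes whether each was updated after install or holds access to all sites. The `extensions.json` field layout and the sample data are assumptions constructed for illustration; a listed entry is a prompt to verify the publisher, not a verdict.

```python
import json

# Wallet brands the article says were impersonated.
BRANDS = ("metamask", "tronlink", "exodus", "rabby")
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample, in the assumed layout of a Firefox profile's extensions.json.
SAMPLE = json.dumps({"addons": [
    {"id": "wallet-helper@example.invalid", "type": "extension", "version": "2.0",
     "defaultLocale": {"name": "MetaMask Wallet"},
     "installDate": 1700000000000, "updateDate": 1710000000000,
     "userPermissions": {"permissions": ["storage", "tabs"], "origins": ["<all_urls>"]}},
    {"id": "notes@example.invalid", "type": "extension", "version": "1.3",
     "defaultLocale": {"name": "Simple Notes"},
     "installDate": 1700000000000, "updateDate": 1700000000000,
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "dark@example.invalid", "type": "theme", "version": "1.0",
     "defaultLocale": {"name": "Exodus Dark"},
     "installDate": 1700000000000, "updateDate": 1700000000000},
]})

def review_list(extensions_json):
    """Return installed extensions that use a targeted wallet brand name, with review notes."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes and other non-extension add-ons
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        if not any(brand in name.lower() for brand in BRANDS):
            continue
        perms = addon.get("userPermissions") or {}
        notes = []
        # The article describes extensions turning malicious through a later update.
        if addon.get("updateDate", 0) > addon.get("installDate", 0):
            notes.append("updated after install")
        if BROAD_ORIGINS & set(perms.get("origins") or []):
            notes.append("host access to all sites")
        findings.append({"id": addon.get("id"), "name": name,
                         "version": addon.get("version"), "notes": notes})
    return findings

if __name__ == "__main__":
    for finding in review_list(SAMPLE):
        print(finding)
```

    A genuine wallet extension will also appear in this list; compare its add-on ID and publisher against the link on the wallet vendor's official website.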

    As the crypto world grows, so does the creativity of those looking to exploit it. GreedyBear may have pulled off a big win this time, but the real victory lies in staying informed, alert, and one step ahead.