GreedyBear Hackers Steal $1M+ in Crypto with 650 Tools and Fake Wallets

GreedyBear’s $1 Million Crypto Theft: A New Era of Cybercrime
A major crypto heist has been uncovered by cybersecurity firm Koi Security, revealing the activities of a threat actor group known as GreedyBear. The group managed to steal over $1 million from users by deploying 650 malicious tools, including 150 malicious Firefox extensions and nearly 500 Windows executables. This attack showcases a new and sophisticated method called “Extension Hollowing,” which allows cybercriminals to exploit user trust in legitimate software.
How GreedyBear Operated
GreedyBear used a multi-step approach to infiltrate users’ systems. Initially, they created accounts on app marketplaces and uploaded seemingly harmless extensions such as link sanitizers or YouTube downloaders. These extensions had no real functionality but were designed to build credibility. Once the extensions gained positive reviews and user trust, the attackers replaced their code with malicious payloads while maintaining the original names, ratings, and install base.
This technique allowed GreedyBear to bypass security checks because the initial uploads appeared legitimate. According to Koi Security, this process involved:
- Opening a new marketplace account
- Posting 5–7 innocuous extensions
- Flooding the listings with fake positive reviews
- Replacing the code with malicious payloads while keeping the name, ratings, and install base intact
Once active, the malicious extensions captured wallet credentials directly from user input fields, transmitted the victim’s IP address, and exfiltrated data to a remote server controlled by the group. This method was previously seen in the Foxy Wallet campaign, where 40 malicious extensions were used. However, the scale of the current operation has more than doubled.
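As an added defender-side illustration (not code from the Koi Security report or from any real extension), the following Python compares two constructed manifest.json versions of a hypothetical "Link Sanitizer" listing and flags the kind of capability growth a hollowed update needs before it can read wallet input fields on arbitrary sites: new all-site host access, newly requested sensitive permissions, or a content script suddenly injected into every page while the listing name stays the same.

```python
import json

# Constructed sample manifests for illustration only; not from any real extension.
OLD_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Link Sanitizer",
    "version": "1.0.2",
    "permissions": ["activeTab"],
})
NEW_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Link Sanitizer",
    "version": "1.0.3",
    "permissions": ["activeTab", "storage", "<all_urls>"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}
    ],
})

# Host patterns that reach every site the user visits, wallet pages included.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions a small utility extension rarely has a legitimate need for.
SENSITIVE_PERMS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                   "clipboardRead", "nativeMessaging", "history"}

def _granted(manifest):
    # Union of "permissions" and (Manifest V3) "host_permissions".
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))

def _script_matches(manifest):
    # Every match pattern requested by the manifest's content scripts.
    return {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}

def compare_manifests(old_json, new_json):
    """Return findings describing risky capability growth between two versions."""
    old, new = json.loads(old_json), json.loads(new_json)
    findings = []
    for perm in sorted(_granted(new) - _granted(old)):
        if perm in BROAD_HOSTS:
            findings.append(f"new broad host access: {perm}")
        elif perm in SENSITIVE_PERMS:
            findings.append(f"new sensitive permission: {perm}")
    for pattern in sorted(_script_matches(new) - _script_matches(old)):
        if pattern in BROAD_HOSTS:
            findings.append(f"content script now injected into all pages: {pattern}")
    if findings and old.get("name") == new.get("name"):
        findings.append("listing identity unchanged while capabilities grew; review update")
    return findings
```

Run `compare_manifests(OLD_MANIFEST, NEW_MANIFEST)` against the constructed pair to see the three findings; an unchanged manifest produces none.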
Malicious Windows Executables
In addition to browser add-ons, Koi Security found that nearly 500 malicious Windows executables were linked to GreedyBear’s infrastructure. These files were reportedly distributed through Russian websites hosting cracked or pirated software. The group also set up a network of scam websites posing as legitimate crypto hardware wallets and wallet-repair services. Unlike traditional phishing pages, these sites were presented as polished product landing pages, complete with fabricated UI mockups and fake branding.
The Rise of Crypto Hacks
The crypto industry is experiencing an unprecedented wave of theft. According to new data from blockchain analytics firm Chainalysis, over $2.17 billion was stolen from services in the first half of 2025—already surpassing all of 2024. If current trends continue, service-related thefts could exceed $4 billion by year’s end.
One of the most significant incidents occurred in March when North Korean hackers stole $1.5 billion from crypto exchange ByBit. This breach accounted for 69% of all funds stolen from services this year.
Personal Wallets Becoming Targets
While service breaches dominate headlines, Chainalysis also warned that personal wallets are becoming a growing target, representing 23.35% of all theft activity year to date. This shift is driven by the larger number of individual crypto holders and by more sophisticated techniques for targeting individuals. The growth of easy-to-deploy LLM AI tools may have contributed to this trend.
Chainalysis stated that stolen fund activity is the dominant concern for the crypto ecosystem in 2025. As the industry continues to grow, so too do the threats posed by cybercriminals like GreedyBear. Users must remain vigilant and take proactive steps to protect their digital assets.