Overview
- Koi Security uncovered GreedyBear’s use of “Extension Hollowing,” uploading over 150 benign Firefox add-ons and padding them with fake reviews before stripping branding and injecting code to steal wallet credentials and IP addresses.
- Mozilla removed all identified GreedyBear extensions from its Firefox Add-ons store, but the group’s central command-and-control server at 185.208.156.66 remains active for data exfiltration.
- Nearly 500 malicious Windows executables—including credential stealers, ransomware variants and generic trojans—were linked to the same infrastructure and spread via Russian-language piracy websites.
- A network of professional-grade scam websites impersonating wallet products and repair services continues to trick users into submitting private keys, recovery phrases and payment data.
- Analysis of GreedyBear’s toolkit reveals AI-generated artifacts that enable rapid scaling and evasion, and researchers report signs of expansion into the Chrome Web Store.
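One defensive check that follows from the "Extension Hollowing" pattern in the first bullet: compare an add-on's original manifest with a later update and flag rebranding, newly granted sensitive permissions and newly injected scripts. This is an added example, not code from Koi Security, Mozilla or the GreedyBear toolkit; the manifest keys are standard WebExtension fields, and the two sample manifests and script names are constructed.

```python
"""Audit a WebExtension update for the 'hollowing' pattern described above:
a benign first release that is later rebranded, given new privileged
permissions and injected with scripts. Added example; the manifest keys are
standard WebExtension fields, the sample manifests are constructed."""
import json

# Permissions that let an add-on read page content or intercept traffic.
SENSITIVE_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                         "tabs", "cookies", "storage", "clipboardRead"}


def _scripts(manifest):
    """Collect every script path a manifest loads (content + background)."""
    found = set()
    for cs in manifest.get("content_scripts", []):
        found.update(cs.get("js", []))
    found.update(manifest.get("background", {}).get("scripts", []))
    return found


def audit_extension_update(old, new):
    """Return human-readable findings for an update from manifest old to new."""
    findings = []
    if old.get("name") != new.get("name"):
        findings.append(f"rebranded: {old.get('name')!r} -> {new.get('name')!r}")
    added = set(new.get("permissions", [])) - set(old.get("permissions", []))
    risky = added & SENSITIVE_PERMISSIONS
    if risky:
        findings.append("new sensitive permissions: " + ", ".join(sorted(risky)))
    new_scripts = _scripts(new) - _scripts(old)
    if new_scripts:
        findings.append("new scripts: " + ", ".join(sorted(new_scripts)))
    # A content script matched on every URL is what a credential grabber needs.
    for cs in new.get("content_scripts", []):
        if "<all_urls>" in cs.get("matches", []) and cs not in old.get("content_scripts", []):
            findings.append("new content script injected on <all_urls>")
    return findings


# Constructed sample: a harmless tab tool re-released as a 'wallet helper'.
OLD_MANIFEST = json.loads('{"name": "Tab Saver", "version": "1.0", "permissions": ["tabs"]}')
NEW_MANIFEST = json.loads('''{"name": "Wallet Helper", "version": "1.1",
  "permissions": ["tabs", "storage", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["page.js"]}],
  "background": {"scripts": ["bg.js"]}}''')

if __name__ == "__main__":
    for finding in audit_extension_update(OLD_MANIFEST, NEW_MANIFEST):
        print(finding)
```

Run against each update of the add-ons you allow in an enterprise browser policy; an update that trips the rebranding or permission checks is worth holding back until it has been reviewed.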