Particle.news

GreedyBear Crypto-Theft Campaign Persists After Firefox Extensions Takedown

Researchers say GreedyBear still harvests wallet credentials through malware executables and scam websites, and is now probing Chrome’s extension market, following Mozilla’s takedown of its Firefox add-ons

Overview

  • Koi Security uncovered GreedyBear’s use of “Extension Hollowing,” uploading over 150 benign Firefox add-ons and padding them with fake reviews before stripping branding and injecting code to steal wallet credentials and IP addresses.
  • Mozilla removed all identified GreedyBear extensions from its Firefox Add-ons store, but the group’s central command-and-control server at 185.208.156.66 remains active for data exfiltration.
  • Nearly 500 malicious Windows executables—including credential stealers, ransomware variants and generic trojans—were linked to the same infrastructure and spread via Russian-language piracy websites.
  • A network of professional-grade scam websites impersonating wallet products and repair services continues to trick users into submitting private keys, recovery phrases and payment data.
  • Analysis of GreedyBear’s toolkit reveals AI-generated artifacts that enable rapid scaling and evasion, and researchers report signs of expansion into the Chrome Web Store.