Inside Russia’s $1M Crypto Heist: The GreedyBear Operation That Exploited Browser Trust

Cybersecurity researchers have exposed Greedy Bear, a Russia-linked hacking group accused of creating a network of fake cryptocurrency wallets to lure unsuspecting users. Disguised as legitimate services, these wallets allowed the group to harvest private keys and siphon digital assets.

A sprawling cybercrime campaign known as GreedyBear has quietly siphoned more than $1 million in cryptocurrency from unsuspecting users in just over a month, according to blockchain security firm Koi. This wasn’t the work of lone-wolf hackers targeting random wallets; it was an industrial-scale operation, tied to Russia, that weaponized browser extensions.

How GreedyBear Turned Browser Convenience into a Backdoor

GreedyBear’s strategy was simple. The group uploaded what appeared to be legitimate crypto wallet extensions to Mozilla’s Firefox add-on store. These wallets mimicked the branding of popular tools like MetaMask, TronLink, Exodus, and Rabby. The extensions also came with fake positive reviews to further lull users.

Once installed, the wallet lookalikes silently updated themselves, swapping their harmless code for malicious scripts designed to capture seed phrases, passwords, and even IP addresses. The theft didn’t happen immediately; instead, it was triggered when victims attempted to use the wallets, often through pop-up forms requesting “security confirmations” that led straight to the attackers.

This method is known as “extension hollowing”—and it’s particularly insidious because it doesn’t rely on breaking into a system through brute force or zero-day vulnerabilities. Instead, it exploits human trust and the built-in update mechanisms of legitimate platforms.

A Campaign at Industrial Scale

The scope of GreedyBear’s operation is what distinguishes it from other browser-based attacks. Researchers have tied the campaign to over 150 malicious Firefox extensions, close to 500 Windows malware executables, and a sprawling network of phishing websites masquerading as wallet repair services or hardware wallet vendors.

All of these moving parts were coordinated through a single central server, identified as IP address 185.208.156.66. From there, stolen data was funneled out, wallets were drained, and new malicious payloads were deployed. According to the researchers, the sophistication and size of the infrastructure point to a highly organized team with the resources to run ongoing campaigns.

Why This Attack Matters for Crypto Users Everywhere

GreedyBear isn’t the first cybercrime group to target the crypto ecosystem, but it reflects a worrying trend: the weaponization of platforms that users have been conditioned to trust. Unlike traditional phishing campaigns, which rely on luring users to suspicious websites, this attack used the official Firefox add-on store as its distribution hub. That means even experienced crypto users, people who know how to avoid shady download links, were at risk.

For individual users, this incident is a reminder that browser extensions remain one of the most dangerous weak points in digital security. For the crypto industry, it’s a wake-up call about the need for tighter verification standards in app stores and real-time monitoring of extension updates.

Could You Have Been Affected?

If you’ve installed any crypto-related Firefox extensions recently, especially wallets, it’s worth taking a closer look. Audit your browser’s add-ons and remove anything that wasn’t downloaded directly from a verified wallet provider’s own website. Even if you believe you’re safe, consider moving your funds to a new wallet with a fresh seed phrase. The GreedyBear malware was designed to operate silently until it was ready to strike.

Security analysts also recommend checking token approvals via tools like revoke.cash, scanning your system for malware, and avoiding downloads from pirated software platforms, which the campaign also leveraged to distribute ransomware and information-stealing malware.
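As an added illustration of the audit recommended above (example code, not from the article or from Koi): a small Python script that diffs two snapshots of a Firefox profile's extensions.json and escalates any new install or version change on wallet-like add-ons, since a silent version bump is exactly what the hollowing technique described earlier relies on. The file layout assumed here (a top-level "addons" list whose entries carry id, type, version and defaultLocale.name) and every sample entry are constructed for the example.

```python
import json

# Constructed sample snapshots of a Firefox profile's extensions.json (assumed shape:
# top-level "addons" list with "id", "type", "version", "defaultLocale": {"name"}).
# All ids, names and versions below are made up for this example.
BASELINE_JSON = json.dumps({"addons": [
    {"id": "notes@example-constructed", "type": "extension", "version": "2.1",
     "defaultLocale": {"name": "Plain Notes"}},
    {"id": "wallet@example-constructed", "type": "extension", "version": "1.0.2",
     "defaultLocale": {"name": "Example Wallet Helper"}},
]})
CURRENT_JSON = json.dumps({"addons": [
    {"id": "notes@example-constructed", "type": "extension", "version": "2.1",
     "defaultLocale": {"name": "Plain Notes"}},
    {"id": "wallet@example-constructed", "type": "extension", "version": "1.0.3",
     "defaultLocale": {"name": "Example Wallet Helper"}},
    {"id": "seedsync@example-constructed", "type": "extension", "version": "0.9",
     "defaultLocale": {"name": "SeedSync Crypto Wallet"}},
    {"id": "default-theme@mozilla.org", "type": "theme", "version": "1.3"},
]})

# Any change to an add-on whose name looks wallet-related is escalated to "high".
WALLET_HINTS = ("wallet", "metamask", "tronlink", "exodus", "rabby", "seed", "crypto")

def _index(snapshot_json):
    """Map add-on id -> entry, keeping only real extensions (themes etc. are ignored)."""
    data = json.loads(snapshot_json)
    return {a["id"]: a for a in data.get("addons", []) if a.get("type") == "extension"}

def _name(entry):
    return entry.get("defaultLocale", {}).get("name", entry["id"])

def diff_extensions(baseline_json, current_json):
    """Compare two snapshots; return (severity, addon_id, message) tuples, highest first."""
    before, after = _index(baseline_json), _index(current_json)
    findings = []
    for addon_id, entry in after.items():
        name = _name(entry)
        wallet_like = any(h in name.lower() for h in WALLET_HINTS)
        if addon_id not in before:
            findings.append(("high" if wallet_like else "info", addon_id,
                             f"new extension '{name}' v{entry['version']}"))
        elif entry["version"] != before[addon_id]["version"]:
            findings.append(("high" if wallet_like else "low", addon_id,
                             f"'{name}' updated {before[addon_id]['version']} -> "
                             f"{entry['version']}; re-verify against the vendor's own site"))
    for addon_id in before.keys() - after.keys():
        findings.append(("info", addon_id, f"'{_name(before[addon_id])}' removed"))
    order = {"high": 0, "low": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))

if __name__ == "__main__":
    for sev, addon_id, msg in diff_extensions(BASELINE_JSON, CURRENT_JSON):
        print(f"[{sev}] {addon_id}: {msg}")
```

Run it periodically against a saved copy of the real extensions.json and treat every "high" line as a prompt to confirm the add-on's version against the wallet vendor's own site before using it again.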

The Response and the Gaps

Mozilla has removed the malicious extensions from its store, but the action came only after the campaign was publicly reported. That leaves the burden of recovery squarely on the victims. Wallet providers like MetaMask have issued security alerts, yet there’s still no universal, proactive system in place to detect malicious updates before they reach end users.

This lag between detection and removal is where attackers like GreedyBear thrive. By the time a campaign is exposed, the wallets are already empty, the infrastructure may have shifted, and a fresh wave of malicious extensions is ready to go live.

The Bigger Picture

While GreedyBear’s motives appear to be purely financial, the operation shares traits with state-sponsored hacking groups: large-scale coordination, multi-platform targeting, and rapid deployment of infrastructure.

In the end, the GreedyBear campaign isn’t just about the $1 million lost. It’s about the erosion of trust in the systems crypto users rely on daily. As long as browser extensions remain a central part of the Web3 experience, and as long as app stores fail to catch malicious actors before damage is done, campaigns like this will keep finding fertile ground.

Source: https://bravenewcoin.com/insights/inside-russias-1m-crypto-heist-the-greedybear-operation-that-exploited-browser-trust