GreedyBear Hacking Group Steals Over $1M with Weaponized Browser Extensions

The Russian hacking group GreedyBear has reportedly stolen over $1 million in cryptocurrency in the past five weeks. Their primary method involves deploying 150 malicious Firefox extensions that mimic popular crypto wallets like MetaMask, Exodus, and Rabby Wallet, targeting international users.

GreedyBear utilizes "Extension Hollowing" to bypass security, uploading benign versions before updating them with malicious code. They also employ fake reviews to build trust. Once installed, these extensions steal wallet credentials. The group also distributes malicious Windows executables and operates phishing websites targeting crypto users.
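The hollowing pattern described above (a benign first upload, then an update that carries the malicious code) leaves one trace a defender can check for: the update asks for scope the original never needed. The following is an added example, not code from the article or from Koi Security; it diffs two constructed Firefox manifests (the extension name, versions and file names are made up) and flags widened permissions or content-script reach between versions.

```python
import json

# Constructed sample manifests illustrating a benign first upload followed by
# a scope-widening update. Names and values are made up for this example.
MANIFEST_V1 = json.dumps({
    "manifest_version": 2, "name": "Example Wallet Helper", "version": "1.0",
    "permissions": ["storage"],
})
MANIFEST_V2 = json.dumps({
    "manifest_version": 2, "name": "Example Wallet Helper", "version": "1.1",
    "permissions": ["storage", "tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

# Permissions and host patterns that deserve review when they first appear in an update.
HIGH_RISK = {"<all_urls>", "*://*/*", "tabs", "cookies", "webRequest",
             "webRequestBlocking", "clipboardRead", "nativeMessaging"}


def _perms(manifest):
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def _content_script_hosts(manifest):
    return {pat for cs in manifest.get("content_scripts", []) for pat in cs.get("matches", [])}


def diff_manifests(old_json, new_json):
    """Return (severity, message) findings for scope added between two versions."""
    old, new = json.loads(old_json), json.loads(new_json)
    findings = []
    for perm in sorted(_perms(new) - _perms(old)):
        findings.append(("high" if perm in HIGH_RISK else "low", f"new permission: {perm}"))
    for host in sorted(_content_script_hosts(new) - _content_script_hosts(old)):
        findings.append(("high" if host in HIGH_RISK else "low", f"new content-script host: {host}"))
    return findings


def should_hold_update(findings):
    """True when any finding is high severity, i.e. the update should be reviewed before rollout."""
    return any(sev == "high" for sev, _ in findings)


if __name__ == "__main__":
    for sev, msg in diff_manifests(MANIFEST_V1, MANIFEST_V2):
        print(f"[{sev}] {msg}")
```

The same comparison applied to a store's version history, or to an enterprise allow-list, surfaces an extension whose permissions only grew after it had accumulated installs and reviews.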

Koi Security research indicates most attack domains link to a single IP address, suggesting a profit-driven criminal operation rather than state sponsorship.

Users are advised to install extensions only from verified developers, avoid pirated software, use official wallet software directly, and consider hardware wallets for significant holdings, purchasing them only from official manufacturers.

https://cryptovka.ru/en/news/3603/greedybear-strikes-1m-stolen-via-weaponized-crypto-wallet-extensions
