So, it turns out this hacker group called GreedyBear has pulled off a pretty insane crypto heist—stealing over $1 million by slipping malicious code into normal-looking Firefox extensions.
Here’s what they did: they’d first upload harmless tools, like screen recorders or video downloaders. Once a bunch of people installed them, they quietly pushed out updates that could grab users’ wallet info. It’s something called extension hollowing, and honestly, it’s scary how subtle it is. These extensions even had fake 5-star reviews to make them look legit.
🚨 Meet GreedyBear, the Fortune 500 of Crypto Theft
We just uncovered a coordinated attack campaign operating at unprecedented scale:
– Over 150 weaponized Firefox extensions
– Over 500 malicious Windows executables
– Dozens of phishing websitesAll managed from a centralized… pic.twitter.com/x7Lr3cd968
— ExtensionTotal – Malware Updates (@extensiontotal) August 7, 2025
Once the malicious update was live, it started targeting wallet data from MetaMask, TronLink, Phantom, and a few others. The stolen credentials were then sent straight to their servers—just like that.
Koi Security, the firm that looked into all this, said that GreedyBear also used malware-laced files and fake wallet-related websites to trap users. Some of these phishing sites looked like official pages, which made it even harder to tell what was real.
Also—this is kinda wild—a good chunk of the code in their malware seems to have been AI-generated, which maybe explains how they pulled this off at scale without being noticed for so long. Oh, and now similar stuff is popping up on Chrome and Edge too.
Conclusion
At this point, even browser extensions aren’t safe anymore. If you’re into crypto, just… be extra careful. Always double-check what you’re downloading—and if something feels off, it probably is.
