
GreedyBear Hackers Steal $1M+ in Crypto Hack Using 650 Tools and Fake Wallet Extensions

Published 08 August 2025
By Kurt Robson
Edited by Samantha Dunn
Key Takeaways
  • GreedyBear stole over $1 million from users using 150 malicious Firefox extensions and nearly 500 malicious Windows executables.
  • The group used “Extension Hollowing” to turn trusted Firefox extensions into crypto-stealing tools.
  • Chainalysis reports $2.17 billion stolen in 2025, already surpassing all of 2024.

Cybersecurity firm Koi Security has exposed a $1 million crypto hack by threat actor group GreedyBear, revealing the use of 650 malicious tools and over 100 weaponized fake extensions.

The attack reportedly hijacked 150 Firefox extensions, impersonating popular crypto wallets, tricking users, and bypassing Firefox’s security systems.

GreedyBear Crypto Hack

According to a blog post from Koi Security, the GreedyBear hack saw users lose over $1 million in crypto through a new technique called “Extension Hollowing.”

Rather than attempting to sneak malware through initial marketplace reviews, GreedyBear first builds credibility with benign uploads, then swaps them for weaponized versions later.

The process timeline:

  • Open a new marketplace account.
  • Post 5–7 innocuous extensions (link sanitizers, YouTube downloaders, utilities) with no real functionality.
  • Flood the listings with fake positive reviews.
  • Replace the code with malicious payloads while keeping the name, ratings, and install base intact.

“This approach allows GreedyBear to bypass marketplace security by appearing legitimate during the initial review process, then weaponizing established extensions that already have user trust and positive ratings,” Koi Security explained.

Once active, the malicious extensions capture wallet credentials directly from user input fields in the extension, transmit the victim’s IP address, and exfiltrate data to a remote server controlled by the group.
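A defender-side check for the Extension Hollowing swap described above, as an added example that is not from Koi Security or the original article: it diffs the manifest of the version that passed review against a later update and flags newly requested host patterns or sensitive APIs under the same name and add-on ID. The sample manifests, the `SENSITIVE_APIS` shortlist and the function names are constructed for illustration.

```python
import json

# API permissions flagged when first requested in an update; a shortlist
# chosen for this example, not an official Mozilla list.
SENSITIVE_APIS = {"cookies", "webRequest", "webRequestBlocking",
                  "clipboardRead", "nativeMessaging", "tabs", "history"}

def grants(manifest):
    """Every permission or host pattern the manifest requests (MV2 and MV3)."""
    found = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        found.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        found.update(script.get("matches", []))
    return found

def gecko_id(manifest):
    settings = manifest.get("browser_specific_settings", {})
    return settings.get("gecko", {}).get("id")

def is_host_pattern(grant):
    return grant == "<all_urls>" or "://" in grant

def hollowing_signals(reviewed, update):
    """Diff the manifest that passed review against a later update."""
    added = grants(update) - grants(reviewed)
    risky = sorted(g for g in added if g in SENSITIVE_APIS or is_host_pattern(g))
    same_listing = (gecko_id(reviewed) == gecko_id(update)
                    and reviewed.get("name") == update.get("name"))
    return {"same_listing": same_listing, "added": sorted(added),
            "risky": risky, "needs_review": same_listing and bool(risky)}

# Constructed sample manifests (not taken from any real add-on).
REVIEWED = json.loads("""{
  "manifest_version": 2, "name": "Link Sanitizer", "version": "1.0",
  "browser_specific_settings": {"gecko": {"id": "sanitizer@addon.example"}},
  "permissions": ["activeTab"]
}""")
UPDATE = json.loads("""{
  "manifest_version": 2, "name": "Link Sanitizer", "version": "1.4",
  "browser_specific_settings": {"gecko": {"id": "sanitizer@addon.example"}},
  "permissions": ["activeTab", "storage", "tabs", "https://collector.example/*"]
}""")

if __name__ == "__main__":
    print(json.dumps(hollowing_signals(REVIEWED, UPDATE), indent=2))
```

An update that swaps code without requesting anything new will not show up in a manifest diff, so this check belongs alongside a diff of the packaged scripts rather than in place of one.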

Koi Security links this escalation to the earlier Foxy Wallet campaign, which involved 40 malicious extensions.

The scale has now “more than doubled,” according to the security firm.

Windows Executables

In addition to the browser add-ons, nearly 500 malicious Windows executables were traced to GreedyBear’s infrastructure, according to the security firm.

Most were reportedly distributed through Russian websites hosting cracked or pirated software.

The group has also stood up a network of scam websites posing as legitimate crypto hardware wallets and wallet-repair services.

Unlike traditional phishing pages, these sites are presented as polished product landing pages, complete with fabricated UI mockups and fake branding.

Crypto Hacks on the Rise

The crypto industry is facing its most devastating year on record for theft, with over $2.17 billion stolen from services in the first half of 2025, according to new data from blockchain analytics firm Chainalysis.

That figure already surpasses 2024, and if current trends hold, service-related thefts could eclipse $4 billion by year’s end.

The most consequential incident came in March, when North Korean hackers stole $1.5 billion from crypto exchange ByBit.

Chainalysis said the breach accounted for 69% of all funds stolen from services this year.

Total crypto losses from 2022 – 2025 | Credit: Chainalysis Team

While service breaches dominate the headlines, Chainalysis also warned that personal wallets are increasingly being targeted, representing 23.35% of all stolen fund activity YTD.

The firm said this is due to more individual crypto holders and the development of more “sophisticated individual-targeting techniques, potentially facilitated by the growth in easy-to-deploy LLM AI tools.”

In 2025, Chainalysis said that stolen fund activity is “the dominant concern” for the crypto ecosystem.
