GreedyBear’s AI-Driven Attacks Signal New Era in Crypto Cybercrime

Russia-linked cybercrime group GreedyBear has stolen over $1 million in cryptocurrency within just five weeks, according to cybersecurity researchers. The operation represents a major escalation in the group’s activities, leveraging AI-generated code and a growing arsenal of malicious browser extensions.

150 Malicious Firefox Extensions Masquerading as Crypto Wallets

? GreedyBear has stolen $1M+ in crypto, ramping up cyber theft risks with industrial-scale tactics.
? Two Seas Capital opposes Core Scientific’s $9B buyout, citing undervaluation—potentially shifting sector valuations.#Crypto #Cybersecurity #Investing pic.twitter.com/zmNhj5nZAB
— Market Machina (@market_machina) August 8, 2025

GreedyBear has deployed 150 fraudulent Firefox extensions imitating popular crypto wallets such as MetaMask and Exodus. This is a sharp increase from 40 extensions identified between April and July, signaling a shift toward large-scale, coordinated cyberattacks.

The group’s preferred technique, known as extension hollowing, involves first releasing a legitimate wallet extension to build trust and pass security reviews. Once the extension gains users, it is updated with malicious code designed to harvest login credentials whenever victims attempt to sign in.

High-traffic wallets like MetaMask are especially targeted. The criminals also publish common tools—such as link cleaners and YouTube downloaders—to gather positive reviews before transforming them into credential-stealing malware.

AI’s Role in Accelerating the Attack Cycle

Code analysis revealed traces of AI-generated payloads, used both to create attack modules and evade security detection systems.

GreedyBear’s infrastructure is centrally managed through a single command server, coordinating browser extensions, malware, and phishing sites into a unified attack ecosystem.

The operation appears to be an evolution of the previously identified Foxy Wallet campaign, but with significantly greater scale and sophistication.

Expert Warnings for Crypto Users

Security experts urge crypto holders to:

Download wallet extensions only from official stores
Verify software publishers before installation
Enable multi-factor authentication (MFA) wherever possible

The rise of AI-powered attack automation suggests that cybercrime is entering a new phase, increasing risks not only for Bitcoin and Ethereum users, but also for a wide range of altcoin holders.