GreedyBear Heist: $1 Million in Crypto Stolen Through Over 650 Scam Tools

Researcher Tuval Admoni stated that the group has moved beyond typical scams and is operating at a much larger scale.

While many attackers focus on one method, such as phishing websites or fake browser add-ons, GreedyBear spreads fake browser extensions, builds convincing scam websites, and uses harmful software to steal information from crypto users.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

Toobit Tutorial For Beginners (FULL Animated 2025 Guide)

SUBSCRIBE

ON YOUTUBE

Koi Security found more than 150 of these fake add-ons on the Firefox extension store. They copied the appearance of crypto wallets like MetaMask, TronLink, Exodus, and Rabby Wallet.

To avoid getting caught, GreedyBear first uploads a harmless version of the extension to pass store checks. After it is approved and gets good reviews, they update it to include code that can steal users’ wallet details.

Admoni said, "These fake tools collect login details from users by pretending to be real wallet interfaces".

The report also explained that GreedyBear has built over 650 separate tools that target people who use crypto wallets. Additionally, the group runs fake websites that look like exchanges or customer support pages. They also use malware to change wallet addresses or steal copied data during transactions.

Admoni stated in the report:

Most groups pick a lane, maybe they do browser extensions, or they focus on ransomware, or they run scam phishing sites. GreedyBear said, 'Why not all three?' And it worked. Spectacularly.

Recently, cybersecurity firm CTM360 reported that scammers are running a campaign called "ClickTok". What is it? Read the full story.