Russian group uses fake MetaMask clones on Firefox to steal $1 million, researchers say
A Russian cybercrime group known as GreedyBear has stolen more than one million dollars in cryptocurrency using weaponised Firefox extensions that impersonate popular wallets, according to new research from Koi Security. The campaign has scaled up in recent weeks and is aimed at international and English-speaking users.
Investigators say the operation relies on a technique they call Extension Hollowing. Attackers first upload harmless add-ons to the Mozilla marketplace to build trust, seed them with fake positive reviews, then push updates that inject credential-stealing code. Many of the 150 malicious extensions copied brands such as MetaMask, Exodus, Rabby Wallet and TronLink. Once installed, they capture wallet credentials and send them to attacker infrastructure.
The same group also runs a parallel pipeline of nearly 500 Windows malware samples, distributed via Russian sites that host pirated or repacked software. On top of that, it operates dozens of convincing phishing sites that pose as wallet products, hardware devices or “repair” services. Koi links almost all of this activity to a single internet address, 185.208.156.66, which appears to act as a central hub for command and control and data collection.
Researchers say the use of one IP address points to tight central control rather than a dispersed network. This suggests organised criminal activity for profit, not state direction. They also note that the Firefox extensions primarily hit global and English-speaking users, while the Windows malware focused more on Russian speakers.
The current wave is larger than an earlier GreedyBear effort that involved about 40 extensions between April and July this year. Analysts expect the group to keep evolving its tools and to expand to other browsers.
How to protect your funds
- Install extensions only from developers with a long, verifiable history, and review update notes before approving changes.
- Avoid pirated software sites, which commonly bundle credential stealers.
- Prefer official wallet applications. If you hold significant assets, use a hardware wallet bought directly from the manufacturer.
- Rotate passwords and seed phrases if you suspect exposure, and enable strong multi-factor authentication wherever possible.
Users are urged to audit their installed extensions, remove anything unfamiliar or newly renamed, and monitor accounts for unauthorised activity.
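The audit advised above can be partly scripted. The following is an added example, not code from the article or from Koi Security: it reads the add-on inventory in the shape of a Firefox profile's extensions.json (field names such as addons[].defaultLocale.name, installDate and updateDate are assumed from that file's format; the sample data and IDs are constructed) and flags active extensions that either carry a wallet brand name named in the campaign or were updated after installation within the last 30 days, which is exactly the pattern Extension Hollowing produces.

```python
import json

# Constructed sample in the shape of a Firefox profile's extensions.json.
# Field names are assumed from the real file; IDs, names and dates are made up.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "adblock@example", "type": "extension", "active": True,
     "defaultLocale": {"name": "Ad Blocker"}, "version": "1.6.0",
     "installDate": 1700000000000, "updateDate": 1700000000000},
    {"id": "walletlite@example", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask Wallet Lite"}, "version": "2.0.1",
     "installDate": 1750000000000, "updateDate": 1754000000000},
    {"id": "theme@example", "type": "theme", "active": True,
     "defaultLocale": {"name": "Dark Theme"}, "version": "1.0",
     "installDate": 1600000000000, "updateDate": 1600000000000},
]})

# Brands the article says the malicious extensions impersonated.
WALLET_BRANDS = ("metamask", "exodus", "rabby", "tronlink")
MS_PER_DAY = 86_400_000


def audit_extensions(raw_json, now_ms, recent_days=30):
    """Return (id, name, reasons) for active extensions worth a manual look.

    A brand-name match means: confirm this is the official listing and
    publisher. A post-install update within recent_days means: read the
    update notes, since hollowed add-ons turn malicious via an update.
    """
    findings = []
    for addon in json.loads(raw_json).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue  # themes, dictionaries and disabled add-ons are out of scope
        name = addon.get("defaultLocale", {}).get("name", "")
        reasons = []
        if any(brand in name.lower() for brand in WALLET_BRANDS):
            reasons.append("name matches a wallet brand used in the campaign")
        installed = addon.get("installDate", 0)
        updated = addon.get("updateDate", 0)
        if updated > installed and now_ms - updated < recent_days * MS_PER_DAY:
            reasons.append("updated after install within %d days" % recent_days)
        if reasons:
            findings.append((addon["id"], name, reasons))
    return findings


if __name__ == "__main__":
    # Constructed "now" timestamp, ~11.5 days after the suspicious update.
    for ext_id, name, reasons in audit_extensions(SAMPLE_EXTENSIONS_JSON, 1755000000000):
        print(ext_id, name, "; ".join(reasons), sep=" | ")
```

To run it against a real profile, pass the contents of extensions.json and the current time in milliseconds; the output is a review list, not a verdict.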
Photo Credit: DepositPhotos.com
