Reports from Koi Security reveal the group is running a coordinated campaign that mixes malicious browser extensions, malware, and scam websites — all under one network.
This marks a sharp rise from its earlier “Foxy Wallet” operation in July, which involved 40 Firefox extensions.
These extensions, released under fresh publisher accounts, collect fake positive reviews to appear trustworthy. Later, they are swapped for malicious versions impersonating wallets like MetaMask, TronLink, Exodus, and Rabby Wallet.
Once installed, they grab credentials from input fields and send them to GreedyBear’s control servers.
Investigators have also tied nearly 500 malicious Windows files to the same group. Many of these belong to well-known malware families such as LummaStealer, ransomware similar to Luca Stealer, and trojans acting as loaders for other harmful programs.
Distribution frequently occurs through Russian-language websites that host cracked or “repacked” software. Targeting those seeking free software, the attackers reach far beyond the crypto community.
Modular malware was also found by Koi Security, in which operators can add or swap functions without deploying completely new files.
Some of these are said to offer hardware wallets, and others are fake wallet repair services for devices such as Trezor.
Also on offer are fake wallet apps with good-looking designs that trick users into inputting recovery phrases, private keys, and payment information.
Unlike standard phishing sites that copy exchange login pages, these scam pages look more like product or support portals.
Reports added that some of them remain active and are still collecting sensitive data, while others are on standby for future use.
Investigators found that nearly all domains tied to these operations lead back to a single IP address — 185.208.156.66. This server acts as the campaign’s hub, handling stolen credentials, coordinating ransomware activity, and hosting scam sites.
Featured image from Unsplash, chart from TradingView
