The GreedyBear campaign involves over 150 malicious Firefox extensions that impersonate cryptocurrency wallets to steal digital assets, with a focus on bypassing safeguards using Extension Hollowing. It also includes AI-generated scams across multiple platforms, including YouTube, targeting cryptocurrency users. #FoxyWallet #ExtensionHollowing
Key points
- The GreedyBear campaign uses fake extensions to impersonate popular crypto wallets like MetaMask and Exodus.
- Threat actors employ Extension Hollowing to bypass security reviews and weaponize seemingly legitimate extensions later.
- Fake extensions exfiltrate wallet credentials and IP addresses to attacker-controlled servers, facilitating theft.
- The campaign has expanded from Firefox to other browsers, such as Chrome, using similar tactics and infrastructure.
- AI tools are used to generate scam content on platforms like YouTube, increasing the scale and sophistication of attacks.
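A defender-side check for the Extension Hollowing pattern in the key points above, as an added example that is not code from the article or the researchers. It assumes hollowing shows up as a change of name or icons together with new permissions between two versions of the same extension; the manifests, the names and the `suspicious` heuristic are constructed for illustration.

```javascript
// Added example: flag identity changes plus capability growth between two
// versions of the same extension ID. Manifests below are constructed samples.

// Collect everything that grants reach: API permissions, host patterns,
// and content-script match patterns (Manifest V2 and V3 field names).
function capabilities(manifest) {
  const caps = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) caps.add(`content_script:${m}`);
  }
  return caps;
}

function compareVersions(oldM, newM) {
  const before = capabilities(oldM);
  const added = [...capabilities(newM)].filter((c) => !before.has(c)).sort();
  const renamed = oldM.name !== newM.name;
  const iconsChanged =
    JSON.stringify(oldM.icons || {}) !== JSON.stringify(newM.icons || {});
  return {
    renamed,
    iconsChanged,
    added,
    // Assumed heuristic: a new identity AND new reach in one update.
    suspicious: (renamed || iconsChanged) && added.length > 0,
  };
}

// Constructed sample: a benign utility that later becomes a "wallet".
const v1 = {
  name: 'Link Cleaner', version: '1.0',
  icons: { 48: 'clean.png' },
  permissions: ['storage'],
};
const v2 = {
  name: 'Example Wallet', version: '1.1',
  icons: { 48: 'wallet.png' },
  permissions: ['storage', 'tabs', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
};

console.log(compareVersions(v1, v2));
```

Run it over archived manifests per extension ID; a rename alone or a permission bump alone is common in legitimate updates, which is why the flag requires both.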
Read More: https://thehackernews.com/2025/08/greedybear-steals-1m-in-crypto-using.html