Fake Versions of MetaMask exposed in massive GreedyBear crypto theft campaign

Adnan Al-Jaziri

Fake versions of MetaMask have been exposed as part of a major hacking operation by the Russian cybercrime group GreedyBear.

According to Koi Security, the group has stolen over $1 million in the past five weeks, primarily by distributing malicious Firefox extensions disguised as legitimate crypto wallets. Victims include international and English-speaking crypto users, targeted through sophisticated deception tactics.

The hackers created fake versions of widely used wallets such as MetaMask, Exodus, Rabby Wallet, and TronLink. They used a method called Extension Hollowing, uploading harmless versions of extensions to pass security checks, then later updating them with malicious code. Fake reviews boosted their credibility, tricking unsuspecting users into downloading them. Once installed, these extensions harvested wallet credentials, enabling direct theft of funds.

Fake Versions of MetaMask exposed as a high-revenue attack vector

Koi Security’s findings reveal that GreedyBear’s Firefox extension campaign generated most of the $1 million in stolen funds. This approach is an evolution of their previous operation, which ran between April and July and involved only 40 malicious extensions. The latest campaign used 150 weaponized extensions, significantly expanding their attack scale.

Alongside the Firefox operation, GreedyBear deployed nearly 500 malicious Windows executables. These were hosted on Russian sites offering pirated or repacked software. This malware arsenal included credential stealers, ransomware, and trojans. Koi Security believes this demonstrates the group’s flexible and industrialized malware distribution pipeline.


Growing scale of international crypto wallet attacks

The combination of fake extensions, phishing sites, and malware makes GreedyBear a formidable threat to crypto security. Their tactics bypass standard browser marketplace protections and exploit user trust through deceptive ratings and reviews. The exposure of fake versions of MetaMask and other wallets underscores the urgent need for heightened user awareness and stricter extension vetting processes.

Crypto users are urged to verify wallet downloads only from official sources, avoid browser extensions without a strong track record, and remain vigilant about extension permissions. Security experts also recommend keeping security software updated and regularly monitoring wallet activity.


How were the fake versions of MetaMask created?

The hackers used a tactic called Extension Hollowing. They first uploaded non-malicious versions of popular crypto wallet extensions to pass browser security checks. After gaining approval, they updated these extensions with malicious code designed to harvest wallet credentials. This method allowed them to remain undetected until users were already compromised. By combining this with fake positive reviews, they successfully tricked users into downloading the infected wallets.

How much money did GreedyBear steal using fake wallet extensions?

According to Koi Security, the Firefox extension campaign was responsible for most of the $1 million stolen in the last five weeks. This marks a significant increase compared to earlier campaigns, which involved fewer extensions and likely generated lower profits. The larger scale and improved deception strategies made the latest operation particularly effective and dangerous.

Which wallets were targeted in this attack?

The campaign primarily targeted MetaMask, Exodus, Rabby Wallet, and TronLink. These wallets are among the most widely used in the crypto community, making them attractive targets for criminals. By imitating the official extensions, GreedyBear exploited the trust users place in these brands, significantly increasing their chances of stealing valuable credentials and cryptocurrency.

How can users protect themselves from fake wallet extensions?

Users should always download wallet extensions directly from official sources and double-check the publisher’s identity. Avoid installing browser extensions with few downloads or questionable reviews. Regularly monitor wallet activity for unusual transactions and revoke permissions for unused extensions. Security experts also advise keeping browsers and security software updated, and being skeptical of unsolicited extension recommendations. These measures can greatly reduce the risk of falling victim to similar attacks.
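
Extension Hollowing depends on an update changing what an already-approved extension can do, so comparing the manifest of the installed version against its update surfaces newly requested access. The following is an added example, not code from Koi Security or this article; the two manifests are constructed sample data and the function names are hypothetical.

```javascript
// Added example: flag access that a WebExtension update requests but the
// previously installed version did not. Function names are hypothetical.
const HOST_PATTERN = /^(<all_urls>|(\*|https?|wss?|ftp|file):\/\/)/;

// Split everything a manifest asks for into API permissions and host access.
function requestedAccess(manifest) {
  const api = new Set();
  const hosts = new Set();
  const declared = [
    ...(manifest.permissions || []),          // MV2 mixes API names and hosts here
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),     // MV3 keeps hosts separately
  ];
  for (const p of declared) (HOST_PATTERN.test(p) ? hosts : api).add(p);
  // Content scripts gain page access through their match patterns as well.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) hosts.add(m);
  }
  return { api, hosts };
}

// Report what the new manifest adds relative to the old one.
function permissionDrift(oldManifest, newManifest) {
  const before = requestedAccess(oldManifest);
  const after = requestedAccess(newManifest);
  const added = (a, b) => [...b].filter((x) => !a.has(x)).sort();
  const newApi = added(before.api, after.api);
  const newHosts = added(before.hosts, after.hosts);
  const isBroad = (h) => h === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(h);
  return {
    newApi,
    newHosts,
    broadHostAccess: newHosts.some(isBroad),
    needsReview: newApi.length > 0 || newHosts.length > 0,
  };
}

// Constructed sample manifests (not from any real extension).
const installed = { manifest_version: 2, name: "Sample Wallet", version: "1.0.0",
  permissions: ["storage"] };
const update = { manifest_version: 2, name: "Sample Wallet", version: "1.0.1",
  permissions: ["storage", "tabs", "webRequest", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }] };

console.log(permissionDrift(installed, update));
```

A manifest diff only catches changes in requested access; an update that swaps code without asking for new permissions needs a file-level comparison of the packaged scripts as well.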
