GreedyBear Cybercrime Group Steals Over $1 Million in Crypto Through Hundreds of Attack Tools
A sophisticated cybercrime campaign led by a group known as “GreedyBear” has successfully stolen more than $1 million worth of cryptocurrency, leveraging an extensive arsenal of malicious tools including fake browser wallet extensions, malware, and scam websites. This alarming development highlights the increasingly industrial-scale operations targeting crypto users worldwide.
Industrial-Scale Crypto Theft Using Multiple Attack Vectors
Cybersecurity firm Koi Security revealed the scope of the GreedyBear campaign, which has deployed over 650 malicious tools to compromise crypto wallet users. Tuval Admoni, a researcher at Koi Security, emphasized that GreedyBear has taken an unconventional approach by simultaneously using a combination of attack types — rather than specializing in just one method. “Most groups pick a lane — maybe they do browser extensions, or ransomware, or phishing sites — GreedyBear said, ‘Why not all three?’ And it worked. Spectacularly,” Admoni stated.
Over 150 Fake Crypto Browser Extensions Target Users
One key tactic involves publishing over 150 malicious browser extensions on the Firefox marketplace. These fake extensions impersonate popular wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet. Using an “Extension Hollowing” technique, the group initially releases a benign extension to bypass marketplace security reviews and gain user trust, then later replaces it with a malicious version designed to steal wallet credentials entered into counterfeit wallet interfaces.
“This method allows GreedyBear to bypass marketplace security by appearing legitimate during the initial review process and then weaponizing extensions that already have user trust and positive ratings,” explained Admoni.
Deddy Lavid, CEO of cybersecurity firm Cyvers, pointed out that the campaign exploits the confidence users place in browser extension stores. “Cloning popular wallet plugins, inflating reviews, then silently swapping in credential-stealing malware is a powerful attack vector,” he noted.
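The benign-then-malicious swap described above leaves a trace that a defender can check for: the update's manifest typically requests permissions, host access or content-script injection points that the reviewed version never had. The Python script below is an added example written for this article, not code from Koi Security, Cyvers or any extension marketplace. The two manifests are constructed sample data for a hypothetical "Example Wallet Helper" extension, and the set of high-risk permissions is an assumption chosen for illustration rather than a published list.

```python
import json
from typing import Any

# Constructed sample manifests (not real marketplace data) for a hypothetical
# wallet helper extension. The first is the benign build submitted for review;
# the second is a later update of the kind the article describes, which adds
# broad host access, clipboard reading and an extra background script.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Wallet Helper",
    "version": "1.0.0",
    "permissions": ["storage"],
    "content_scripts": [],
    "background": {"scripts": ["background.js"]},
})

HOLLOWED_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Wallet Helper",
    "version": "1.0.1",
    "permissions": ["storage", "webRequest", "<all_urls>", "clipboardRead"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}
    ],
    "background": {"scripts": ["background.js", "exfil.js"]},
})

# Assumed list: permissions whose first appearance in an update should block
# auto-install until a human has looked at the new version.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "*://*/*", "webRequest", "webRequestBlocking",
    "clipboardRead", "clipboardWrite", "nativeMessaging", "cookies", "history",
}
BROAD_MATCHES = {"<all_urls>", "*://*/*"}


def _permissions(manifest: dict[str, Any]) -> set[str]:
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def _content_script_matches(manifest: dict[str, Any]) -> set[str]:
    # Every URL pattern into which the extension injects a content script.
    return {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}


def _background_scripts(manifest: dict[str, Any]) -> set[str]:
    bg = manifest.get("background", {})
    scripts = set(bg.get("scripts", []))
    if "service_worker" in bg:  # MV3 form
        scripts.add(bg["service_worker"])
    return scripts


def diff_manifests(old_json: str, new_json: str) -> list[str]:
    """Return human-readable findings for everything the update gained."""
    old, new = json.loads(old_json), json.loads(new_json)
    findings: list[str] = []
    for perm in sorted(_permissions(new) - _permissions(old)):
        level = "HIGH" if perm in HIGH_RISK_PERMISSIONS else "INFO"
        findings.append(f"{level}: permission added: {perm}")
    for match in sorted(_content_script_matches(new) - _content_script_matches(old)):
        level = "HIGH" if match in BROAD_MATCHES else "INFO"
        findings.append(f"{level}: content script now injected into {match}")
    for script in sorted(_background_scripts(new) - _background_scripts(old)):
        findings.append(f"INFO: new background script: {script}")
    return findings


def is_suspicious_update(old_json: str, new_json: str) -> bool:
    """True when the update gained at least one high-risk capability."""
    return any(f.startswith("HIGH") for f in diff_manifests(old_json, new_json))


if __name__ == "__main__":
    for line in diff_manifests(BENIGN_MANIFEST, HOLLOWED_MANIFEST):
        print(line)
    print("suspicious:", is_suspicious_update(BENIGN_MANIFEST, HOLLOWED_MANIFEST))
```

In practice the two manifests come from the installed extension's directory and from the `.xpi` or `.crx` the browser has downloaded for the pending update; a permission diff of this kind only catches capability escalation, so an update that already had broad permissions and merely changes its JavaScript still needs a content review.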
Extensive Malware Targeting Crypto Wallet Information
In addition to browser extensions, GreedyBear deploys nearly 500 pieces of crypto-themed malware. This includes credential stealers like LummaStealer, which harvest wallet data, and ransomware variants such as Luca Stealer that demand payments in cryptocurrency. The majority of this malware is distributed through Russian websites offering cracked or pirated software, further expanding the group’s criminal reach.
Fake Websites as Part of the Campaign
The third component of the group’s attack trifecta involves a network of sophisticated scam websites masquerading as legitimate crypto products and services. Unlike typical phishing pages that mimic login screens, these look like polished landing pages advertising digital wallets, hardware devices, or wallet repair services.
“These fake websites act as convincing facades to lure victims,” said Admoni. A single server manages the campaign’s command-and-control, credential collection, ransomware coordination, and scam websites, streamlining operations across all three attack channels. The entire campaign is controlled from one IP address, illustrating a highly centralized and efficient criminal infrastructure.
AI-Generated Code Fuels Rapid Scaling
Significantly, the campaign shows evidence of incorporating AI-generated code, allowing rapid development and diversification of crypto attacks at scale. According to analysts, this marks a new evolution in crypto-focused cybercrime, with automated workflows that outpace traditional security defenses.
Admoni warned, “This isn’t a passing trend; it’s the new normal.” Lavid echoed this concern, stating, “These attacks exploit user trust and evade static defenses by injecting malicious logic directly into wallet user interfaces.”
Calls for Increased Vigilance and Stronger Protections
Given the sophistication of GreedyBear’s tactics, experts call for enhanced scrutiny of browser extensions by marketplace vendors, transparency from developers, and heightened vigilance from users. “Stronger vetting systems and user awareness are critical to counter these increasingly complex scams,” said Lavid.
This campaign serves as a stark reminder of the persistent risks in the cryptocurrency ecosystem, emphasizing the need for robust security measures as digital asset adoption continues to grow.
To protect themselves from crypto scams and malware, users are advised to verify browser extensions carefully, avoid downloading unverified software, and remain cautious when interacting with crypto-related websites.
Reported by Martin Young, Cointelegraph – June 2024
Excellent post. Never knew this, appreciate it for letting me know.