Cybercrime Group GreedyBear Steals $1 Million in Coordinated Crypto Heist

Generated by AI Agent, Coin World
Friday, Aug 8, 2025 6:18 am ET
Summary

- GreedyBear cybercriminals stole $1M via multi-vector attacks using fake crypto wallets, malware, and scam sites.

- Group deployed 150+ malicious Firefox extensions and 500+ malware programs to harvest wallet credentials and deploy ransomware.

- All operations centralized through single server, with AI-generated code accelerating attack development and evasion.

- Experts warn of rising sophistication in crypto crime, urging stricter browser security and user caution with extensions.

A cybercrime group known as GreedyBear has executed a $1 million cryptocurrency heist using a highly coordinated multi-vector attack strategy, according to Koi Security [1]. Unlike traditional cybercriminals who often specialize in a single method, GreedyBear simultaneously employs fake browser wallet extensions, crypto-targeting malware, and scam websites to maximize theft efficiency.

The group has deployed over 150 counterfeit browser extensions on the Firefox marketplace, mimicking well-known cryptocurrency wallets like MetaMask, TronLink, Exodus, and Rabby Wallet [1]. Initially designed to pass Firefox’s review process, these extensions later receive malicious code updates that siphon wallet passwords and private keys directly from users’ interfaces. The extensions are a key vector for the group’s large-scale data harvesting operations.

Alongside the extensions, GreedyBear has distributed nearly 500 malware programs targeting crypto users [1]. These include tools such as LummaStealer, which extracts wallet information, and Luca Stealer, a ransomware tool that locks devices and demands cryptocurrency payments. Many of these malicious programs are disseminated through Russian websites offering pirated software.

The third element of the operation involves a network of imitation crypto product websites [1]. These are not simple phishing pages but are crafted to closely resemble genuine wallet login interfaces, hardware device portals, and wallet repair services. The sites are designed to trick users into entering sensitive information while believing they are seeking support.

All components of the GreedyBear operation are controlled from a single server and IP address [1]. The centralized infrastructure is suspected of managing stolen data, facilitating ransomware attacks, and hosting the scam websites. Analysts believe the group is leveraging AI-generated code to accelerate the development of new attack methods, making the threats more difficult to detect and block.

Cybersecurity experts are cautioning that this level of sophistication and multi-channel coordination may become a new standard in crypto-related cybercrime [1]. They recommend stronger security measures for browser extension stores, increased transparency from developers, and greater caution among users when installing extensions or downloading software online.

Source: [1] Cybercrime Group GreedyBear Ramps Up $1M in Crypto Heist (https://coinmarketcap.com/community/articles/6895cbc6fbf0d76ec0d0a6e1/)
