A cybercriminal group dubbed "GreedyBear" has significantly escalated its operations to steal cryptocurrency on what researchers describe as an "industrial scale," according to a report by cybersecurity firm Koi Security [1]. The group employs a multi-pronged strategy involving malicious browser extensions, crypto-themed malware, and a network of scam websites, collectively compromising user assets on a large scale.
The campaign has reportedly generated over $1 million in stolen cryptocurrency through more than 650 malicious tools targeting crypto wallets [1]. Koi Security researcher Tuval Admoni noted that GreedyBear’s approach is unconventional and highly effective, combining browser extensions, ransomware, and phishing-like tactics. “Most groups pick a lane — maybe they do browser extensions, or they focus on ransomware — GreedyBear said, ‘why not all three?’ And it worked. Spectacularly,” Admoni said [1].
A significant portion of the attack infrastructure involves malicious browser extensions. The group has infiltrated the Firefox browser marketplace with over 150 fake extensions that mimic well-known crypto wallets, including MetaMask, TronLink, Exodus, and Rabby Wallet [1]. These extensions use a technique known as "Extension Hollowing," where a legitimate-looking extension is first approved by the marketplace, only to later be modified to steal wallet credentials [1]. Admoni explained that this method allows the group to bypass initial security checks and then exploit user trust to carry out theft [1].
Cyvers CEO Deddy Lavid highlighted the campaign's exploitation of user trust in extension stores. He noted that attackers clone popular wallet plugins, artificially inflate positive reviews, and then silently replace the extensions with credential-stealing malware [1]. One such example identified in the report is a malicious Exodus Wallet extension [1].
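The "Extension Hollowing" pattern described in the two paragraphs above (a benign build passes review, then a later update swaps in credential-stealing code) leaves a trace in the extension's own manifest: the update typically widens permissions or the set of pages its content scripts inject into. The following is an added example, not code from the report or from Koi Security, that diffs two constructed manifest versions of a hypothetical wallet helper and flags that kind of escalation before an update is rolled out.

```python
import json

# Constructed sample manifests for a hypothetical wallet extension across two
# versions (illustrative only, not data from the report). Version 1.0 is the
# benign build that passes marketplace review; 1.1 is the "hollowed" update.
MANIFEST_V1 = json.dumps({
    "manifest_version": 2, "name": "Example Wallet Helper", "version": "1.0",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example-wallet.invalid/*"], "js": ["ui.js"]}],
})
MANIFEST_V2 = json.dumps({
    "manifest_version": 2, "name": "Example Wallet Helper", "version": "1.1",
    "permissions": ["storage", "webRequest", "<all_urls>"],
    "content_scripts": [
        {"matches": ["https://example-wallet.invalid/*"], "js": ["ui.js"]},
        {"matches": ["<all_urls>"], "js": ["inject.js"]},
    ],
})

# Permissions whose sudden appearance in an update of a wallet helper is
# unusual and worth a manual review before the update is accepted.
HIGH_RISK_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                         "clipboardRead", "nativeMessaging"}

def _matches(manifest: dict) -> set:
    """Collect every host pattern the extension's content scripts run on."""
    return {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}

def diff_manifests(old_json: str, new_json: str) -> dict:
    """Compare two versions of an extension manifest and report the changes a
    hollowing update introduces: added permissions, the high-risk subset, and
    new content-script host patterns (a broader injection scope)."""
    old, new = json.loads(old_json), json.loads(new_json)
    added_perms = set(new.get("permissions", [])) - set(old.get("permissions", []))
    added_matches = _matches(new) - _matches(old)
    return {
        "version": f'{old.get("version")} -> {new.get("version")}',
        "added_permissions": sorted(added_perms),
        "high_risk_permissions": sorted(added_perms & HIGH_RISK_PERMISSIONS),
        "added_content_script_matches": sorted(added_matches),
        # Suspicious when the update gains a high-risk permission or starts
        # injecting into every site instead of the wallet's own origin.
        "suspicious": bool(added_perms & HIGH_RISK_PERMISSIONS or "<all_urls>" in added_matches),
    }

if __name__ == "__main__":
    print(json.dumps(diff_manifests(MANIFEST_V1, MANIFEST_V2), indent=2))
```

The same check can be run against consecutive versions pulled from an extension store listing to catch a benign-then-malicious swap that a one-time review would miss.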
In addition to browser-based attacks, GreedyBear has deployed nearly 500 crypto-themed malware samples, many distributed through Russian websites offering pirated or cracked software. These include credential stealers like LummaStealer and ransomware variants such as Luca Stealer [1]. These malware samples often mimic legitimate tools, making it difficult for users to detect their true purpose [1].
The third component of the campaign is a network of scam websites that mimic crypto-related products and services. These are not traditional phishing pages but sophisticated landing pages that appear to promote digital wallets, hardware devices, or wallet repair services [1]. Admoni noted that these sites are part of a broader infrastructure, with a single IP address acting as a central hub for command-and-control functions, credential collection, and ransomware coordination [1].
The use of AI-generated code further enables the group to rapidly scale and diversify its attacks [1]. Admoni warned that this marks a new evolution in crypto-focused cybercrime, stating, “This isn’t a passing trend — it’s the new normal” [1]. Lavid added that such tactics “exploit user expectations and bypass static defenses by injecting malicious logic directly into wallet UIs” [1], underscoring the need for stronger security measures and greater user awareness.
The scale and sophistication of the GreedyBear campaign reflect the growing complexity of cyber threats in the cryptocurrency sector. As attackers continue to leverage multiple vectors and advanced techniques, the challenge for platform providers and users becomes increasingly formidable. The report serves as a stark reminder of the need for robust security protocols and continuous vigilance in the digital asset ecosystem [1].
Source: [1] GreedyBear scam group ramps up crypto theft to 'industrial scale' - Cointelegraph (https://cointelegraph.com/news/greedybear-scam-crypto-theft-industrial-scale-koi-security)