GreedyBear expands crypto theft with 150 malicious browser extensions and AI-driven malware

Generated by AI Agent, Coin World
Friday, Aug 8, 2025 2:04 am ET

Summary

- GreedyBear cybercriminals steal $1M+ via 150+ malicious browser extensions, scam sites, and crypto malware.

- Uses "Extension Hollowing" to bypass marketplace security checks, and fake versions of popular wallets such as MetaMask to steal credentials.

- AI-generated code enables rapid adaptation, marking industrial-scale crypto theft with coordinated ransomware attacks.

- Experts warn of systemic crypto ecosystem exploitation, urging stronger verification and user vigilance against phishing tactics.

A sophisticated cybercriminal operation known as GreedyBear has intensified its efforts in stealing cryptocurrencies, employing a multifaceted strategy that includes over 150 malicious browser extensions, hundreds of scam websites, and crypto-themed malware to extract more than $1 million in digital assets [1]. Researchers at Koi Security describe this campaign as a redefinition of large-scale crypto theft, combining browser extensions, ransomware, and phishing techniques into a single, highly coordinated effort [1].

The group’s tactics include a method known as “Extension Hollowing,” in which legitimate-looking extensions are first submitted to extension marketplaces such as Firefox’s to pass security review, then covertly modified to steal wallet credentials [1]. Tuval Admoni, a Koi Security researcher, emphasized that GreedyBear is exploiting the trust users place in well-known platforms, using fake versions of popular crypto wallets such as MetaMask and TronLink to capture sensitive information [1]. Once installed, these extensions operate under the guise of trusted tools, making the deception difficult for users to detect.
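One defensive check that follows from the "hollowing" pattern above is to compare an extension's manifest across versions and flag an update that suddenly acquires broad host access, sensitive permissions, or wallet-related wording. This is an added illustration, not Koi Security's tooling or anything GreedyBear ships; the permission watch-list, keyword list, and the two sample manifests are constructed for the example.

```python
# Constructed watch-lists for the example; a real policy would be maintained separately.
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies",
                         "clipboardRead", "nativeMessaging", "tabs"}
WALLET_TERMS = ("metamask", "tronlink", "wallet", "seed", "mnemonic")
BROAD_HOSTS = {"<all_urls>", "*://*/*"}


def _facts(manifest):
    """Collect the capability-bearing fields of a WebExtension manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    text = (manifest.get("name", "") + " " + manifest.get("description", "")).lower()
    return perms, hosts, text


def hollowing_indicators(old, new):
    """Compare two manifest versions of one extension; return a list of indicator strings."""
    o_perms, o_hosts, o_text = _facts(old)
    n_perms, n_hosts, n_text = _facts(new)
    findings = []
    for p in sorted(n_perms - o_perms):
        if p in SENSITIVE_PERMISSIONS:
            findings.append(f"new sensitive permission: {p}")
    for h in sorted(n_hosts - o_hosts):
        if h in BROAD_HOSTS or any(t in h.lower() for t in WALLET_TERMS):
            findings.append(f"new broad/wallet host: {h}")
    new_terms = [t for t in WALLET_TERMS if t in n_text and t not in o_text]
    if new_terms:
        findings.append("wallet terminology appeared: " + ", ".join(new_terms))
    return findings


# Constructed sample: a harmless note-taking add-on whose update turns wallet-targeting.
V1 = {"name": "Quick Notes", "version": "1.0", "description": "Save notes.",
      "permissions": ["storage"]}
V2 = {"name": "Quick Notes", "version": "1.1",
      "description": "Quick Notes - now with wallet backup",
      "permissions": ["storage", "clipboardRead"],
      "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}

if __name__ == "__main__":
    for line in hollowing_indicators(V1, V2):
        print(line)
```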

In addition to browser-based attacks, GreedyBear is also deploying malware specifically designed to target crypto wallets. Koi Security identified nearly 500 malware samples, including credential stealers and ransomware, which are often distributed through Russian websites offering pirated software [1]. These attacks are designed not just to extract data but also to demand ransoms in cryptocurrency, further complicating victims’ recovery efforts.

The third component of the GreedyBear strategy involves a network of scam websites that mimic legitimate crypto services, such as wallet repair or hardware devices. Unlike traditional phishing pages, these sites appear as polished, realistic product landing pages, misleading users into voluntarily submitting their information [1]. A single IP address was identified as the central hub for command-and-control, credential collection, and scam website operations, suggesting a high level of coordination among the attackers.

Notably, the use of AI-generated code indicates a new stage in the evolution of crypto-focused cybercrime, with the ability to rapidly adapt and scale malicious activities [1]. Deddy Lavid, CEO of cybersecurity firm Cyvers, warned that this represents a shift in the threat landscape, where attackers are no longer operating on an opportunistic basis but are instead adopting industrial-scale methods to systematically exploit the crypto ecosystem [1]. Lavid added that the attacks are effective because they inject malicious logic directly into wallet interfaces, bypassing traditional security measures.

The findings highlight the urgent need for stronger verification processes by browser vendors, greater transparency from developers, and increased user vigilance in identifying and avoiding malicious extensions and websites [1]. As the threat becomes more organized and technically advanced, the onus is on both users and platforms to adopt best practices such as multi-factor authentication, cold storage for digital assets, and regular security audits.

Source: [1] GreedyBear scam group ramps up crypto theft to 'industrial scale' (https://cointelegraph.com/news/greedybear-scam-crypto-theft-industrial-scale-koi-security)
