tradingkey.logo
搜尋

Analysts expose GreedyBear crypto scam campaign that stole $1M via Firefox extensions

Cryptopolitan2025年8月8日 13:53
facebooktwitterlinkedin

The GreedyBear scam group has stolen over $1 million in cryptocurrency through a coordinated attack campaign.

Koi Security reported that the group launched 150 weaponized Firefox extensions in addition to 500 malicious executables. The operation used fake wallet extensions, phishing websites, and malware to target crypto users across multiple platforms.

Firefox extension fraud targets popular crypto wallets

The GreedyBear scam launched over 150 malicious extensions on the Firefox store targeting cryptocurrency users. The malicious extensions impersonate popular wallets like MetaMask, TronLink, Exodus, and Rabby Wallet. The extensions all copy legitimate wallet interfaces to hijack user credentials when users try to log in.

The hackers initially produce genuine-looking extensions like link sanitizers and YouTube downloaders with limited functionality. With a lineup of 5-7 generic utilities with fresh publisher names, they typically establish credibility in the long term.

GreedyBear scam uses Firefox extensions to steal $1M in crypto: Koi Security
Fake Firefox extension: Source: Koi Security

Once the criminals have built trust through genuine positive reviews, they empty out these extensions totally. They alter names, icons, and inject harmful code but retain the original positive review history. This method enables harmful extensions to look trustworthy to new users surfing the marketplace.

The extensions work as instruments to obtain wallet credentials from input fields in their pop-up windows. The pilfered information is transmitted to remote servers controlled by the criminal group for exploitation in due course. Extensions also transmit victim IP addresses on startup for tracking.

This action is a follow-up to previous Foxy Wallet activity that identified 40 malicious extensions. The scope has now increased more than twice from the initial case. User reports confirm victims lost significant cryptocurrency value by using these fake wallet extensions over different intervals.

Multi-platform attack combines malware and scam websites

GreedyBear scam operates nearly 500 malicious Windows executables alongside their browser extension campaign. These programs spread through Russian websites that distribute cracked and pirated software to unsuspecting users. The malware collection spans multiple threat categories for maximum damage potential.

Credential stealers like LummaStealer target crypto wallet information stored on victim computers. Ransomware variants encrypt user files and demand cryptocurrency payments for decryption keys. Generic trojans provide backdoor access for additional payload delivery when needed.

The group also maintains an infrastructure of impersonator crypto service sites for data theft. The scam sites are legitimate-looking crypto services and are not typical phishing pages. Hardware wallets with the Jupiter brand also contain mockups of an interface that are falsified to trick potential purchasers into revealing payment details.

GreedyBear scam uses Firefox extensions to steal $1M in crypto: Koi Security
Fake wallet repair site: Source: Koi Security

Another example cited in the report was wallet repair websites that claim to repair damaged Trezor products for frustrated customers. The impersonator websites harvest wallet recovery words and private keys while posing as technical support. Some domains are active while others are dormant, awaiting targeted attacks in the future.

The variety of attack methods shows that the GreedyBear scam operates a broad distribution pipeline rather than focusing on a single technique. This diversified approach allows the group to shift tactics based on what works best. The reuse of infrastructure across different malware families confirms centralized coordination behind all campaign components.

Centralized server controls global theft operations

GreedyBear operates their entire criminal enterprise through a single IP address at 185.208.156.66. Almost all domains used across extensions, malware payloads, and phishing sites connect to this central server. This hub handles command-and-control communications, credential collection, ransomware coordination, and scam website hosting.

The centralized infrastructure allows attackers to streamline operations across multiple attack channels efficiently. Data from browser extensions, malware infections, and website victims all flows to the same collection point. This approach simplifies management while providing comprehensive intelligence on target victims.

Koi Security discovered the group has already begun expanding beyond Firefox browsers. A malicious Chrome extension called Filecoin Wallet used identical credential theft methods months ago. This Chrome extension communicated with domains hosted on the same 185.208.156.66 server infrastructure.

The connection confirms GreedyBear is testing operations across different browser ecosystems. Chrome, Edge, and other browsers will likely face similar extension campaigns in the coming months. The group’s willingness to experiment across platforms shows its commitment to scaling operations.

AI tools have helped accelerate the campaign’s growth and complexity according to code analysis. Generated artifacts in the malware suggest artificial intelligence assists with payload creation and scaling. This technology allows faster development cycles and better evasion of security detection systems across different platforms.

Get seen where it counts. Advertise in Cryptopolitan Research and reach crypto’s sharpest investors and builders.

免責聲明:本網站提供的資訊僅供教育和參考之用,不應視為財務或投資建議。

推薦文章

tradingkey.logo
* 參考、分析和交易策略由提供商Trading Central提供,觀點基於分析師的獨立評估和判斷,未考慮投資者的投資目標和財務狀況。
風險提示:我們的網站和行動應用程式僅提供關於某些投資產品的一般資訊。Finsights 不提供財務建議或對任何投資產品的推薦,且提供此類資訊不應被解釋為 Finsights 提供財務建議或推薦。
投資產品存在重大投資風險,包括可能損失投資的本金,且可能並不適合所有人。投資產品的過去表現並不代表其未來表現。
Finsights 可能允許第三方廣告商或關聯公司在我們的網站或行動應用程式的任何部分放置或投放廣告,並可能根據您與廣告的互動情況獲得報酬。
© 版權所有: FINSIGHTS MEDIA PTE. LTD. 版權所有