A cryptocurrency-focused threat group called “GreedyBear” has stolen more than $1 million in what researchers describe as an industrial-scale campaign spanning malicious browser extensions, malware and scam websites.
Summary
- GreedyBear has reportedly stolen more than $1 million through malicious extensions, malware and scam websites.
- More than 650 malicious tools targeting cryptocurrency wallets were identified in the campaign.
- Researchers found signs of AI-generated code used to scale up and diversify the attacks.
GreedyBear has “redefined theft on an industrial scale”, the researchers said. The group's approach combines several proven attack methods in one coordinated operation.
While most cybercriminal outfits specialize in a single vector, such as phishing, ransomware or fake extensions, GreedyBear has pursued all three at the same time and at scale.
The findings come only days after blockchain security company PeckShield reported a sharp rise in crypto crime in July, with bad actors stealing around $142 million across 17 major incidents.
Malicious browser extensions
The Koi Security study showed that the current GreedyBear campaign has already deployed more than 650 malicious tools targeting cryptocurrency wallet users.
Admoni noted that this marks an escalation of the group's earlier “Foxy Wallet” campaign, which exposed 40 malicious Firefox extensions in July.
The group uses a technique Koi calls “Extension Hollowing” to bypass marketplace controls and gain user trust.
Operators first publish harmless Firefox extensions, such as link sanitizers or video downloaders, under new publisher accounts. These are then padded with fake positive reviews before being converted into wallet-impersonation tools targeting MetaMask, TronLink, Exodus and Rabby Wallet.
Once weaponized, the extensions harvest data directly from user input fields and send it to the GreedyBear command-and-control server.
Crypto malware
Beyond the extensions, researchers found nearly 500 malicious Windows executables linked to the same infrastructure.
These files span multiple malware families, including credential stealers such as LummaStealer, ransomware variants resembling Luca Stealer, and generic trojans that probably act as loaders for other payloads.
Koi Security noted that many of these samples appear in malware distribution pipelines hosted on Russian websites offering cracked, pirated or “repackaged” software. This distribution method not only broadens the group's reach to less security-conscious users, but also lets it seed infections outside the crypto-native audience.
Researchers also found malware samples with modular capabilities, suggesting that the operators can update payloads or swap functionality without deploying entirely new malware.
Scam crypto services
In parallel with these malware operations, GreedyBear maintains a network of scam websites posing as cryptocurrency products and services. These sites are designed to harvest sensitive information from unsuspecting users.
Koi Security found fake landing pages advertising hardware wallets and fake wallet-repair services claiming to fix popular devices such as Trezor. Other pages promoted fake digital wallets or crypto utilities, all with a professional design.
Unlike traditional phishing sites that mimic login pages, these scams pose as product storefronts or support services. Visitors are lured into entering wallet recovery phrases, private keys, payment details or other sensitive data, which the attackers then exfiltrate for follow-on theft or credit card fraud.
Koi's research showed that some of these domains were still active and harvesting data, while others appeared dormant but ready for activation in future campaigns.
A central hub
Furthermore, Koi discovered that almost all domains connected to GreedyBear's extensions, malware and scam websites resolve to a single IP address: 185.208.156.66.
This server acts as the operation's command-and-control hub, managing credential collection, ransomware coordination and hosting for the fraudulent websites. By consolidating operations on one piece of infrastructure, the group can track victims, adjust payloads and move stolen data with greater speed and efficiency.
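The infrastructure pivot described above, as an added example that is not part of the original article or of Koi Security's tooling: it parses constructed resolver log lines (a hypothetical key=value format), groups domains by the address they resolve to, and flags both crowded hubs and any address matching the IP the report names. Domains, client addresses and timestamps are made up; only 185.208.156.66 comes from the article.

```python
import re
from collections import defaultdict

# C2 address named in the Koi Security report; everything else below is constructed.
KNOWN_C2 = {"185.208.156.66"}

# Constructed resolver log lines (not real telemetry) in a hypothetical key=value format.
SAMPLE_LOG = """\
2025-08-08T10:00:01Z client=10.0.0.5 qname=hw-wallet-shop.test rtype=A rdata=185.208.156.66
2025-08-08T10:00:07Z client=10.0.0.9 qname=wallet-repair-desk.test rtype=A rdata=185.208.156.66
2025-08-08T10:01:12Z client=10.0.0.5 qname=link-cleaner-ext.test rtype=A rdata=185.208.156.66
2025-08-08T10:01:40Z client=10.0.0.7 qname=updates.example.com rtype=A rdata=203.0.113.10
2025-08-08T10:02:03Z client=10.0.0.7 qname=cdn.example.com rtype=A rdata=203.0.113.10
2025-08-08T10:02:15Z client=10.0.0.3 qname=mail.example.com rtype=AAAA rdata=2001:db8::1
2025-08-08T10:03:00Z client=10.0.0.9 qname=hw-wallet-shop.test rtype=A rdata=185.208.156.66
"""

LINE_RE = re.compile(r"qname=(?P<qname>\S+)\s+rtype=(?P<rtype>\S+)\s+rdata=(?P<rdata>\S+)")


def parse_dns_log(text):
    """Return (qname, rdata) pairs for A/AAAA answers; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("rtype") in ("A", "AAAA"):
            records.append((m.group("qname").lower().rstrip("."), m.group("rdata")))
    return records


def cluster_by_ip(records):
    """Map each resolved address to the set of distinct domains pointing at it."""
    clusters = defaultdict(set)
    for qname, rdata in records:
        clusters[rdata].add(qname)
    return clusters


def find_hubs(clusters, min_domains=3):
    """Addresses shared by at least min_domains distinct domains, most crowded first."""
    hubs = [(ip, sorted(d)) for ip, d in clusters.items() if len(d) >= min_domains]
    return sorted(hubs, key=lambda h: (-len(h[1]), h[0]))


def match_known_c2(clusters, indicators=KNOWN_C2):
    """Domains resolving to a known C2 address, keyed by that address."""
    return {ip: sorted(clusters[ip]) for ip in indicators if ip in clusters}


if __name__ == "__main__":
    clusters = cluster_by_ip(parse_dns_log(SAMPLE_LOG))
    for ip, domains in find_hubs(clusters):
        print(f"hub {ip}: {len(domains)} domains -> {', '.join(domains)}")
    for ip, domains in match_known_c2(clusters).items():
        print(f"known C2 {ip}: {', '.join(domains)}")
```

A real deployment would read passive-DNS or resolver exports instead of the embedded sample, but the clustering and indicator match work the same way.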
According to Admoni, signs of “AI-generated artifacts” were also found in the campaign's code, making it “faster and easier than ever for attackers to scale operations, diversify payloads and evade detection.”
“This is not a passing trend – it's the new normal. While attackers arm themselves with ever more capable AI, defenders have to respond with equally advanced security tools and intelligence,” Admoni said.