The cybercrime group known as GreedyBear has carried out an attack resulting in the theft of over $1 million in cryptocurrency. Specialists at Koi Security describe the methods used by this group as highly coordinated.
GreedyBear's Multifaceted Attack
Unlike most cybercriminals, who typically focus on a single tactic, GreedyBear uses three different methods of attack: fake browser extensions, malware, and scam websites. Koi Security researcher Tuval Admoni stated, "Most groups pick a lane — maybe they do browser extensions, or ransomware, or phishing sites. GreedyBear said, 'Why not all three?' And it worked. Spectacularly."
Attack Methods: Fake Extensions and Malware
GreedyBear has published over 150 fake crypto wallet browser extensions on the Firefox marketplace. These extensions mimic popular wallets like MetaMask and Exodus. Initially they are harmless, so they pass Firefox's review process. Once approved, the criminals update them with malicious code that steals wallet passwords and private keys. The group has also distributed nearly 500 malware programs aimed at stealing cryptocurrency.
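As an added example (not from the article and not from Koi Security's report), here is a defender-side check in Python for the pattern described above: a first submission that looks benign, followed by an update that quietly expands what the extension can reach. The two sample manifests, the list of sensitive permissions and the wallet hostname hints are constructed assumptions for illustration.

```python
"""Flag an extension update that expands reach beyond its first submission.

Compares two versions of an extension's manifest.json and reports added
permissions, newly matched hosts and changed background scripts: the kind of
drift a store reviewer or an enterprise allow-list process should look at
before accepting an update.
"""
import json

# Constructed sample: the benign first submission.
MANIFEST_V1 = json.dumps({
    "manifest_version": 2,
    "name": "Wallet Helper (constructed sample)",
    "version": "1.0.0",
    "permissions": ["storage"],
    "background": {"scripts": ["background.js"]},
    "content_scripts": [],
})

# Constructed sample: a later update of the same extension id.
MANIFEST_V2 = json.dumps({
    "manifest_version": 2,
    "name": "Wallet Helper (constructed sample)",
    "version": "1.1.0",
    "permissions": ["storage", "clipboardRead", "<all_urls>"],
    "background": {"scripts": ["background.js", "sync.js"]},
    "content_scripts": [{"matches": ["*://*.metamask.io/*"], "js": ["inject.js"]}],
})

# Permissions a benign first submission rarely needs (assumed list).
SENSITIVE_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "cookies", "clipboardRead",
    "clipboardWrite", "nativeMessaging", "scripting", "tabs",
}

# Hostname fragments that should not silently appear in a content script's
# match list (constructed hints, not an exhaustive list).
WALLET_HOST_HINTS = ("metamask", "exodus", "wallet")


def _hosts(manifest):
    """Union of host patterns from permissions and content-script matches."""
    hosts = set()
    for key in ("permissions", "host_permissions", "optional_permissions"):
        hosts.update(p for p in manifest.get(key, [])
                     if "://" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def manifest_drift(old_json, new_json):
    """Return what the new manifest adds relative to the old one."""
    old, new = json.loads(old_json), json.loads(new_json)
    old_perms = set(old.get("permissions", [])) | set(old.get("optional_permissions", []))
    new_perms = set(new.get("permissions", [])) | set(new.get("optional_permissions", []))
    return {
        "version": (old.get("version"), new.get("version")),
        "added_permissions": new_perms - old_perms,
        "added_hosts": _hosts(new) - _hosts(old),
        "background_changed": old.get("background") != new.get("background"),
    }


def assess(drift):
    """Turn a drift record into a verdict with human-readable reasons."""
    reasons = []
    for perm in sorted(drift["added_permissions"] & SENSITIVE_PERMISSIONS):
        reasons.append(f"new sensitive permission: {perm}")
    for host in sorted(drift["added_hosts"]):
        if host == "<all_urls>" or any(w in host.lower() for w in WALLET_HOST_HINTS):
            reasons.append(f"new host scope: {host}")
    if drift["background_changed"]:
        reasons.append("background script set changed")
    return {"suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    verdict = assess(manifest_drift(MANIFEST_V1, MANIFEST_V2))
    print("suspicious" if verdict["suspicious"] else "no drift of concern")
    for reason in verdict["reasons"]:
        print(" -", reason)
```

Manifest drift is one signal, not a complete answer: an extension that only harvests what users type into its own popup may need no new permissions at all, so this check complements, rather than replaces, review of the updated code itself.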
Establishment of Centralized Control and Consequences
All attacks trace back to a single server and IP address, which controls stolen information, facilitates ransomware requests, and hosts scam websites. Experts suspect that GreedyBear is employing AI-generated code to expedite the production of new attacks, making them harder to block. Cybersecurity experts warn that this might be the "new normal" in crypto theft.
The GreedyBear cybercrime group illustrates new cryptocurrency-related cybersecurity dangers. Experts urge stricter security checks and caution from users.