The GreedyBear scam group has executed a massive operation targeting cryptocurrency users, employing 150 malicious Firefox extensions and 500 malware programs to steal over $1 million.
Firefox Extension Fraud Targets Cryptocurrency Wallets
GreedyBear launched over 150 malicious extensions on the Firefox store targeting cryptocurrency wallet users. These extensions mimic the interfaces of popular wallets such as MetaMask, TronLink, and Exodus to steal user credentials during login attempts.
The scammers initially create seemingly legitimate extensions with limited functionality to build trust amongst users. Once they establish a positive image, they completely rewrite these extensions, injecting harmful code while keeping the positive review history intact, making them more appealing to new users.
Multi-Platform Attack: Malware and Scam Websites
GreedyBear also operates nearly 500 malicious Windows executables that spread through Russian websites distributing cracked and pirated software. The malware includes credential stealers such as LummaStealer, which target users' wallet data, as well as ransomware variants that encrypt files and demand cryptocurrency payment for decryption keys. The group also runs impersonator sites that pose as legitimate crypto services in order to harvest victims' data.
Centralized Server Controls Global Theft Operations
GreedyBear manages its entire criminal enterprise through a single IP address. All domains used across the extensions, malware payloads, and phishing sites connect to this central server, which simplifies running the operation and collecting victim data. The group has already begun testing operations on other browsers, using similar credential theft methods. Code analysis suggests that artificial intelligence tools may be helping the campaign grow quickly and become more complex.
Data collected by Koi Security highlights the ongoing evolution of GreedyBear's fraudulent schemes, leveraging modern technology and social engineering to deceive cryptocurrency users.