Simply put
- In the past five weeks, the Russian hacking group GreedyBear has ramped up its operations, reportedly stealing around $1 million.
- KOI Security highlighted that this group is “redefining industrial-scale crypto theft” through the use of 150 compromised Firefox extensions.
- They’re creating counterfeit versions of popular crypto wallets like Metamask, Exodus, Laby Wallet, and Tronlink.
According to KOI Security, GreedyBear has been expanding its reach lately, particularly targeting international and English-speaking individuals with these “weaponized Firefox extensions.”
The findings of this study, shared by Koi, indicate that the group has redefined large-scale crypto theft, employing nearly 500 malicious executables and numerous phishing sites to steal over $1 million within a short timeframe.
Idan Dardikman, the CTO at KOI, remarked that the Firefox attack vector appears to be the most lucrative one, as a significant portion of the reported $1 million came from this method.
This method leverages fake versions of widely used crypto wallets, like Metamask and others.
GreedyBear operatives initially upload non-malicious versions of their extensions to bypass security measures and later update them with harmful code.
They also fabricate reviews of their extensions, creating an illusion of credibility and reliability.
Unfortunately, once these malicious extensions are installed, they start stealing wallet credentials.
GreedyBear has evidently managed to pilfer about $1 million over the last month. This campaign is a marked expansion over the group's previous ones, which used only 40 extensions.
Other major tactics include around 500 harmful Windows executables distributed on Russian sites that share repackaged or pirated software.
These executables range from credential stealers to ransomware, suggesting that the group operates a broad malware pipeline and can shift tactics as necessary.
The group has also set up numerous phishing websites masquerading as legitimate crypto services like digital wallets and repair services.
Through these websites, they lure potential victims into submitting personal information and wallet credentials, which are then used for theft.
Dardikman pointed out that while the Firefox campaign aims at English-speaking victims, the harmful executables primarily target Russian speakers.
Interestingly, KOI found that nearly all domain names associated with these attacks connect back to a single IP address, highlighting a centralized operation rather than a distributed network.
This centralization suggests organized crime rather than a state-sponsored initiative. Dardikman noted, “Usually, government operations leverage distributed setups to avoid single points of failure.”
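The single-IP finding above is the kind of pivot an analyst checks when assessing whether a set of phishing and distribution domains belongs to one operator. The script below is an added illustration, not code from KOI or the report: it takes domain-to-IP resolution records (here a constructed sample using reserved documentation addresses and `.test` names, not real indicators) and measures how concentrated the infrastructure is, flagging a campaign as centralized when most domains sit behind one address.

```python
from collections import defaultdict

# Constructed sample of passive-DNS-style records (domain, resolved IP).
# Addresses are from the RFC 5737 documentation ranges and the names are
# placeholders; none of these are indicators taken from the report.
SAMPLE_RESOLUTIONS = [
    ("wallet-restore-example.test", "203.0.113.10"),
    ("metamask-help-example.test", "203.0.113.10"),
    ("exodus-sync-example.test", "203.0.113.10"),
    ("tron-repair-example.test", "203.0.113.10"),
    ("ledger-fix-example.test", "203.0.113.10"),
    ("seed-recovery-example.test", "203.0.113.10"),
    ("crypto-support-example.test", "203.0.113.10"),
    ("crypto-support-example.test", "203.0.113.10"),  # duplicate record
    ("unrelated-cdn-example.test", "198.51.100.7"),
]


def cluster_by_ip(resolutions):
    """Group unique domains by the IP address they resolve to."""
    groups = defaultdict(set)
    for domain, ip in resolutions:
        groups[ip].add(domain.lower())
    return dict(groups)


def dominant_ip(resolutions):
    """Return (ip, share) for the IP hosting the largest fraction of domains.

    share is the number of unique domains on that IP divided by the total
    number of unique domains; (None, 0.0) for an empty input.
    """
    groups = cluster_by_ip(resolutions)
    if not groups:
        return None, 0.0
    total = len({d for domains in groups.values() for d in domains})
    ip, domains = max(groups.items(), key=lambda kv: len(kv[1]))
    return ip, len(domains) / total


def is_centralized(resolutions, threshold=0.8):
    """True when a single IP hosts at least `threshold` of all domains.

    The 0.8 cut-off is an assumed, tunable value; a hosting-heavy pattern
    like this reads as one operator rather than a distributed setup.
    """
    _, share = dominant_ip(resolutions)
    return share >= threshold


if __name__ == "__main__":
    ip, share = dominant_ip(SAMPLE_RESOLUTIONS)
    print(f"dominant IP {ip} hosts {share:.0%} of domains; "
          f"centralized={is_centralized(SAMPLE_RESOLUTIONS)}")
    for addr, domains in sorted(cluster_by_ip(SAMPLE_RESOLUTIONS).items()):
        print(addr, sorted(domains))
```

Records are de-duplicated on the domain so a noisy feed with repeated resolutions does not inflate the share; on real data the same grouping can be extended to hosting ASN or registrar to confirm the pivot.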
Looking ahead, it’s likely that GreedyBear will persist in its activities. To mitigate risks, Dardikman advised users to only install extensions from developers with a proven track record and to avoid pirated software.
He also emphasized the importance of relying solely on official wallet software and abstaining from browser extensions for significant crypto holdings.
Finally, he mentioned that using hardware wallets from official sources is crucial, as GreedyBear creates counterfeit wallets to capture payment details.