According to cybersecurity company Koi Security, a malicious campaign has netted over $1 million in stolen cryptocurrency using a three-pronged attack spanning hundreds of browser extensions, websites and malware samples.
Koi Security researcher Tuval Admoni said Thursday that a malicious group called “GreedyBear” is “redefining industrial-scale crypto theft.”
“Most groups choose lanes. They run browser extensions, focus on ransomware, or run scam phishing sites. GreedyBear said, ‘Why not all three?’ And it worked spectacularly,” Admoni said.
Although the attack types GreedyBear used have been seen before, the report highlights that cybercriminals are rolling out increasingly complex scams to target crypto users.
Over 150 Fake Crypto Browser Extensions
More than $1 million reportedly was stolen from cryptocurrency users.
The group has published over 150 malicious browser extensions to the Firefox add-on marketplace, designed to impersonate popular crypto wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet.
The malicious actors use the “extension hollowing” technique: first publishing a legitimate-looking extension to pass the marketplace’s review checks, then turning it malicious in a later update.
Admoni explained that the malicious extensions capture wallet credentials directly from user input fields within the fake wallet interface.
“This approach allows GreedyBear to bypass marketplace security and weaponize established extensions that already have user trust and positive ratings, by appearing legitimate during the initial review process.”
Deddy Lavid, CEO of cybersecurity firm Cyvers, told Cointelegraph that the GreedyBear campaign “shows that cybercriminals weaponize the trust users place in their browser extension stores.”
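The hollowing pattern described above (a benign first release followed by an update that adds the capabilities needed to read wallet input) is something a marketplace reviewer or enterprise extension allow-list can check for mechanically. The following is an added example, not Koi Security’s or Cointelegraph’s code; it diffs two constructed extension manifests (the names, versions and file names are invented) and scores the added capabilities.

```python
"""Added example: flag an extension update that escalates capability, the pattern
Koi Security calls 'extension hollowing'. Manifests below are constructed, not real."""
import json

# Permissions that let an extension read other pages' input, tabs or the clipboard.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "clipboardRead",
                     "tabs", "scripting", "cookies", "<all_urls>"}

def _key(script: dict) -> str:
    return json.dumps(script, sort_keys=True)

def compare_manifests(old: dict, new: dict) -> dict:
    """Return permissions, host patterns and content scripts present only in `new`."""
    findings = {}
    added_perms = set(new.get("permissions", [])) - set(old.get("permissions", []))
    if added_perms:
        findings["permissions"] = sorted(added_perms)
    added_hosts = set(new.get("host_permissions", [])) - set(old.get("host_permissions", []))
    if added_hosts:
        findings["host_permissions"] = sorted(added_hosts)
    seen = {_key(s) for s in old.get("content_scripts", [])}
    added_scripts = [s for s in new.get("content_scripts", []) if _key(s) not in seen]
    if added_scripts:
        findings["content_scripts"] = added_scripts
    return findings

def risk_score(findings: dict) -> int:
    """Weight the additions; risky permissions and all-site injection score highest."""
    score = sum(3 if p in RISKY_PERMISSIONS else 1 for p in findings.get("permissions", []))
    score += 2 * len(findings.get("host_permissions", []))
    for script in findings.get("content_scripts", []):
        score += 2
        if any(m == "<all_urls>" or m.startswith("*://*/") for m in script.get("matches", [])):
            score += 3  # injects into every site, including real wallet pages
    return score

# Constructed: a benign v1.0.0 manifest and an update that adds credential-theft capability.
OLD_MANIFEST = {"name": "Example Wallet Helper", "version": "1.0.0",
                "permissions": ["storage"]}
NEW_MANIFEST = {"name": "Example Wallet Helper", "version": "1.0.1",
                "permissions": ["storage", "clipboardRead", "tabs"],
                "host_permissions": ["*://*/*"],
                "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}

def audit_update(old: dict = OLD_MANIFEST, new: dict = NEW_MANIFEST) -> tuple:
    """Run both checks; a non-zero score on a previously reviewed extension warrants re-review."""
    findings = compare_manifests(old, new)
    return findings, risk_score(findings)
```

The constructed update scores 13: two risky permissions, a wildcard host pattern, and a content script injected into every page.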

A malicious Exodus wallet extension. Source: Koi Security
In early July, Koi Security identified 40 malicious Firefox extensions and suspected Russian threat actors were behind what it called the “Foxy Wallet” campaign.
Crypto malware
The second arm of the group’s attack focused on crypto-themed malware, of which Koi Security discovered almost 500 samples.
Credential stealers like LummaStealer specifically target crypto wallet information, while ransomware variants such as Luca Stealer are designed to demand crypto payments.
Most of the malware is distributed through Russian websites offering cracked or pirated software, Admoni said.
Network of fraudulent websites
The trifecta’s third attack vector is a network of fake websites posing as crypto products and services.
“These are not typical phishing pages that mimic a login portal. Instead, they appear as slick, fake product landing pages advertising digital wallets, hardware devices, or wallet repair services,” Admoni said.
He said that a single server acts as a central hub for command and control, credential collection, ransomware coordination, and the fraudulent websites, allowing the attackers to streamline operations across multiple channels.

A single IP address controls the campaign. Source: Koi Security
The campaign also allows for rapid scaling and diversification of crypto-targeting attacks, representing a new evolution in crypto cybercrime, and shows signs of AI-generated code.
“This is not a passing trend — it’s the new normal,” Admoni warned.
“These attacks exploit user expectations and bypass static defenses by injecting malicious logic directly into the wallet UI,” Lavid said.