Cryptocurrency theft is on the rise, with a group of threat actors known as GreedyBear making headlines for their sophisticated and coordinated attacks. According to researchers, GreedyBear has managed to steal over $1 million through a combination of malicious browser extensions, malware, and scam websites.
What sets the group apart, according to Koi Security researcher Tuval Admoni, is not any single technique but the way it runs several attack channels (malicious browser extensions, malware, and scam websites) as one coordinated, industrial-scale operation. Most cybercriminal groups specialize in one line of business, such as phishing or ransomware; GreedyBear runs all of these at once, against the same target population, from shared infrastructure.
A recent report by PeckShield revealed a significant increase in cryptocurrency crime in July, with bad actors making off with approximately $142 million in 17 major incidents. This highlights the growing threat posed by cybercriminals targeting the cryptocurrency industry.
GreedyBear’s current campaign has deployed more than 650 malicious tools aimed at cryptocurrency wallet users, a sharp escalation from the “Foxy Wallet” campaign disclosed in July, which involved roughly 40 malicious Firefox extensions. The group gets its extensions past marketplace review with a technique Koi calls “Extension Hollowing”: it first publishes harmless-looking extensions under fresh publisher accounts and lets them accumulate reviews, then later pushes updates that rename the extension to impersonate a wallet brand and add the credential-harvesting code. The marketplace vets a benign extension, and users install what looks like an established product with a track record, before the malicious update arrives.
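The pattern described above, a benign first release that is later rebranded and given wider permissions, is visible in an extension’s version history if you keep one. The following is an added example (not code from Koi Security or from the article) that compares the first and latest release of each extension and reports the hollowing indicators it finds. The release records, the wallet-brand watchlist, and the set of “risky” permissions are all constructed assumptions for illustration, not real marketplace listings.

```python
"""Added example: flag browser-extension version histories that look like
"extension hollowing" (benign first release, later updated into a wallet
impersonator). All records below are constructed, not real listings."""
from dataclasses import dataclass

# Hypothetical watchlist of wallet brand names an extension might impersonate.
WALLET_BRANDS = {"metamask", "tronlink", "exodus", "rabby", "phantom"}

# Permissions that let an extension read every page or the clipboard. A small
# utility that suddenly adds these in a later release deserves a second look.
RISKY_PERMISSIONS = {"<all_urls>", "clipboardRead", "webRequest", "cookies", "tabs"}


@dataclass(frozen=True)
class Release:
    version: str
    name: str
    permissions: frozenset


def mentions_wallet_brand(name: str) -> bool:
    low = name.lower()
    return any(brand in low for brand in WALLET_BRANDS)


def hollowing_indicators(history: list[Release]) -> list[str]:
    """Compare the first and latest release of one extension and return the
    reasons it looks hollowed. An empty list means nothing stood out."""
    if len(history) < 2:
        return []  # nothing to diff against yet
    first, latest = history[0], history[-1]
    reasons = []
    # Indicator 1: the listing was renamed to look like a wallet product.
    if not mentions_wallet_brand(first.name) and mentions_wallet_brand(latest.name):
        reasons.append(f"rebranded {first.name!r} -> {latest.name!r}")
    # Indicator 2: risky permissions that the original release never asked for.
    added = (latest.permissions - first.permissions) & RISKY_PERMISSIONS
    if added:
        reasons.append("added risky permissions: " + ", ".join(sorted(added)))
    return reasons


def triage(catalog: dict[str, list[Release]]) -> dict[str, list[str]]:
    """Return only the extensions that have at least one indicator."""
    flagged = {}
    for ext_id, history in catalog.items():
        reasons = hollowing_indicators(history)
        if reasons:
            flagged[ext_id] = reasons
    return flagged


# Constructed version histories: one hollowed extension, one benign one.
HOLLOWED = [
    Release("1.0.0", "Link Cleaner", frozenset({"activeTab"})),
    Release("1.1.2", "Link Cleaner", frozenset({"activeTab", "storage"})),
    Release("2.0.0", "MetaMask Wallet",
            frozenset({"storage", "<all_urls>", "clipboardRead"})),
]
BENIGN = [
    Release("1.0.0", "Dark Mode Toggle", frozenset({"activeTab", "storage"})),
    Release("1.2.0", "Dark Mode Toggle", frozenset({"activeTab", "storage"})),
]

if __name__ == "__main__":
    for ext_id, reasons in triage({"ext-a": HOLLOWED, "ext-b": BENIGN}).items():
        print(ext_id, reasons)
```

The check only diffs first against latest, so it also catches a gradual escalation spread over several releases; what it cannot catch is an extension whose first release was already malicious, which is the case marketplace review is meant to handle.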
In addition to malicious browser extensions, researchers have identified nearly 500 malicious Windows executables tied to GreedyBear’s infrastructure. These files include various malware families, such as credential stealers, ransomware variants, and trojans acting as loaders for other payloads. The group distributes these malware samples through Russian-language websites that offer cracked or pirated software, allowing them to reach a wider audience.
GreedyBear also operates a network of scam websites that impersonate legitimate cryptocurrency products and services. The sites exist to get victims to type in sensitive information, wallet credentials above all, which the attackers then use to drain funds. Some of these domains are still live and collecting data; others appear dormant but could be put back into service for a future campaign.
Notably, nearly all domains associated with GreedyBear resolve to a single IP address, which points to one central hub for the group’s operations. That server acts as the command-and-control point for credential collection and ransomware coordination and also hosts the fraudulent websites. For defenders, this concentration is a gift: blocking or monitoring that one address covers much of the campaign at once, and any new domain that resolves to it is an immediate lead. Researchers also found “AI-generated artifacts” in the group’s code, which suggests the attackers are using generative tooling to scale production of extensions, malware, and sites and to vary them enough to evade detection.
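Pivoting from a few known-bad domains to everything that shares their hosting is the standard way to exploit the single-IP concentration described above. The following is an added example (not code from the article or from Koi Security) that does this over passive-DNS style records: it finds “hub” addresses that host many campaign names and expands a seed set of known-bad domains to their co-hosted neighbours. The records are constructed, using RFC 5737 documentation addresses and .test names, not real GreedyBear indicators; the `max_domains` cap is an assumed guard against pivoting through a shared CDN or hosting address that would drag in thousands of unrelated sites.

```python
"""Added example: infrastructure pivot over passive-DNS style (domain, ip)
records. Records are constructed (RFC 5737 addresses, .test names)."""
from collections import defaultdict

# Constructed resolution records. One address hosts most of the campaign;
# one name also has an older resolution to a different address.
RECORDS = [
    ("wallet-restore.test", "198.51.100.7"),
    ("hw-wallet-repair.test", "198.51.100.7"),
    ("ext-update.test", "198.51.100.7"),
    ("cracked-soft.test", "198.51.100.7"),
    ("wallet-restore.test", "203.0.113.9"),   # earlier resolution of a seed
    ("weather-widget.test", "192.0.2.44"),     # unrelated sites
    ("recipes.test", "192.0.2.45"),
]


def index_by_ip(records):
    """Map each IP to the set of distinct domains that resolved to it."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain)
    return by_ip


def hub_ips(records, min_domains=3):
    """Addresses that host at least min_domains distinct names: candidate
    central servers worth blocking or watching as a whole."""
    return {ip: names for ip, names in index_by_ip(records).items()
            if len(names) >= min_domains}


def pivot(records, seeds, max_domains=50):
    """Expand a seed set of known-bad domains to every domain sharing an IP
    with them. Addresses hosting more than max_domains names are skipped:
    a shared host or CDN would otherwise pull in unrelated sites."""
    seeds = set(seeds)
    found = set()
    for ip, names in index_by_ip(records).items():
        if names & seeds and len(names) <= max_domains:
            found |= names
    return found - seeds  # only the newly discovered domains


if __name__ == "__main__":
    for ip, names in hub_ips(RECORDS).items():
        print("hub", ip, sorted(names))
    print("pivot", sorted(pivot(RECORDS, {"wallet-restore.test"})))
```

Run against real passive-DNS data, the output of `pivot` is a candidate list, not a verdict: each discovered domain still needs a look at its content and resolution history before it goes on a blocklist, and the `max_domains` threshold should be tuned to whatever shared hosting is normal in your dataset.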
As cryptocurrency theft keeps growing, defenders need to keep pace with operations of this scale, using threat intelligence and tooling that can track a campaign across extensions, malware, and web infrastructure rather than one channel at a time. GreedyBear shows that a marketplace listing vetted once is not a lasting guarantee, and that a group willing to run every channel from one hub leaves a correspondingly concentrated footprint for those who look for it.