{"id":7189,"date":"2025-08-08T08:09:12","date_gmt":"2025-08-08T08:09:12","guid":{"rendered":"https:\/\/bitunikey.com\/news\/crypto-scam-group-greedybear-steals-over-1m-using-fake-extensions-and-malware\/"},"modified":"2025-08-08T08:09:23","modified_gmt":"2025-08-08T08:09:23","slug":"crypto-scam-group-greedybear-steals-over-1m-using-fake-extensions-and-malware","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/crypto-scam-group-greedybear-steals-over-1m-using-fake-extensions-and-malware\/","title":{"rendered":"Crypto scam group GreedyBear steals over $1m using fake extensions and malware"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<p class=\"is-style-lead\">A group of cryptocurrency threat actors dubbed \u201cGreedyBear\u201d has stolen over $1 million in what researchers describe as an industrial-scale campaign spanning malicious browser extensions, malware, and scam websites.<\/p>\n<div id=\"cn-block-summary-block_505ce036861f223fbdc4718cd24677eb\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>GreedyBear has reportedly stolen over $1 million through malicious extensions, malware, and scam websites.<\/li>\n<li>More than 650 malicious tools targeting cryptocurrency wallet users were identified in the campaign.<\/li>\n<li>Researchers found signs of AI-generated code used to scale and diversify attacks.<\/li>\n<\/ul><\/div>\n<\/div>\n<p>GreedyBear has \u201credefined industrial-scale crypto theft,\u201d according to Koi Security researcher Tuval Admoni, who <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blog.koi.security\/greedy-bear-massive-crypto-wallet-attack-spans-across-multiple-vectors-3e8628831a05\">said<\/a> the group\u2019s approach blends multiple proven attack methods 
into one coordinated operation.<\/p>\n<p>While most cybercriminal outfits specialize in a single vector, such as phishing, ransomware, or fake extensions, GreedyBear has pursued all three simultaneously at a large scale.<\/p>\n<p>The findings come just days after blockchain security firm PeckShield reported a sharp rise in crypto crime in July, with bad actors stealing roughly $142 million across 17 major incidents.<\/p>\n<h2 class=\"wp-block-heading\">Malicious browser extensions<\/h2>\n<p>Koi Security\u2019s investigation found that GreedyBear\u2019s current campaign has already deployed more than 650 malicious tools targeting cryptocurrency wallet users.<\/p>\n<p>Admoni noted that this marks an escalation from the group\u2019s earlier \u201cFoxy Wallet\u201d campaign, in which Koi exposed 40 malicious Firefox extensions in July.<\/p>\n<p>The group uses a technique Koi calls \u201cExtension Hollowing\u201d to bypass marketplace checks and gain user trust.<\/p>\n<p>Operators first publish innocuous-looking Firefox extensions \u2014 such as link sanitizers or video downloaders \u2014 under new publisher accounts. 
These are then padded with fake positive reviews before being converted into wallet-impersonating tools targeting MetaMask, TronLink, Exodus, and Rabby Wallet.<\/p>\n<p>Once weaponized, the extensions harvest credentials directly from user input fields and transmit them to GreedyBear\u2019s command-and-control server.<\/p>\n<h2 class=\"wp-block-heading\">Crypto malware<\/h2>\n<p>Beyond extensions, researchers found nearly 500 malicious Windows executables tied to the same infrastructure.<\/p>\n<p>These files span multiple malware families, including credential stealers such as LummaStealer, ransomware variants resembling Luca Stealer, and generic trojans likely acting as loaders for other payloads.<\/p>\n<p>Koi Security noted that many of these samples appear in malware distribution pipelines hosted on Russian-language websites that offer cracked, pirated, or \u201crepacked\u201d software. This distribution method not only widens the group\u2019s reach to less security-conscious users but also lets the group seed infections beyond the crypto-native audience.<\/p>\n<p>Researchers also found malware samples that demonstrated modular capabilities, suggesting the operators can update payloads or swap functions without deploying entirely new malware.<\/p>\n<h2 class=\"wp-block-heading\">Scam crypto services<\/h2>\n<p>Running in parallel with these malware operations, GreedyBear maintains a network of scam websites that impersonate cryptocurrency products and services. These websites are designed to harvest sensitive information from unsuspecting users.<\/p>\n<p>Koi Security found fake landing pages advertising hardware wallets, and bogus wallet-repair services claiming to fix popular devices like Trezor. 
Other pages were found to be promoting fake digital wallets or crypto utilities, all with professional-grade design.<\/p>\n<figure class=\"wp-block-image is-resized\"><figcaption class=\"wp-element-caption\">Fake landing pages designed to trick victims | Source: Koi Security<\/figcaption><\/figure>\n<p>Unlike traditional phishing sites that mimic exchange login pages, these scams pose as product showcases or support services. Visitors are lured into entering wallet recovery phrases, private keys, payment information, or other sensitive data, which the attackers then exfiltrate for follow-on theft or credit card fraud.<\/p>\n<p>Koi\u2019s investigation found that some of these domains were still active and harvesting data, while others appeared dormant but ready for activation in future campaigns.<\/p>\n<h2 class=\"wp-block-heading\">A central node<\/h2>\n<p>Further, Koi found that nearly all domains connected to GreedyBear\u2019s extensions, malware, and scam websites resolve to a single IP address \u2014 185.208.156.66.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/bitunikey.com\/news\/wp-content\/uploads\/2025\/08\/1754640552_315_Crypto-scam-group-GreedyBear-steals-over-1m-using-fake-extensions.png\" alt=\"Crypto scam group GreedyBear steals over $1m using fake extensions and malware - 2\"><figcaption class=\"wp-element-caption\">Connection graph for 185.208.156.66 | Source: Koi Security<\/figcaption><\/figure>\n<p>This server functions as the operation\u2019s command-and-control hub, managing credential collection, ransomware coordination, and hosting for fraudulent websites. 
By consolidating operations on one infrastructure, the group is able to track victims, adjust payloads, and distribute stolen data with greater speed and efficiency.<\/p>\n<p>According to Admoni, there were also signs of \u201cAI-generated artifacts\u201d found within the campaign\u2019s code, which makes it \u201cfaster and easier than ever for attackers to scale operations, diversify payloads, and evade detection.\u201d<\/p>\n<p>\u201cThis isn\u2019t a passing trend \u2014 it\u2019s the new normal. As attackers arm themselves with increasingly capable AI, defenders must respond with equally advanced security tools and intelligence,\u201d Admoni said.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A group of cryptocurrency threat actors dubbed \u201cGreedyBear\u201d has stolen over $1 million in what researchers describe as an industrial-scale campaign spanning malicious browser extensions, malware, and scam websites. Summary&hellip;<\/p>\n","protected":false},"author":1,"featured_media":7190,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7189","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/7189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=7189"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/7189\/revisions"}],"predecessor-version":[{"id":7191,"href":"https:\/
/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/7189\/revisions\/7191"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/7190"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=7189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=7189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=7189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
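Two findings in the article above turn into quick local checks: the single command-and-control address 185.208.156.66 that Koi says nearly all GreedyBear domains resolve to, and the "Extension Hollowing" pattern in which an innocuous Firefox add-on is later turned into a wallet impersonator. The Python below is an added example by the editor, not code from the article or from Koi Security. The host names, the DNS rows and the extensions.json entries are constructed sample data, the add-on IDs are hypothetical, and the allow-list is an assumption that a reader must replace with add-on IDs they have vetted themselves.

```python
"""Two local checks derived from the GreedyBear write-up (added example).

1. Which hosts in a DNS export resolve to the reported C2 address.
2. Which installed Firefox add-ons carry a wallet brand in their current
   name/description but are not on a vetted allow-list, reporting how long
   after installation they were last updated (a hollowed extension starts
   life as something innocuous and only later becomes a "wallet").
"""
import ipaddress
import json
from datetime import timedelta

# The C2 address reported by Koi Security for this campaign.
GREEDYBEAR_C2 = ipaddress.ip_address("185.208.156.66")

# Wallet brands the article says the hollowed extensions impersonate.
WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby")

# Constructed sample: one "host,ip" row per line, as a passive-DNS export might look.
SAMPLE_DNS = """\
wallet-repair-example.test,185.208.156.66
video-dl-example.test,185.208.156.66
legit-example.test,203.0.113.10
malformed row without a comma
"""

# Constructed sample mirroring the fields Firefox keeps in extensions.json
# (dates are milliseconds since the Unix epoch). The IDs are hypothetical.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {   # installed as a link cleaner, renamed to a wallet about 81 days later
        "id": "linkcleaner@example.test",
        "installDate": 1_746_000_000_000,
        "updateDate": 1_753_000_000_000,
        "defaultLocale": {"name": "MetaMask Wallet", "description": "Ethereum wallet"},
    },
    {   # wallet-branded but on the reader's vetted allow-list (assumed)
        "id": "known-good@example.test",
        "installDate": 1_746_000_000_000,
        "updateDate": 1_753_000_000_000,
        "defaultLocale": {"name": "Rabby Wallet", "description": "Official"},
    },
    {   # unrelated utility that never mentions a wallet
        "id": "videodl@example.test",
        "installDate": 1_750_000_000_000,
        "updateDate": 1_750_000_000_000,
        "defaultLocale": {"name": "Video Downloader", "description": "Save videos"},
    },
]})


def hosts_on_c2(dns_csv, c2=GREEDYBEAR_C2):
    """Return host names whose resolved address equals the C2 IP."""
    hits = []
    for line in dns_csv.splitlines():
        host, sep, ip = line.strip().partition(",")
        if not sep:
            continue  # skip malformed rows instead of aborting the scan
        try:
            if ipaddress.ip_address(ip.strip()) == c2:
                hits.append(host)
        except ValueError:
            continue  # not an IP literal; ignore the row
    return hits


def hollowed_wallet_suspects(extensions_json, allowlist=frozenset()):
    """Return (addon id, days between install and last update) for add-ons
    that present as a wallet brand but are not on the allow-list."""
    suspects = []
    for addon in json.loads(extensions_json).get("addons", []):
        locale = addon.get("defaultLocale", {})
        text = f"{locale.get('name', '')} {locale.get('description', '')}".lower()
        if not any(brand in text for brand in WALLET_BRANDS):
            continue
        if addon.get("id") in allowlist:
            continue
        installed = addon.get("installDate", 0)
        updated = addon.get("updateDate", installed)
        gap = timedelta(milliseconds=updated - installed)
        suspects.append((addon["id"], gap.days))
    return suspects


if __name__ == "__main__":
    print("hosts on C2:", hosts_on_c2(SAMPLE_DNS))
    # Assumed allow-list; replace with add-on IDs you have vetted yourself.
    print("suspect add-ons:",
          hollowed_wallet_suspects(SAMPLE_EXTENSIONS_JSON, {"known-good@example.test"}))
```

On a real machine, feed `hollowed_wallet_suspects` the contents of `extensions.json` from the Firefox profile directory, and give `hosts_on_c2` whatever resolver or passive-DNS export you have. Both checks are leads rather than proof: a host on a shared address is not necessarily malicious, an IP can be reassigned after the report, and a brand name in the locale strings only shows what the add-on currently claims to be, which is exactly why the install-to-update gap is reported alongside it.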