Russian Hacking Group GreedyBear Intensifies Crypto Heists Using Impostor Extensions

Intensified Cyber Operations by GreedyBear

Recent investigations by Koi Security reveal that the notorious hacking collective known as GreedyBear has significantly intensified its cyber operations, deploying 150 counterfeit Firefox extensions aimed at English-speaking internet users. This tactic has allowed them to amass over $1 million in cryptocurrency theft in a mere five weeks. According to Koi Security, which conducted the research and shared findings in a blog post, the group’s new strategies have transformed the scope of crypto-related cybercrime.

Modus Operandi of GreedyBear

Idan Dardikman, Koi’s Chief Technology Officer, noted to Decrypt that the current campaign targeting Firefox users stands out as the group’s most successful, generating the bulk of the reported $1 million. GreedyBear’s modus operandi includes the creation of deceptive replicas of popular crypto wallet extensions, such as MetaMask, Exodus, Rabby Wallet, and TronLink. By first uploading harmless versions of these extensions to online marketplaces, they exploit a technique known as Extension Hollowing to later inject malicious code, thereby compromising the users’ wallet credentials once the extensions are activated.
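The Extension Hollowing pattern described above (a harmless first upload, followed by an update that adds the credential-stealing code) leaves a trace in the extension's manifest: the update usually gains host access or privileged APIs the original never asked for. The following is an added example of a defender-side check, not Koi Security's tooling or anything from the campaign itself; it diffs two versions of a standard WebExtension manifest.json and flags the privilege jump. The sensitive-permission list and the two sample manifests are constructed for illustration.

```python
import json

# Illustrative starting list of API permissions whose sudden appearance in an
# update deserves a look; a real policy would be tuned to the extension type.
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs",
                         "clipboardRead", "nativeMessaging", "cookies"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _host_patterns(manifest):
    """Every host pattern the extension claims: MV2 'permissions',
    MV3 'host_permissions', and each content script's 'matches'."""
    hosts = set()
    for key in ("permissions", "host_permissions"):
        hosts.update(p for p in manifest.get(key, [])
                     if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts

def _api_permissions(manifest):
    """Non-host entries of 'permissions' (e.g. 'storage', 'webRequest')."""
    return {p for p in manifest.get("permissions", [])
            if "://" not in p and p != "<all_urls>"}

def compare_manifests(old_json, new_json):
    """Return what the new manifest gained over the old one and a 'suspect'
    verdict: broad host access or a sensitive API added by an update."""
    old, new = json.loads(old_json), json.loads(new_json)
    added_hosts = _host_patterns(new) - _host_patterns(old)
    added_perms = _api_permissions(new) - _api_permissions(old)
    scripts = lambda m: {js for cs in m.get("content_scripts", [])
                         for js in cs.get("js", [])}
    findings = {
        "added_host_patterns": sorted(added_hosts),
        "added_permissions": sorted(added_perms),
        "added_content_scripts": sorted(scripts(new) - scripts(old)),
        "broad_host_access": bool(added_hosts & BROAD_HOST_PATTERNS),
    }
    findings["suspect"] = (findings["broad_host_access"]
                           or bool(added_perms & SENSITIVE_PERMISSIONS))
    return findings

# Constructed samples: the benign first upload and the "hollowed" update that
# injects a script into every page and watches network requests.
BENIGN_V1 = json.dumps({"manifest_version": 2, "name": "Wallet Helper",
                        "version": "1.0.0", "permissions": ["storage"]})
HOLLOWED_V2 = json.dumps({"manifest_version": 2, "name": "Wallet Helper",
                          "version": "1.0.1",
                          "permissions": ["storage", "webRequest", "<all_urls>"],
                          "content_scripts": [{"matches": ["*://*/*"],
                                               "js": ["inject.js"],
                                               "run_at": "document_start"}]})
```

Run against the stored manifest of an installed extension and the one shipped by its latest update; a "suspect" result on a wallet-branded extension whose first version needed nothing is exactly the pattern this campaign relies on.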

To maintain a facade of credibility, GreedyBear also fabricates positive reviews for these extensions. Beyond Firefox, the group deploys nearly 500 malicious executables disguised as legitimate software on Russian websites that offer pirated downloads. These executables, which carry various types of malware including ransomware and Trojan horses, point to a sophisticated malware-distribution pipeline that the group can adapt as its strategies change.

Phishing and Target Demographics

In addition to these executables, the group has set up numerous phishing websites that masquerade as authentic crypto services, such as digital wallet providers or hardware device sellers. These sites lure unwary victims into divulging their personal information and wallet access details, thus facilitating further theft.

Dardikman explained that while the Firefox-based attack primarily targets a global audience, especially in English-speaking regions, the malicious executables target a predominantly Russian-speaking demographic. Notably, Koi Security has traced almost all associated GreedyBear domains back to a single IP address—185.208.156.66—which serves as a central point for their operations, suggesting a high level of organizational structure and coordination.

Advice for Users

Dardikman pointed out that the reliance on this single IP address indicates a centralized rather than decentralized network, implying that the group operates independently for profit rather than under state sponsorship. As GreedyBear is anticipated to persist in its malicious activities, Dardikman offers crucial advice for users to safeguard themselves:

  • Download extensions solely from reputable developers with established track records.
  • Avoid pirated software.
  • Use officially sanctioned wallet software rather than browser extensions.
  • For those holding significant crypto assets long-term, transition to hardware wallets—obtained directly from legitimate manufacturers.

GreedyBear has been known to create counterfeit sites to obtain payment information and credentials, making these precautions essential for users.