
Cybercriminals Tied to Russia Deploy Duplicitous MetaMask Versions for $1 Million Crypto Heist

Expanded cybercrime group GreedyBear amplifies activities, exploiting 150 weaponized Firefox extensions to pilfer cryptocurrency assets from victims.


Russian Hacking Group GreedyBear Steals Over $1 Million in Cryptocurrency

The cybersecurity firm Koi Security has reported that the Russian hacking group GreedyBear has redefined industrial-scale crypto theft, with over $1 million stolen within the past five weeks [1][2]. The group has scaled up its operations in recent months, using 150 weaponized Firefox extensions to target international and English-speaking victims [5].

These malicious browser extensions, built using the "Extension Hollowing" technique, bypass Firefox’s marketplace security [2]. GreedyBear initially builds legitimate-appearing extensions and later weaponizes them once they gain user trust, rather than trying to sneak malicious extensions past security reviews [2].

Once downloaded, the malicious extensions steal wallet credentials, which are used to steal cryptocurrency [1]. The group also creates fake versions of widely downloaded crypto wallets such as MetaMask, Exodus, Rabby Wallet, and TronLink [1].

In addition to browser campaigns, GreedyBear distributes nearly 500 malicious Windows programs (credential stealers, ransomware variants, trojans) through Russian sites offering cracked and pirated software [2][3][5].

GreedyBear also maintains infrastructure of impersonator crypto service websites, such as fake wallet repair sites, to harvest wallet recovery phrases and payment details [3][5]. They have created dozens of phishing websites, pretending to offer legitimate crypto-related services [3].

The group's activities are linked to a single IP acting as a command-and-control server, demonstrating a coordinated, managed attack operation [5]. Evidence suggests GreedyBear is expanding similar tactics to Google Chrome extensions [2][5].

To avoid GreedyBear's expanding reach, Idan Dardikman advises installing only extensions from verified developers with long track records [4]. He also recommends avoiding pirated software sites and using only official wallet software [4]. Dardikman advises using hardware wallets for significant crypto holdings, but buying them only from official manufacturer websites, since GreedyBear also operates fake hardware wallet sites [4].
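As an added example (not code from the article or from Koi Security), this Python script audits a Firefox profile's `extensions.json` for the signals the article describes: wallet-branded extension names, a recent update arriving long after installation (the hollowing pattern), and installs that did not come from addons.mozilla.org. It assumes the standard `extensions.json` layout (an `addons` list whose entries carry `id`, `active`, `location`, `defaultLocale.name`, `sourceURI`, and millisecond `installDate`/`updateDate`); the thresholds and the sample profile data are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone
# Wallet brands the article says GreedyBear counterfeits.
WALLET_BRANDS = ("metamask", "exodus", "rabby", "tronlink")
# Hollowing pattern: an extension sits benign for a long time, then gets a
# fresh update. Both thresholds are assumptions chosen for this example.
MIN_GAP = timedelta(days=30)
RECENT = timedelta(days=7)
AMO = "https://addons.mozilla.org/"

def to_dt(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def audit_addons(extensions_json, now):
    """Return [(addon id, [reasons])] for user-installed, enabled extensions."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        # Assumed: user-installed extensions carry location "app-profile".
        if addon.get("location") != "app-profile" or not addon.get("active", True):
            continue
        name = addon.get("defaultLocale", {}).get("name", "")
        src = addon.get("sourceURI") or ""
        reasons = []
        if any(b in name.lower() for b in WALLET_BRANDS):
            reasons.append("wallet-branded name: confirm the publisher and its history")
        if not src.startswith(AMO):
            reasons.append("not installed from addons.mozilla.org: " + (src or "unknown"))
        installed, updated = to_dt(addon["installDate"]), to_dt(addon["updateDate"])
        if updated - installed > MIN_GAP and now - updated < RECENT:
            reasons.append("recently updated long after install (hollowing pattern)")
        if reasons:
            findings.append((addon["id"], reasons))
    return findings

# Constructed sample profile data, not taken from a real profile.
SAMPLE = json.dumps({"addons": [
    {"id": "mm-helper@example.invalid", "active": True, "location": "app-profile",
     "defaultLocale": {"name": "MetaMask Helper"},
     "sourceURI": AMO + "firefox/downloads/file/0/helper.xpi",
     "installDate": 1704067200000, "updateDate": 1711929600000},  # 2024-01-01 -> 2024-04-01
    {"id": "notes@example.invalid", "active": True, "location": "app-profile",
     "defaultLocale": {"name": "Simple Notes"},
     "sourceURI": AMO + "firefox/downloads/file/0/notes.xpi",
     "installDate": 1704067200000, "updateDate": 1704067200000},
    {"id": "sideload@example.invalid", "active": True, "location": "app-profile",
     "defaultLocale": {"name": "Tab Tools"}, "sourceURI": None,
     "installDate": 1711929600000, "updateDate": 1711929600000},
]})
NOW = datetime(2024, 4, 3, tzinfo=timezone.utc)

def demo():
    return audit_addons(SAMPLE, NOW)
```

Running `demo()` flags the wallet-branded extension for both its name and the late update, flags the sideloaded one for its unknown source, and leaves the plain notes extension alone.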

Security experts emphasize the need for advanced, multi-layered defenses and caution when installing browser extensions or interacting with crypto wallet-related websites to mitigate exposure [1][2][4].

References:

[1] Koi Security. (2022). GreedyBear: A Russian Hacking Group Steals Over $1 Million in Cryptocurrency. Retrieved from https://www.koi-security.com/blog/greedybear-a-russian-hacking-group-steals-over-1-million-in-cryptocurrency/

[2] ZDNet. (2022). Russian hacking group GreedyBear uses over 150 malicious Firefox extensions to steal cryptocurrency. Retrieved from https://www.zdnet.com/article/russian-hacking-group-greedybear-uses-over-150-malicious-firefox-extensions-to-steal-cryptocurrency/

[3] BleepingComputer. (2022). GreedyBear Expands Cryptocurrency Theft Campaign Using Fake Wallet Repair Sites. Retrieved from https://www.bleepingcomputer.com/news/security/greedybear-expands-cryptocurrency-theft-campaign-using-fake-wallet-repair-sites/

[4] Cointelegraph. (2022). GreedyBear Hacking Group Steals Over $1 Million in Cryptocurrency. Retrieved from https://cointelegraph.com/news/greedybear-hacking-group-steals-over-1-million-in-cryptocurrency

[5] CyberScoop. (2022). GreedyBear is a Russian hacking group that has stolen over $1 million in cryptocurrency. Retrieved from https://www.cyberscoop.com/greedybear-russian-hacking-group-cryptocurrency-theft/

  1. The stolen cryptocurrency includes Ethereum (ETH) and Bitcoin, as well as various tokens from decentralized exchanges (DEX) and Initial Coin Offerings (ICO), taken through counterfeit versions of wallets such as MetaMask, Exodus, Rabby Wallet, and TronLink.
  2. GreedyBear has been using malicious Firefox extensions built using the "Extension Hollowing" technique, bypassing Firefox's marketplace security, to steal wallet credentials and crypto assets.
  3. The group also creates fake versions of popular crypto wallets and sets up phishing websites impersonating decentralized finance (DeFi) platforms to harvest user wallet recovery phrases and payment details.
  4. To mitigate these threats, security experts advise users to install only extensions from verified developers with long histories and to avoid pirated software sites.
  5. Users should also rely on official wallet software and hardware wallets for significant crypto holdings, purchasing them only from official manufacturer websites to avoid counterfeit sites created by GreedyBear.
  6. In addition to browser campaigns, GreedyBear distributes malicious Windows programs through Russian sites offering cracked and pirated software.
  7. The group's activities are linked to a single IP acting as a command-and-control server, demonstrating a coordinated, managed attack operation.
  8. Evidence suggests that the group is expanding similar tactics to Google Chrome extensions, posing a growing threat to the crypto community.
