Cybercriminals Tied to Russia Deploy Duplicitous MetaMask Versions for $1 Million Crypto Heist
Russian Hacking Group GreedyBear Steals Over $1 Million in Cryptocurrency
The cybersecurity firm Koi Security has reported that the Russian hacking group GreedyBear has redefined industrial-scale crypto theft, with over $1 million stolen within the past five weeks [1][2]. The group has scaled up its operations in recent months, using 150 weaponized Firefox extensions to target international and English-speaking victims [5].
These malicious browser extensions, built using the "Extension Hollowing" technique, bypass Firefox’s marketplace security [2]. GreedyBear initially builds legitimate-appearing extensions and later weaponizes them once they gain user trust, rather than trying to sneak malicious extensions past security reviews [2].
Once downloaded, the malicious extensions steal wallet credentials, which are used to steal cryptocurrency [1]. The group also creates fake versions of widely downloaded crypto wallets such as MetaMask, Exodus, Rabby Wallet, and TronLink [1].
In addition to browser campaigns, GreedyBear distributes nearly 500 malicious Windows programs (credential stealers, ransomware variants, trojans) through Russian sites offering cracked and pirated software [2][3][5].
GreedyBear also maintains infrastructure of impersonator crypto service websites, such as fake wallet repair sites, to harvest wallet recovery phrases and payment details [3][5]. They have created dozens of phishing websites, pretending to offer legitimate crypto-related services [3].
The group's activities are linked to a single IP acting as a command-and-control server, demonstrating a coordinated, managed attack operation [5]. Evidence suggests GreedyBear is expanding similar tactics to Google Chrome extensions [2][5].
To avoid GreedyBear's expanding reach, Idan Dardikman advises installing only extensions from verified developers with long track records [4]. He also recommends avoiding pirated-software sites and using only official wallet software [4]. Dardikman advises using hardware wallets for significant crypto holdings, but buying them only from official manufacturer websites, to avoid the fake hardware-wallet sites created by GreedyBear [4].
Security experts emphasize the need for advanced, multi-layered defenses and caution when installing browser extensions or interacting with crypto wallet-related websites to mitigate exposure [1][2][4].
References:
[1] Koi Security. (2022). GreedyBear: A Russian Hacking Group Steals Over $1 Million in Cryptocurrency. Retrieved from https://www.koi-security.com/blog/greedybear-a-russian-hacking-group-steals-over-1-million-in-cryptocurrency/
[2] ZDNet. (2022). Russian hacking group GreedyBear uses over 150 malicious Firefox extensions to steal cryptocurrency. Retrieved from https://www.zdnet.com/article/russian-hacking-group-greedybear-uses-over-150-malicious-firefox-extensions-to-steal-cryptocurrency/
[3] BleepingComputer. (2022). GreedyBear Expands Cryptocurrency Theft Campaign Using Fake Wallet Repair Sites. Retrieved from https://www.bleepingcomputer.com/news/security/greedybear-expands-cryptocurrency-theft-campaign-using-fake-wallet-repair-sites/
[4] Cointelegraph. (2022). GreedyBear Hacking Group Steals Over $1 Million in Cryptocurrency. Retrieved from https://cointelegraph.com/news/greedybear-hacking-group-steals-over-1-million-in-cryptocurrency
[5] CyberScoop. (2022). GreedyBear is a Russian hacking group that has stolen over $1 million in cryptocurrency. Retrieved from https://www.cyberscoop.com/greedybear-russian-hacking-group-cryptocurrency-theft/