Friday, August 8, 2025

GreedyBear Hackers Steal $1M+ in ‘Industrial Scale’ Crypto Theft Using Multi-Vector Attack


Cybersecurity firm Koi Security uncovered the GreedyBear attack group’s sophisticated operation, which used 150 weaponized Firefox extensions, nearly 500 malicious executables, and dozens of phishing websites to steal over $1 million in crypto.

The coordinated campaign employed a novel “Extension Hollowing” technique to bypass marketplace security by building legitimate-seeming extension portfolios before weaponizing them with malicious code.

Single Server Controls $1M+ Theft Operation

The attack group consolidated operations through a single server, controlling command infrastructure across browser extensions, malware payloads, and scam websites.

GreedyBear evolved from the previously identified “Foxy Wallet” campaign, which involved 40 malicious extensions. The group now demonstrates massive scale and coordination in crypto-focused cybercrime operations.

The malicious Firefox extensions impersonated popular cryptocurrency wallets, including MetaMask, TronLink, Exodus, and Rabby Wallet, while capturing credentials directly from user input fields.

Image: GreedyBear Hackers Steal $1M+ in 'Industrial Scale' Crypto Theft Using Multi-Vector Attack (Source: Koi Security)

Nearly 500 Windows executables spanning multiple malware families targeted victims through Russian websites distributing cracked software, while fake product landing pages advertised fraudulent hardware wallets and repair services.

Security researchers identified clear indicators of AI-generated code artifacts throughout the campaign, enabling the attackers to scale operations rapidly and evade detection systems.

The infrastructure expansion includes confirmed Chrome extension variants and suggests imminent cross-platform deployment to Edge and other browser ecosystems beyond Firefox.

Extension Hollowing Technique Bypasses Marketplace Security Through Trust Building

GreedyBear pioneered the Extension Hollowing method by creating publisher accounts and uploading 5-7 innocuous extensions, such as link sanitizers and YouTube downloaders, with no functional capabilities.


The attackers posted dozens of fake positive reviews to build credibility ratings before weaponizing the established extensions by changing their names and icons and injecting malicious code.

This approach allowed them to bypass marketplace security during initial reviews while retaining the positive ratings and user trust earned by the hollowed extension’s legitimate history.

The weaponized extensions transmitted victim IP addresses during initialization, captured wallet credentials from pop-up interfaces, and exfiltrated the data to remote servers.

The campaign originated from the Foxy Wallet operation but grew beyond the initial 40 malicious extensions to over 150 weaponized Firefox add-ons.

Victims reported substantial losses, as the extensions maintained the expected wallet functionality while secretly transmitting credentials to attacker-controlled infrastructure.

Koi Security confirmed connections to Chrome through a “Filecoin Wallet” extension communicating with the same server.

The group’s systematic approach to marketplace manipulation and trust exploitation created sustainable distribution channels for credential theft operations, which OKX and Microsoft warned about earlier this year.
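The hollowing pattern described in this section (a benign first release that is later renamed, re-iconed, and given new permissions and injected scripts in an update) is something a defender can check for mechanically by diffing an extension's manifest across versions. The following audit script is an added example, not code from Koi Security or from this article; the two manifests it compares are constructed stand-ins for a "before" and "after" release, and the brand list and finding strings are the example's own choices.

```python
"""Audit an extension update for "hollowing" signs: a benign release that is
later renamed, re-iconed, and given new reach (permissions, host access) or
new code (content/background scripts) in a single update.

Added defensive example. The manifests below are constructed; they are not
the real GreedyBear extensions."""
import json

# Constructed manifest of the innocuous first release (not real data).
BENIGN_V1 = json.dumps({
    "manifest_version": 2,
    "name": "Link Sanitizer",
    "version": "1.0.0",
    "icons": {"48": "icons/link.png"},
    "permissions": ["activeTab"],
})

# Constructed manifest of a later, weaponized release (not real data).
HOLLOWED_V2 = json.dumps({
    "manifest_version": 2,
    "name": "MetaMask Wallet",
    "version": "2.0.0",
    "icons": {"48": "icons/fox.png"},
    "permissions": ["activeTab", "tabs", "storage", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "background": {"scripts": ["bg.js"]},
})

# Wallet brands named in the article; extend for your own environment.
WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby", "filecoin")
# Host patterns that grant access to every site (valid in both MV2 and MV3).
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def _perms(manifest):
    """Union of MV2 'permissions' and MV3 'host_permissions'."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def _scripts(manifest):
    """Every script file the manifest causes the browser to execute."""
    out = set()
    for cs in manifest.get("content_scripts", []):
        out.update(cs.get("js", []))
    bg = manifest.get("background", {})
    out.update(bg.get("scripts", []))          # MV2 background pages
    if "service_worker" in bg:                 # MV3 background worker
        out.add(bg["service_worker"])
    return out


def audit_update(old_json, new_json):
    """Return a list of human-readable findings for an old -> new update."""
    old, new = json.loads(old_json), json.loads(new_json)
    findings = []
    if old.get("name") != new.get("name"):
        findings.append(f"renamed: {old.get('name')!r} -> {new.get('name')!r}")
        if any(b in new.get("name", "").lower() for b in WALLET_BRANDS):
            findings.append("new name impersonates a known wallet brand")
    if old.get("icons") != new.get("icons"):
        findings.append("icon set changed")
    added = _perms(new) - _perms(old)
    if added:
        findings.append(f"new permissions: {sorted(added)}")
    if added & set(BROAD_HOSTS):
        findings.append("gained broad host access")
    new_scripts = _scripts(new) - _scripts(old)
    if new_scripts:
        findings.append(f"new scripts: {sorted(new_scripts)}")
    return findings


def hollowing_score(findings):
    """Rebranding alone is routine and new permissions alone are routine;
    both in one update is the hollowing pattern."""
    rebrand = any(f.startswith("renamed") or f == "icon set changed" for f in findings)
    reach = any(f.startswith(("new permissions", "gained broad", "new scripts")) for f in findings)
    if rebrand and reach:
        return "high"
    return "medium" if (rebrand or reach) else "low"


if __name__ == "__main__":
    result = audit_update(BENIGN_V1, HOLLOWED_V2)
    for line in result:
        print("-", line)
    print("hollowing score:", hollowing_score(result))
```

Run against an extension's published version history, the script surfaces the combination that matters here: an identity change (name, icon) landing in the same update as a jump in reach (broad host permissions, new injected scripts). Either change alone is common in legitimate extensions, which is why the score only goes to "high" when both appear together.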

Multi-Platform Campaign Coordinates Malware Distribution Through Centralized Infrastructure

The 500 malicious Windows executables spanned multiple malware families. Distribution occurred through Russian websites hosting cracked and pirated software, targeting users seeking free alternatives to legitimate applications.

Scam websites masqueraded as Jupiter-branded hardware wallets with fabricated UI mockups, and as wallet repair services claiming to fix Trezor devices.

The fraudulent landing pages collected personal information, wallet credentials, and payment details through convincing product demonstrations and service offerings.

The centralized server infrastructure enabled streamlined operations across credential collection, ransomware coordination, and phishing campaigns while maintaining operational security.

All domains resolved to the single IP address, creating a unified command-and-control system for the multi-vector attack campaign.

The campaign’s AI-assisted scaling capabilities enabled rapid payload diversification and detection evasion, which is starting to look like the new normal for crypto-focused cybercrime operations.

Legacy security solutions face increasing challenges as attackers leverage sophisticated automation tools to accelerate attack development and deployment cycles.

Recent large-scale incidents include $1 million in YouTube account hijacking scams, $3.05 million in phishing losses, and the $4.5 million CrediX exploit that was subsequently recovered through negotiations with the hacker.

Many experts have criticized the current crypto security landscape for enabling unethical activity, particularly through the negotiation approach.

Speaking with Cryptonews, Circuit CEO Harry Donnelly criticized negotiation-based recovery methods following the recent return of CrediX protocol funds, stating that “automated threat response should be standard to ensure assets are kept out of harm’s way, rather than hoping to bargain with bad actors.”

He emphasized that “the CrediX recovery is a rare win in a system that too often leaves users with little recourse.”

This comes as the cumulative total for the first half of 2025 has hit $2.2 billion in losses across 344 incidents alone.

The post GreedyBear Hackers Steal $1M+ in ‘Industrial Scale’ Crypto Theft Using Multi-Vector Attack appeared first on Cryptonews.
