The GreedyBear scam group has upgraded its cryptocurrency theft methods, reaching an "industrialized" scale of operation.

4 hours ago

Koi Security, a cybersecurity company, reported that a malicious operation has stolen over $1 million in cryptocurrency through a triple attack method involving hundreds of browser extensions, websites, and malware.

Koi Security researcher Tuval Admoni stated on Thursday that the company has named this malicious group "GreedyBear," which has "redefined the industrial-level cryptocurrency theft model."

Admoni pointed out that most groups typically choose one method, focusing on either browser extensions, ransomware, or phishing fraud websites, while GreedyBear employs all three and has achieved significant results.

The attack methods implemented by GreedyBear are not new, but the report emphasizes that cybercriminals are now adopting various complex scams.

Admoni mentioned that over $1 million in cryptocurrency has been stolen, with the victims being cryptocurrency users targeted by more than 650 malicious tools aimed specifically at cryptocurrency wallet users.

The group has released over 150 malicious extensions in the Firefox add-on marketplace, all disguised as mainstream cryptocurrency wallets like MetaMask, TronLink, Exodus, and Rabby Wallet.

These malicious actors have employed "Extension Hollowing" techniques: first publishing legitimate extensions to pass marketplace review, and then transforming them into malicious extensions.

Admoni explained that these malicious extensions directly steal credentials from the user input fields on fake wallet interfaces.

Deddy Lavid, CEO of cybersecurity company Cyvers, told Cointelegraph that the GreedyBear activity "demonstrates how cybercriminals exploit users' trust in browser extension stores. They clone popular wallet plugins, exaggerate reviews, and then quietly replace them with malware that steals credentials."

In early July, Koi Security discovered 40 malicious Firefox extensions suspected to be part of a so-called "Foxy Wallet" operation by Russian threat actors.

The second aspect of the group's attacks focuses on cryptocurrency-themed malware, with Koi Security identifying nearly 500 samples.

Credential stealers like LummaStealer specifically target cryptocurrency wallet information, while ransomware variants like Luca Stealer are designed to demand cryptocurrency payments.

Most malware is distributed through Russian websites offering cracked or pirated software, Admoni stated.

The third attack vector in the triple attack involves a set of fake websites for counterfeit cryptocurrency-related products and services.

Admoni noted that these are not typical phishing pages masquerading as login portals, but rather well-designed fake product pages disguised as digital wallets, hardware devices, or wallet recovery services.

A single server simultaneously handles command and control, credential collection, ransomware coordination, and the core functions of scam websites, allowing attackers to operate efficiently across multiple channels.

The activity has also shown signs of AI-generated code, enabling attackers to quickly expand and diversify their cryptocurrency attack methods, marking a new phase in cryptocurrency-focused cybercrime.

Admoni warned, "This is not a temporary trend—it's the new normal."

Lavid stated that these attacks bypass static defenses by directly injecting malicious logic into the wallet user interface, exploiting users' operational expectations. He added that this highlights the importance of browser vendors strengthening reviews, developers increasing transparency, and users remaining vigilant.


Original: “GreedyBear Scam Group Upgrades Cryptocurrency Theft Methods, Reaching 'Industrial' Scale”
