GreedyBear campaign steals $1M with 650 crypto-attacking tools

A malicious campaign has stolen more than $1 million in crypto using a trifecta of attack types: browser extensions, websites and malware, according to cybersecurity firm Koi Security.
Koi Security researcher Tuval Admoni said on Thursday that the malicious group, which the company dubbed “GreedyBear,” was “redefining industrial crypto robbery.”
“Most groups choose a lane – maybe they make browser extensions, or they focus on ransomware, or they run scam phishing sites – GreedyBear said, ‘Why not all three?’ And it worked.”
The attack types GreedyBear uses have been seen before, but the report highlights that cybercriminals are now combining a set of complex scams to target crypto users, which Admoni said shows scammers have stopped “thinking small.”
More than 150 fake crypto browser extensions
More than $1 million has been reported stolen from cryptocurrency users via more than 650 malicious tools that specifically target crypto wallet users, Admoni said.
The group has published more than 150 malicious browser extensions in the Firefox add-on marketplace, each designed to impersonate popular crypto wallets such as MetaMask, TronLink, Exodus and Rabby Wallet.
The threat actors use an “extension hollowing” technique: they first publish a legitimate extension to pass marketplace checks, then later turn it malicious.
Admoni explained that the malicious extensions harvest wallet credentials directly from user input fields within fake wallet interfaces.
“This method allows GreedyBear to bypass marketplace security by appearing legitimate during the initial evaluation process, then weaponize established extensions that have users’ trust and positive ratings.”
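The defender-side counterpart to the “extension hollowing” pattern described above is a periodic review of what is installed in a browser profile. The script below is an added example, not Koi Security’s tooling or anything from the report: it reads a record set in the shape of Firefox’s profile-level extensions.json (the field names `addons`, `id`, `defaultLocale.name`, `installDate`, `updateDate` and `userPermissions.origins` are an assumption about that file’s layout), and flags extensions that borrow a wallet brand name, request broad host access that would let them inject into a wallet’s UI, or were updated long after install, which is the signature of a benign listing later turned malicious. The sample data is constructed for illustration.

```python
"""Triage installed Firefox extensions for signs of wallet impersonation
and "extension hollowing" (a benign listing later turned malicious).

Added example, not Koi Security's tooling. The record layout mirrors the
fields of Firefox's profile-level extensions.json (an assumption; field
names may differ between Firefox versions) and the sample data below is
constructed for illustration.
"""
import json
from datetime import timedelta

# Wallet brands named in the report; an extension using one of these in its
# name should be checked against the vendor's published extension ID.
WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby")

# Host permissions that let an extension read or rewrite any page, including
# a wallet's own UI, where credentials are typed.
BROAD_ORIGINS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

# How long after install an update must land before we treat the listing as
# a possible "hollowed" extension (arbitrary threshold for this example).
HOLLOWING_GAP = timedelta(days=14)

# Constructed sample in the shape of extensions.json (timestamps are Unix ms).
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "addons": [
        {   # benign-looking: narrow permissions, no wallet branding
            "id": "notes@example.test",
            "defaultLocale": {"name": "Quick Notes"},
            "version": "1.0.0",
            "installDate": 1_720_000_000_000,
            "updateDate": 1_720_000_000_000,
            "userPermissions": {"permissions": ["storage"], "origins": []},
        },
        {   # wallet-branded, broad origins, updated 30 days after install
            "id": "wallet-helper@example.test",
            "defaultLocale": {"name": "MetaMask Helper"},
            "version": "2.3.1",
            "installDate": 1_720_000_000_000,
            "updateDate": 1_720_000_000_000 + 30 * 86_400_000,
            "userPermissions": {
                "permissions": ["storage", "tabs"],
                "origins": ["<all_urls>"],
            },
        },
    ]
})


def triage_extension(addon):
    """Return the list of risk indicators raised by one extensions.json record."""
    name = addon.get("defaultLocale", {}).get("name", "")
    origins = addon.get("userPermissions", {}).get("origins", [])
    indicators = []

    if any(brand in name.lower() for brand in WALLET_BRANDS):
        indicators.append("wallet-branded name; verify id against vendor listing")
    if any(origin in BROAD_ORIGINS for origin in origins):
        indicators.append("broad host access (can inject into wallet UI)")
    installed = addon.get("installDate", 0)
    updated = addon.get("updateDate", installed)
    if updated - installed > HOLLOWING_GAP.total_seconds() * 1000:
        indicators.append("updated long after install; review what changed")
    return indicators


def triage_profile(extensions_json_text):
    """Map each flagged extension id to its indicators; clean extensions are omitted."""
    data = json.loads(extensions_json_text)
    findings = {}
    for addon in data.get("addons", []):
        hits = triage_extension(addon)
        if hits:
            findings[addon["id"]] = hits
    return findings


if __name__ == "__main__":
    for ext_id, hits in triage_profile(SAMPLE_EXTENSIONS_JSON).items():
        print(ext_id)
        for hit in hits:
            print("  -", hit)
```

Against a real profile, pass the contents of the profile’s extensions.json to `triage_profile`; a hit on the brand check is only a prompt to compare the extension’s id with the one the wallet vendor publishes, since legitimate wallets also carry their own brand name and broad host permissions.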
Deddy Lavid, CEO of cybersecurity firm Cyvers, told Cointelegraph that the GreedyBear campaign “shows how cybercriminals
In early July, Koi Security identified 40 malicious Firefox extensions, suspecting Russia-based actors were behind the so-called “Foxy Wallet” campaign.
Crypto-themed malware
The second arm of the group’s attack is dedicated to crypto-themed malware, of which Koi Security has uncovered about 500 samples.
Credential stealers such as LummaStealer specifically target crypto wallet information, while ransomware variants such as Luca Stealer are designed to demand crypto payments.
Most of the malware is distributed through Russian websites offering cracked or pirated software, Admoni said.
A network of scam websites
The third attack vector in the trifecta is a network of fake websites posing as crypto-related products and services.
“These are not typical phishing pages that mimic login portals – instead, they appear as polished, fake product pages advertising digital wallets, hardware devices or wallet repair services,” Admoni said.
He said a single server acts as a central hub for command-and-control, credential collection, ransomware coordination and the scam websites, “allowing attackers to streamline operations across multiple channels.”
The campaign also shows signs of AI-generated code, which enables rapid scaling and diversification of crypto-targeted attacks and represents a new evolution of crypto-focused cybercrime.
“It’s not a passing phase – it’s the new normal,” Admoni warned.
“These attacks exploit user expectations and bypass static defenses by injecting malicious logic directly into the wallet’s UI,” Lavid said, adding that “it emphasizes the need for stronger browser vendor controls, developer transparency and user safeguards.”