
Cybercrime Group GreedyBear Ramps Up $1M in Crypto Heist

Written by Jalpa Bhavsar
Fact-checked by Divya Mistry
Published 2025-08-08

A cybercrime group known as “GreedyBear” has stolen over $1 million in cryptocurrency in a large-scale, multi-faceted attack, cybersecurity firm Koi Security has discovered.

Unlike most cybercriminals, who focus on one tactic, GreedyBear uses three attack vectors in tandem, which makes the operation highly coordinated. The three vectors are fake browser wallet extensions, crypto-targeting malware, and scam websites.

According to Koi Security researcher Tuval Admoni, “Most groups pick a lane — maybe they do browser extensions, or ransomware, or phishing sites. GreedyBear said, ‘Why not all three?’ And it worked. Spectacularly.” Admoni said the group has used over 650 malicious tools aimed at crypto wallet users, stealing more than $1 million in the process.

Fake Wallet Extensions, Malware, and Scam Sites

The group has published over 150 fake crypto wallet browser extensions on the Firefox marketplace. These impersonate popular wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet.

At first, the extensions are harmless, which lets them pass Firefox’s review process. Once they are approved and trusted by users, the criminals update them with malicious code that steals wallet passwords and private keys directly from the wallet interface.
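
Because the malicious code arrives in an update rather than in the reviewed version, a defender's check is to compare each update against the version that was approved. The following sketch is an added illustration, not code from Koi Security or from this article; the sample extension, its file names and the function names are constructed, and it assumes two unpacked versions are available as path-to-bytes mappings with standard WebExtension manifest fields.

```python
import json

def granted(manifest):
    # Manifest V2 lists host patterns under "permissions"; V3 moves them
    # to "host_permissions". Treat both as one grant set.
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))

def injected_into(manifest):
    # URL patterns where the extension runs content scripts.
    return {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}

def diff_update(old, new):
    """Compare two unpacked versions ({path: bytes}) of one extension."""
    om = json.loads(old["manifest.json"])
    nm = json.loads(new["manifest.json"])
    return {
        "added_permissions": sorted(granted(nm) - granted(om)),
        "added_content_matches": sorted(injected_into(nm) - injected_into(om)),
        # New or modified scripts: code that review of the old version never saw.
        "changed_scripts": sorted(
            p for p, data in new.items()
            if p.endswith(".js") and old.get(p) != data
        ),
    }

def widens_access(report):
    # Wider grants after approval are high signal; script-only changes stay in the report.
    return bool(report["added_permissions"] or report["added_content_matches"])

# Constructed sample: a hypothetical extension as first approved, then updated.
APPROVED = {
    "manifest.json": json.dumps({
        "manifest_version": 2, "name": "Example Wallet", "version": "1.0",
        "permissions": ["storage"],
    }).encode(),
    "popup.js": b"render();",
}
UPDATED = {
    "manifest.json": json.dumps({
        "manifest_version": 2, "name": "Example Wallet", "version": "1.1",
        "permissions": ["storage", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    }).encode(),
    "popup.js": b"render(); /* changed in 1.1 */",
    "inject.js": b"/* new in 1.1 */",
}

print(diff_update(APPROVED, UPDATED), widens_access(diff_update(APPROVED, UPDATED)))
```

An update that changes only script contents will not trip `widens_access`, so the `changed_scripts` list still needs a human or automated code review.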

GreedyBear has also distributed nearly 500 malware programs aimed at stealing cryptocurrency. They include password stealers such as LummaStealer that steal wallet information, and ransomware such as Luca Stealer that encrypts devices until victims make payments in crypto. Many of these malicious files are spread through Russian websites offering pirated or cracked software.

The third component is a network of imitation crypto product websites. These are not merely fake login pages; they are built to resemble authentic landing pages for digital wallets, hardware devices, or wallet repair services. In reality, they are decoys that capture sensitive data from unsuspecting visitors.

A Single Control Hub

All of these attacks trace back to a single server and IP address. That server manages the stolen information, handles ransomware demands, and hosts the scam websites. Experts also think that GreedyBear is using AI-generated code to produce new attacks at a faster rate, making them more difficult to block.

Cybersecurity experts warn this may be the “new normal” in crypto theft, urging stricter extension store security checks, more transparency from developers, and extra caution from users before installing extensions or downloading software.


Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Jalpa Bhavsar is a Crypto Journalist with 3 years of experience in crypto, blockchain, AI, digital design, and crypto news reporting. She holds a B.Tech in Computer Science, bringing a strong technical foundation to her writing. Jalpa focuses on delivering clear, accurate, and engaging coverage of the latest trends and developments in the crypto and tech space.
Divya Mistry is the Senior Editor at The Crypto Times. She leads the central editorial desk, overseeing the review and publication of policy analyses, investigative reports, exchange coverage, and protocol exploit stories. Her editorial remit spans digital asset markets, global exchange operations, cross-border digital asset settlements, regulatory developments, and other key developments shaping the cryptocurrency industry. Divya brings more than a decade of experience in editorial strategy, content development, public relations, marketing communications, and research. Before joining The Crypto Times, she worked across multiple sectors, including finance, technology, education, healthcare, real estate, entertainment, lifestyle, and vertical transport, contributing to both digital and print publications. Her research and content work has been featured on platforms including DNA India, Zee, Forbes, and Elevator World India. She holds a Master's degree in English Literature from the University of Mumbai. Drawing on her background in long-form publishing, research, and editorial leadership, she reviews and refines complex stories to ensure accuracy, clarity, and strong editorial standards before publication.