The Russian hacking group GreedyBear has significantly expanded its operations, targeting English-speaking victims with fake versions of popular crypto wallets, including MetaMask. Within five weeks the group stole over $1 million using 150 weaponized Firefox extensions and nearly 500 malicious executables distributed through pirated software.

GreedyBear uses a method called Extension Hollowing: it first uploads non-malicious versions of its extensions and later updates them with malicious code. This tactic has proved particularly effective, and the group has also planted misleading positive reviews to gain user trust. The group also runs phishing websites to harvest personal data and wallet credentials. Most of the attack domains link back to a single IP address, which indicates a high level of organization.

Koi Security recommends that users install extensions only from verified developers and avoid pirated software, and stresses the importance of hardware wallets for substantial crypto holdings, since GreedyBear also creates fake hardware wallet sites.
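The Extension Hollowing pattern described above, where a harmless extension is later updated with malicious code, can be caught on the defender side by diffing the capabilities that consecutive versions request. The following is an added example, not code from Koi Security's report or from any GreedyBear extension; the two manifests, the extension name and the sensitive-permission and broad-host lists are constructed assumptions for illustration.

```python
import json

# Permissions and host patterns whose sudden appearance in an update deserve review.
# These lists are assumptions for this example, not taken from the GreedyBear report.
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                         "clipboardRead", "nativeMessaging", "history", "downloads"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _hosts(manifest):
    """Collect every host pattern the extension can reach. MV2 lists host patterns
    under 'permissions', MV3 under 'host_permissions'; content_scripts 'matches' count too."""
    hosts = set()
    for p in manifest.get("permissions", []) + manifest.get("host_permissions", []):
        if "://" in p or p == "<all_urls>":
            hosts.add(p)
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts

def _api_permissions(manifest):
    """API permissions only (host patterns are handled by _hosts)."""
    return {p for p in manifest.get("permissions", []) if "://" not in p and p != "<all_urls>"}

def diff_manifests(old, new):
    """Return what an update added and a list of reasons the update looks like hollowing."""
    added_perms = _api_permissions(new) - _api_permissions(old)
    added_hosts = _hosts(new) - _hosts(old)
    reasons = []
    for p in sorted(added_perms & SENSITIVE_PERMISSIONS):
        reasons.append(f"update added sensitive permission '{p}'")
    for h in sorted(added_hosts & BROAD_HOSTS):
        reasons.append(f"update added broad host access '{h}'")
    if not _hosts(old) and added_hosts:
        reasons.append("extension had no host access before this update")
    return {"added_permissions": sorted(added_perms), "added_hosts": sorted(added_hosts),
            "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample: a benign first release followed by a 'hollowed' update.
OLD_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Wallet Helper", "version": "1.0.0",
  "permissions": ["storage"]
}""")
NEW_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Wallet Helper", "version": "1.0.1",
  "permissions": ["storage", "clipboardRead", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
}""")

if __name__ == "__main__":
    print(json.dumps(diff_manifests(OLD_MANIFEST, NEW_MANIFEST), indent=2))
```

The same diff can be run over manifests pulled from an extension store's version history or from an enterprise browser inventory, so that a jump in capabilities triggers review before the update is rolled out.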

Source 🔗