{"id":41381,"date":"2025-08-10T13:31:44","date_gmt":"2025-08-10T13:31:44","guid":{"rendered":"https:\/\/dogewisperer.com\/?p=41381"},"modified":"2025-08-10T13:31:44","modified_gmt":"2025-08-10T13:31:44","slug":"crypto-thieves-dubbed-greedybear-run-industrial-scale-scam-details","status":"publish","type":"post","link":"https:\/\/dogewisperer.com\/?p=41381","title":{"rendered":"Crypto Thieves Dubbed \u2018GreedyBear\u2019 Run Industrial-Scale Scam \u2013 Details"},"content":{"rendered":"
\n

A cybercrime group called \u201cGreedyBear<\/a>\u201d has been accused of stealing over $1 million through what researchers say is one of the most wide-reaching crypto theft operations seen in months.<\/p>\n

Reports from Koi Security reveal the group is running a coordinated campaign that mixes malicious browser extensions, malware, and scam websites \u2014 all under one network.<\/p>\n

Extensions Turned Into Wallet-Stealing Tools<\/h2>\n

Instead of focusing on just one method, GreedyBear has combined several. According to Koi Security researcher Tuval Admoni, the group has deployed more than 650 malicious tools<\/a> in its latest push.<\/p>\n

This marks a sharp rise from its earlier \u201cFoxy Wallet\u201d operation in July, which involved 40 Firefox extensions.<\/p>\n

\"\"<\/p>\n

The group\u2019s tactic, called \u201cExtension Hollowing,\u201d starts with publishing clean-looking Firefox add-ons<\/a> such as video downloaders or link cleaners.<\/p>\n

These extensions, released under fresh publisher accounts, collect fake positive reviews to appear trustworthy. Later, they are swapped for malicious versions impersonating wallets like MetaMask, TronLink, Exodus, and Rabby Wallet.<\/p>\n

Once installed, they grab credentials from input fields and send them to GreedyBear\u2019s control servers.<\/p>\n

\"\"<\/p>\n

Malware Hidden In Pirated Software<\/h2>\n

Investigators have also tied nearly 500 malicious Windows files to the same group. Many of these belong to well-known malware families such as LummaStealer, ransomware similar to Luca Stealer, and trojans acting as loaders for other harmful programs.<\/p>\n

Distribution frequently occurs through Russian-language websites that host cracked or \u201crepacked\u201d software. Targeting those seeking free software, the attackers reach far beyond the crypto community.<\/p>\n

Modular malware was also found by Koi Security, in which operators can add or swap functions without deploying completely new files.<\/p>\n


\nFake Crypto Services Created To Swipe Data<\/p>\n

Based on reports<\/a>, in addition to the browser attacks and malware, GreedyBear has established fraudulent websites that fake themselves as genuine cryptocurrency solutions.<\/p>\n

Some of these are said to offer hardware wallets, and others are fake wallet repair services for devices such as Trezor.<\/p>\n

Also on offer are fake wallet apps with good-looking designs that trick users into inputting recovery phrases, private keys, and payment information.<\/p>\n

Unlike standard phishing sites that copy exchange login pages, these scam pages look more like product or support portals.<\/p>\n

Reports added that some of them remain active and are still collecting sensitive data, while others are on standby for future use.<\/p>\n

Investigators found that nearly all domains tied to these operations lead back to a single IP address \u2014 185.208.156.66. This server acts as the campaign\u2019s hub, handling stolen credentials, coordinating ransomware activity, and hosting scam sites.<\/p>\n

Featured image from Unsplash, chart from TradingView<\/em><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

A cybercrime group called \u201cGreedyBear\u201d has been accused of stealing over $1 million through what researchers say is one of the most wide-reaching crypto theft operations seen in months. Reports from Koi Security reveal the group is running a coordinated campaign that mixes malicious browser extensions, malware, and scam websites \u2014 all under one network. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[2],"tags":[3,4,5],"class_list":["post-41381","post","type-post","status-publish","format-standard","hentry","category-news","tag-crypto","tag-doge","tag-news"],"_links":{"self":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/41381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=41381"}],"version-history":[{"count":0,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/41381\/revisions"}],"wp:attachment":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=41381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=41381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=41381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}