Russian hacker group GreedyBear recently stole over $1 million in cryptocurrency by forging MetaMask wallets

PANews reported on August 11 that according to Decrypt, Koi Security, based in the United States and Israel, reported that the Russian hacker group GreedyBear used 150 "weaponized Firefox extensions", nearly 500 malicious executable files and "dozens" of phishing websites to steal more than $1 million worth of cryptocurrency in the past five weeks.

Koi CTO Idan Dardikman stated that Firefox attacks were "by far" their most profitable attack vector, accounting for the majority of the $1 million in revenue. This particular tactic involved creating fake versions of widely downloaded crypto wallets such as MetaMask, Exodus, Rabby Wallet, and TronLink. The hackers used Extension Hollowing to bypass marketplace security measures by initially uploading a benign version of the extension and then updating the application with malicious code.

The group also posts fake reviews of extensions to create a false impression of trust and reliability. Once downloaded, the malicious extensions steal wallet credentials, which are then used to steal cryptocurrency. Another primary attack vector for the group involves the distribution of nearly 500 malicious Windows executables, which are added to Russian websites that distribute pirated or repackaged software. These executables include credential stealers, ransomware, and Trojans.