A Russian Hacking Group Is Using Fake Versions of MetaMask to Steal $1M in Crypto



In brief

  • The Russian hacking group GreedyBear has scaled up its operations and stole $1 million in the last five weeks.
  • Koi Security reported that the group “redefined industrial-scale crypto theft”, using 150 weaponized Firefox extensions.
  • The campaign includes fake versions of widely used crypto wallets such as MetaMask, Exodus, Rabby Wallet and TronLink.

The Russian hacking group GreedyBear has scaled up its operations in recent months, using 150 “weaponized Firefox extensions” to target international and English-speaking victims, according to research from Koi Security.

Publishing the results of its research in a blog post, the US-Israeli security firm Koi reported that the group “redefined industrial-scale crypto theft”, using 150 weaponized Firefox extensions, close to 500 malicious executable files and “dozens” of phishing websites to steal over $1 million in the last five weeks.

Speaking to Decipher, Koi CTO Idan Dardikman said the Firefox campaign is “by far” the most lucrative attack vector, “accounting for the majority of the $1 million reported.”

The campaign includes fake versions of widely used crypto wallets such as MetaMask, Exodus, Rabby Wallet and TronLink.

GreedyBear operatives use extension hollowing to bypass the marketplace's security checks: they first upload non-malicious versions of an extension, then push updates that introduce the malicious code.

They also post fake reviews to give a false impression of trustworthiness and reliability.

Once installed, the malicious extensions steal wallet credentials, which are then used to drain cryptocurrency from the victims' wallets.

Not only was GreedyBear able to steal a million dollars in just over a month using this method, but the group has greatly increased the scale of its operations: its previous campaign, active between April and July this year, involved only 40 extensions.

The group's second primary attack method involves nearly 500 malicious Windows executable files, which it has seeded on Russian websites that distribute pirated or repackaged software.

These executables include credential stealers, ransomware and trojans.

The group has also created dozens of phishing websites that pretend to offer legitimate crypto services, such as digital wallets, hardware wallets, or wallet repair services.

GreedyBear uses these websites to persuade potential victims to enter personal information and wallet credentials, which it then uses to steal funds.

“It's worth noting that the Firefox campaign targeted a more global/English-speaking audience, while the malicious executables target mostly Russian-speaking victims,” Idan Dardikman explained to Decipher.

Despite the variety of attack methods and targets, Koi also reports that “almost all” of GreedyBear's domains are linked to a single IP address: 185.208.156.66.

According to the report, this address functions as the central hub for coordination and data collection, allowing GreedyBear to streamline its operations.
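The single shared IP address is the one concrete indicator of compromise the report gives, and a defender's first move with such an indicator is to sweep outbound network logs for it. The following is an added example, not code from the article or from Koi Security: it parses constructed proxy log lines (the `src=`/`dst=`/`host=`/`url=` layout is an assumed format, and every host name and internal address is invented) and flags connections to the IoC, normalising addresses through the `ipaddress` module so that, for instance, differently written IPv6 addresses compare correctly.

```python
"""Sweep proxy logs for outbound connections to a known C2/collection IP."""
import ipaddress
import re
from collections import Counter

# Indicator from the Koi Security report quoted in the article.
GREEDYBEAR_IOCS = {str(ipaddress.ip_address("185.208.156.66"))}

# Constructed sample log lines (assumed key=value proxy log format).
# Hosts and internal addresses are invented for illustration.
SAMPLE_LOG = """\
1723456789.120 src=10.0.0.12 dst=185.208.156.66 host=sitea.invalid url=/api/submit
1723456790.004 src=10.0.0.15 dst=93.184.216.34 host=example.com url=/
1723456791.330 src=10.0.0.12 dst=185.208.156.66 host=siteb.invalid url=/checkout
1723456792.501 src=10.0.0.20 dst=2606:4700:0:0:0:0:0:1111 host=sitec.invalid url=/dns-query
malformed line without the expected fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+host=(?P<host>\S+)\s+url=(?P<url>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None.

    The destination is canonicalised with ipaddress so that the IoC
    comparison does not depend on how the logger formatted the address.
    """
    match = LINE_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    try:
        record["dst"] = str(ipaddress.ip_address(record["dst"]))
    except ValueError:
        # Destination field was not an IP literal; skip rather than guess.
        return None
    return record


def find_ioc_hits(log_text, iocs=GREEDYBEAR_IOCS):
    """Return every parsed record whose destination is in the IoC set."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is not None and record["dst"] in iocs:
            hits.append(record)
    return hits


def hosts_to_triage(hits):
    """Count hits per internal source so responders know which machines to isolate first."""
    return Counter(hit["src"] for hit in hits)


if __name__ == "__main__":
    matches = find_ioc_hits(SAMPLE_LOG)
    for hit in matches:
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} ({hit['host']}{hit['url']})")
    print("sources to triage:", dict(hosts_to_triage(matches)))
```

Two hits from the same internal address is the pattern the article's account predicts: a compromised browser talking repeatedly to the collection server. An IP-only sweep is a starting point, not a verdict; the next step is pulling the browser's installed extension list and update history for the flagged machine.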

Dardikman said that a single IP address “means tight centralized control” rather than a distributed network.

“This suggests an organized cybercriminal group, not state sponsorship; government operations usually use distributed infrastructure to avoid single points of failure,” he added. “Most likely a Russian criminal group operating for profit, not under state direction.”

Dardikman said GreedyBear will probably keep operating, and offered several tips for staying out of its growing reach.

“Only install extensions from proven developers with a long history,” he said, adding that users should always avoid pirated-software sites.

He also recommended using standalone wallet software rather than browser extensions, though he advised moving away from software wallets altogether for anyone who is a serious long-term investor.

“Use hardware wallets for significant crypto holdings, but only buy them from the manufacturer's official website; GreedyBear sets up fake hardware wallet sites to steal payment data and credentials,” he said.
