
A Russian Hacking Group Is Using Fake Versions of MetaMask to Steal $1M in Crypto

by Catatonic Times
August 10, 2025
in Web3



In brief

Russian hacking group GreedyBear has scaled up its operations and stolen $1 million within the past five weeks.
Koi Security reported that the group has “redefined industrial-scale crypto theft,” using 150 weaponized Firefox extensions.
This particular ploy involves creating fake versions of widely downloaded crypto wallets such as MetaMask, Exodus, Rabby Wallet and TronLink.

The Russian hacking group GreedyBear has scaled up its operations in recent months, using 150 “weaponized Firefox extensions” to target international and English-speaking victims, according to research from Koi Security.

Publishing the results of its research in a blog, U.S. and Israel-based Koi reported that the group has “redefined industrial-scale crypto theft,” using 150 weaponized Firefox extensions, close to 500 malicious executables and “dozens” of phishing websites to steal over $1 million within the past five weeks.

Speaking with Decrypt, Koi CTO Idan Dardikman said that the Firefox campaign is “by far” its most successful attack vector, having “gained them a lot of the $1 million reported by itself.”

This particular ploy involves creating fake versions of widely downloaded crypto wallets such as MetaMask, Exodus, Rabby Wallet, and TronLink.



GreedyBear operatives use Extension Hollowing to bypass marketplace security measures, initially uploading non-malicious versions of the extensions before updating the apps with malicious code.

They also post fake reviews of the extensions, giving the false impression of trust and reliability.

But once downloaded, the malicious extensions steal wallet credentials, which in turn are used to steal crypto.

Not only has GreedyBear been able to steal $1 million in just over a month using this method, but they’ve greatly ramped up the scale of their operations, with a previous campaign (active between April and July of this year) involving only 40 extensions.

The group’s other primary attack method involves almost 500 malicious Windows executables, which it has added to Russian websites that distribute pirated or repacked software.

Such executables include credential stealers, ransomware software and trojans, which Koi Security suggests indicates “a broad malware distribution pipeline, capable of shifting tactics as needed.”

The group has also created dozens of phishing websites, which pretend to offer legitimate crypto-related services, such as digital wallets, hardware devices or wallet repair services.

GreedyBear uses these websites to coax potential victims into entering personal data and wallet credentials, which it then uses to steal funds.

“It’s worth mentioning that the Firefox campaign targeted more global/English-speaking victims, while the malicious executables targeted more Russian-speaking victims,” explains Idan Dardikman, speaking with Decrypt.

Despite the variety of attack methods and of targets, Koi also reports that “almost all” GreedyBear attack domains link back to a single IP address: 185.208.156.66.

According to the report, this address functions as a central hub for coordination and collection, enabling GreedyBear hackers “to streamline operations.”
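A defender-side review of the update pattern and the shared IP address described above, as an added example that is not code from Koi Security or from this article: it diffs two unpacked versions of one extension and reports files and remote hosts that first appear in the update, marking any host that resolves to the reported address. The function names, the "Sample Wallet" files, the host collector.example and the DNS mapping are all constructed for illustration.

```python
import hashlib
import re

HUB_IP = "185.208.156.66"  # the single IP address quoted in the article
HOST_RE = re.compile(r"(?:https?|wss?)://([A-Za-z0-9.-]+)")


def remote_hosts(files):
    """Collect every host named in a URL anywhere in one version's files."""
    hosts = set()
    for text in files.values():
        hosts.update(h.lower() for h in HOST_RE.findall(text))
    return hosts


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def review_update(old, new, resolutions):
    """Diff two versions (path -> contents); resolutions maps host -> IP."""
    new_hosts = sorted(remote_hosts(new) - remote_hosts(old))
    return {
        "added_files": sorted(p for p in new if p not in old),
        "changed_files": sorted(
            p for p in new if p in old and sha256(new[p]) != sha256(old[p])
        ),
        "new_hosts": new_hosts,
        "hub_hosts": [
            h for h in new_hosts if HUB_IP in (h, resolutions.get(h))
        ],
    }


# Constructed sample data: a clean first release, a later update that adds a
# script talking to a new host, and a made-up DNS answer for that host.
V1 = {
    "manifest.json": '{"name": "Sample Wallet", "version": "1.0.0"}',
    "popup.js": "document.title = 'Sample Wallet';",
}
V2 = {
    "manifest.json": '{"name": "Sample Wallet", "version": "1.0.1"}',
    "popup.js": "document.title = 'Sample Wallet';",
    "collect.js": "fetch('https://collector.example/submit');",
}
RESOLUTIONS = {"collector.example": HUB_IP}

if __name__ == "__main__":
    print(review_update(V1, V2, RESOLUTIONS))
```

An update that introduces a new remote host after a clean first release is the signal worth a manual look; the IP match only adds confidence when the reviewer's own DNS data ties that host to the reported address.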

Dardikman said that a single IP address “means tight centralized control” rather than a distributed network.

“This means organized cybercrime rather than state sponsorship – government operations sometimes use distributed infrastructure to avoid single points of failure,” he added. “Probably Russian criminal groups working for profit, not state direction.”

Dardikman said that GreedyBear is likely to continue its operations and offered several recommendations for avoiding their expanding reach.

“Only install extensions from verified developers with long histories,” he said, adding that users should always avoid pirated software sites.

He also recommended using only official wallet software, and not browser extensions, though he advised moving away from software wallets if you’re a serious long-term investor.

He said, “Use hardware wallets for significant crypto holdings, but only buy from official manufacturer websites – GreedyBear creates fake hardware wallet sites to steal payment information and credentials.”
