GreedyBear cyber attack overview

The GreedyBear cybercriminal operation has executed one of the largest cryptocurrency theft campaigns, stealing over $1 million using more than 650 malicious tools.


This sophisticated group employs an industrial-scale approach, utilizing over 150 weaponized Firefox extensions, nearly 500 malware executables, and numerous fraudulent websites. All operations are coordinated through a centralized command-and-control infrastructure linked to the IP address 185.208.156.66.


GreedyBear distinguishes itself by using artificial intelligence to rapidly produce diverse payloads that evade detection. They employ a technique called “Extension Hollowing”: first building legitimate-looking publisher profiles and benign extensions, then replacing the extensions’ functionality with credential-harvesting code.

Targeting popular cryptocurrency wallets like MetaMask, these malicious extensions capture user credentials directly and collect external IP addresses for tracking. The standardized exfiltration routines suggest a centralized development process, enabling rapid scaling of their operations.