A Russian Hacking Group Is Using Fake Versions of MetaMask to Steal $1M in Crypto

The Russian hacking group GreedyBear has scaled up its operations in latest months, utilizing 150 “weaponized Firefox extensions” to focus on worldwide and English-speaking victims, in accordance with analysis from Koi Safety.

Publishing the outcomes of its analysis in a weblog, U.S. and Israel-based Koi reported that the group has “redefined industrial-scale crypto theft,” utilizing 150 weaponized Firefox extensions, near 500 malicious executables and “dozens” of phishing web sites to steal over $1 million inside the previous 5 weeks.

Chatting with Decrypt, Koi CTO Idan Dardikman mentioned that the Firefox marketing campaign is “by far” its most profitable assault vector, having “gained them a lot of the $1 million reported by itself.”

This specific ploy entails creating faux variations of broadly downloaded crypto wallets corresponding to MetaMask, Exodus, Rabby Pockets, and TronLink.



GreedyBear operatives use Extension Hollowing to bypass market safety measures, initially importing non-malicious variations of the extensions, earlier than updating the apps with malicious code.

In addition they submit faux critiques of the extensions, giving the misunderstanding of belief and reliability.

However as soon as downloaded, the malicious extensions steal pockets credentials, which in flip are used to steal crypto

Not solely has GreedyBear been in a position to steal $1 million in simply over a month utilizing this technique, however they’ve vastly ramped up the size of their operations, with a earlier marketing campaign–energetic between April and July of this 12 months–involving solely 40 extensions.

The group’s different main assault technique entails nearly 500 malicious Home windows executables, which it has added to Russian web sites that distribute pirated or repacked software program.

Such executables embrace credential stealers, ransomware software program and trojans, which Koi Safety suggests signifies“a broad malware distribution pipeline, able to shifting ways as wanted.”

The group has additionally created dozens of phishing web sites, which fake to supply professional crypto-related providers, corresponding to  digital wallets, {hardware} gadgets or pockets restore providers.

GreedyBear makes use of these web sites to coax potential victims into coming into private knowledge and pockets credentials, which it then makes use of to steal funds.

“It’s price mentioning that the Firefox marketing campaign focused extra international/English-speaking victims, whereas the malicious executables focused extra Russian-speaking victims,” explains Idan Dardikman, talking to Decrypt.

Regardless of the number of assault strategies and of targets, Koi additionally experiences that “nearly all” GreedyBear assault domains hyperlink again to a single IP handle: 185.208.156.66.

In keeping with the report, this handle features as a central hub for coordination and assortment, enabling GreedyBear hackers “to streamline operations.”

Dardikman saidthat a single IP handle “means tight centralized management” reasonably than a distributed community.

“This means organized cybercrime reasonably than state sponsorship–authorities operations usually use distributed infrastructure to keep away from single factors of failure,” he added. “Possible Russian felony teams working for revenue, not state route.”

Dardikman mentioned that GreedyBear is prone to proceed its operations and supplied a number of suggestions for avoiding their increasing attain.

“Solely set up extensions from verified builders with lengthy histories,” he mentioned, including that customers ought to at all times keep away from pirated software program websites.

He additionally advisable utilizing solely official pockets software program, and never browser extensions, though he suggested transferring away from software program wallets if you happen to’re a critical long-term investor.

He mentioned, “Use {hardware} wallets for important crypto holdings, however solely purchase from official producer web sites–GreedyBear creates faux {hardware} pockets websites to steal cost data and credentials.”