
GreedyBear hackers stole $1 million in a "massive" cryptocurrency


- The attack group operated from a single server that served as the command-and-control infrastructure for its browser extensions, malware and fraudulent websites.


GreedyBear grew out of the previously identified Foxy Wallet campaign, which included 40 malicious extensions; the new findings reveal the sheer scale and coordination of cryptocurrency cybercrime.

The malicious Firefox extensions masqueraded as popular cryptocurrency wallets, including MetaMask, TronLink, Exodus and Rabby Wallet, capturing credentials directly from user input fields.

Security researchers found clear signs of AI-generated code artifacts, which give the attackers the ability to scale operations rapidly and evade detection systems.

The infrastructure also includes confirmed Chrome-extension variants and is expected to be deployed soon to Edge and other browser ecosystems beyond Firefox.

GreedyBear pioneered the "Extension Hollowing" methodology: the group created developer accounts and uploaded 5-7 innocuous extensions, such as link cleaners and YouTube downloaders, that had no real functionality.

The attackers posted dozens of fake positive reviews to build a trust rating, then repurposed the existing extensions by changing their names and icons and injecting malicious code.

This approach bypassed the marketplace's defenses at initial review while preserving the positive ratings and user trust built on each extension's legitimate history.
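As an added illustration of the hollowing pattern described above (not code from the original article or from the researchers' tooling), the following Python check diffs two versions of a WebExtension manifest.json and flags the rebrand-plus-permission-jump signature that distinguishes a hollowed listing from an ordinary version bump. The sample manifests are constructed, and the broad-permission list and the indicator threshold are assumptions.

```python
"""Heuristic check for 'extension hollowing' between two versions of a
WebExtension manifest.json: a benign placeholder that is later renamed,
re-iconed and given broad permissions plus injected scripts."""
import json

# Assumed list of permissions that let an extension read or modify
# arbitrary pages; a placeholder suddenly asking for these is a signal.
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                     "tabs", "cookies", "clipboardRead"}

def hollowing_indicators(old_manifest: dict, new_manifest: dict) -> list[str]:
    """Return human-readable indicators that the update looks like a
    rebrand-and-weaponise rather than a routine version bump."""
    indicators = []
    if old_manifest.get("name") != new_manifest.get("name"):
        indicators.append(f"name changed: {old_manifest.get('name')!r} -> "
                          f"{new_manifest.get('name')!r}")
    if old_manifest.get("icons") != new_manifest.get("icons"):
        indicators.append("icon set replaced")
    added = (set(new_manifest.get("permissions", []))
             - set(old_manifest.get("permissions", [])))
    broad = sorted(added & BROAD_PERMISSIONS)
    if broad:
        indicators.append("new broad permissions: " + ", ".join(broad))
    # Content scripts are the usual vehicle for reading wallet input fields.
    old_cs = old_manifest.get("content_scripts", [])
    new_cs = new_manifest.get("content_scripts", [])
    if new_cs and not old_cs:
        matches = sorted({m for cs in new_cs for m in cs.get("matches", [])})
        indicators.append("content scripts added for: " + ", ".join(matches))
    if "background" in new_manifest and "background" not in old_manifest:
        indicators.append("background script added")
    return indicators

def is_suspected_hollowing(old_manifest: dict, new_manifest: dict,
                           threshold: int = 3) -> bool:
    """Assumed policy: three or more indicators warrant manual review."""
    return len(hollowing_indicators(old_manifest, new_manifest)) >= threshold

# Constructed sample manifests (not the real extensions): version 1 is a
# do-nothing "link cleaner", version 2 is the same listing after hollowing.
V1 = json.loads('''{"manifest_version": 2, "name": "Tidy Link Cleaner",
  "version": "1.0", "icons": {"48": "broom.png"}, "permissions": ["activeTab"]}''')
V2 = json.loads('''{"manifest_version": 2, "name": "MetaMask Wallet",
  "version": "1.1", "icons": {"48": "fox.png"},
  "permissions": ["activeTab", "<all_urls>", "tabs", "storage"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["grab.js"]}],
  "background": {"scripts": ["bg.js"]}}''')

if __name__ == "__main__":
    for line in hollowing_indicators(V1, V2):
        print("-", line)
```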

The malicious extensions transmitted victims' IP addresses during initialization, intercepted wallet credentials via pop-up windows, and exfiltrated the data to remote servers.

  transscreen.ru/en/news24052

August 08, 2025 at 9:47 AM