Cybercrime Syndicate GreedyBear Strikes: $1M Crypto Heist Exposes DeFi Vulnerabilities

Published:
2025-08-08 06:02:17

Another day, another crypto hack—GreedyBear just joined the million-dollar club. The shadowy cybercrime group siphoned seven figures from vulnerable DeFi protocols, proving once again that 'code is law' until someone rewrites it.

How they did it: Old tricks, new targets. No zero-day exploits here—just abuse of rushed smart contracts and lazy audits. The bear market didn’t slow them down; these hackers clearly took the 'buy low' mantra to heart.

The irony? Most of the stolen funds were supposedly 'risk-managed' by institutional-grade security. Nothing says 'hedge fund due diligence' like a blockchain explorer showing your assets vanishing in real time.

Wake-up call: If you’re still treating crypto security like a compliance checkbox, you’re basically donating to hacker retirement funds. The only thing decentralized about this heist was the blame game afterward.

Fake Wallet Extensions, Malware, and Scam Sites

The group has published over 150 fake crypto wallet browser extensions on the Firefox marketplace. These copy popular wallets like MetaMask, TronLink, Exodus, and Rabby Wallet. 

At first, the extensions are harmless to pass Firefox’s review process. Once approved and trusted by users, the criminals update them with malicious code to steal wallet passwords and private keys directly from the wallet interface.
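The benign-then-malicious update pattern described above can be caught at update time by diffing what the new version is allowed to do against the version that passed review. The following is an added example, not code from the article or from any wallet project; the two manifests and the list of high-risk capabilities are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample manifests (not from any real extension): the first is the
# harmless version submitted for review, the second is what a later update could
# look like once users already trust the extension.
MANIFEST_V1 = {
    "manifest_version": 2, "name": "Example Wallet", "version": "1.0.0",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example-wallet.invalid/*"], "js": ["ui.js"]}],
}
MANIFEST_V2 = {
    "manifest_version": 2, "name": "Example Wallet", "version": "1.0.1",
    "permissions": ["storage", "tabs", "<all_urls>", "webRequest"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["ui.js", "grab.js"]}],
}

# Capabilities that let an extension read arbitrary pages or traffic, which a
# wallet UI does not need. Treat any of these appearing only in an update as a red flag.
HIGH_RISK = {"<all_urls>", "*://*/*", "tabs", "webRequest", "webRequestBlocking",
             "cookies", "clipboardRead", "nativeMessaging"}

def _perms(m: Dict) -> set:
    return set(m.get("permissions", [])) | set(m.get("host_permissions", []))

def _matches(m: Dict) -> set:
    return {p for cs in m.get("content_scripts", []) for p in cs.get("matches", [])}

def _scripts(m: Dict) -> set:
    return {s for cs in m.get("content_scripts", []) for s in cs.get("js", [])}

def audit_update(old: Dict, new: Dict) -> List[str]:
    """Report capabilities the update added that the reviewed version did not have."""
    findings = []
    for p in sorted(_perms(new) - _perms(old)):
        findings.append(f"{'HIGH' if p in HIGH_RISK else 'low'}: new permission {p}")
    for p in sorted(_matches(new) - _matches(old)):
        findings.append(f"{'HIGH' if p in HIGH_RISK else 'low'}: content script now injected on {p}")
    for s in sorted(_scripts(new) - _scripts(old)):
        findings.append(f"low: new content script file {s}")
    return findings

def is_suspicious(findings: List[str]) -> bool:
    """An update is suspicious if it gained any high-risk capability."""
    return any(f.startswith("HIGH") for f in findings)

if __name__ == "__main__":
    for line in audit_update(MANIFEST_V1, MANIFEST_V2):
        print(line)
```

The same diff can be run against the manifest of each version an extension store receives, so a permission jump between a reviewed release and its update is flagged before the update is pushed to users.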

GreedyBear has also distributed nearly 500 malware programs aimed at stealing cryptocurrency. They include password stealers such as LummaStealer that steal wallet information, and ransomware such as Luca Stealer that encrypts devices until victims make payments in crypto. Many of these malicious files are spread through Russian websites offering pirated or cracked software.

The third component is a network of imitation crypto product websites. These go beyond fake login pages: they are built to resemble genuine landing pages for digital wallets, hardware devices, or wallet repair services. In reality, they are decoys that capture sensitive data from unsuspecting visitors.

A Single Control Hub

All of these attacks are traced to a single server and IP address. It collects the stolen information, relays ransomware demands, and hosts the scam websites. Experts also believe that GreedyBear is using AI-generated code to produce new attacks at a faster rate, making them more difficult to block.

Cybersecurity experts warn this may be the “new normal” in crypto theft, urging stricter extension store security checks, more transparency from developers, and extra caution from users before installing extensions or downloading software.
