$1M Stolen in 'Industrial-Scale Crypto Theft' Using AI-Generated Code
"What happens when cybercriminals stop thinking small and start thinking like a Fortune 500 company?" asks a blog post from Koi Security. "You get GreedyBear, the attack group that just redefined industrial-scale crypto theft."
"150 weaponized Firefox extensions [impersonating popular cryptocurrency wallets like MetaMask and TronLink]. Nearly 500 malicious executables. Dozens of phishing websites. One coordinated attack infrastructure. According to user reports, over $1 million stolen." They upload 5-7 innocuous-looking extensions like link sanitizers, YouTube downloaders, and other common utilities with no actual functionality... They post dozens of fake positive reviews for these generic extensions to build credibility. After establishing trust, they "hollow out" the extensions — changing names, icons, and injecting malicious code while keeping the positive review history. This approach allows GreedyBear to bypass marketplace security by appearing legitimate during the initial review process, then weaponizing established extensions that already have user trust and positive ratings. The weaponized extensions capture wallet credentials directly from user input fields within the extension's own popup interface, and exfiltrate them to a remote server controlled by the group...
Alongside malware and extensions, the threat group has also launched a network of scam websites posing as crypto-related products and services. These aren't typical phishing pages mimicking login portals — instead, they appear as slick, fake product landing pages advertising digital wallets, hardware devices, or wallet repair services... While these sites vary in design, their purpose appears to be the same: to deceive users into entering personal information, wallet credentials, or payment details — possibly resulting in credential theft, credit card fraud, or both. Some of these domains are active and fully functional, while others may be staged for future activation or targeted scams...
A striking aspect of the campaign is its infrastructure consolidation: Almost all domains — across extensions, EXE payloads, and phishing sites — resolve to a single IP address: 185.208.156.66 — this server acts as a central hub for command-and-control, credential collection, ransomware coordination, and scam websites, allowing the attackers to streamline operations across multiple channels... Our analysis of the campaign's code shows clear signs of AI-generated artifacts. This makes it faster and easier than ever for attackers to scale operations, diversify payloads, and evade detection.
This isn't a passing trend — it's the new normal.
The researchers believe the group "is likely testing or preparing parallel operations in other marketplaces."
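One check that a marketplace reviewer, or a user's own audit tooling, can run against the "hollowing" pattern described above: diff the manifest.json of two consecutive versions of an extension and flag an identity rewrite (name, description, icon) that arrives together with new host access, new risky permissions, or new script files. This is an added example written for this page; it is not Koi Security's tooling and not code from the campaign. The two manifests are constructed for illustration, and the list of "risky" permissions and the two-signal rule in is_hollowed() are my own assumptions.

```python
"""Flag 'hollowed' extension updates by diffing two manifest.json versions.

Added example for this page (not Koi Security's code). The manifests below
are constructed samples, not real extension data.
"""
import json

# Fields that identify the extension to users; a rewrite of these while the
# review history carries over is the core of the hollowing trick.
IDENTITY_KEYS = ("name", "description", "icons", "browser_action", "action")

# API permissions whose sudden appearance deserves a second look (assumption:
# this list is my own, not a marketplace policy).
RISKY_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "tabs", "cookies",
    "clipboardRead", "nativeMessaging", "downloads", "history",
}

# Constructed sample: a benign-looking utility (version 1) ...
OLD_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Link Sanitizer",
  "version": "1.0.3",
  "description": "Removes tracking parameters from links",
  "icons": {"48": "icons/broom.png"},
  "permissions": ["activeTab"],
  "browser_action": {"default_popup": "popup.html"}
}
""")

# ... and the same extension ID after it has been hollowed out (version 2).
NEW_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "MetaMask Wallet",
  "version": "1.1.0",
  "description": "Ethereum wallet",
  "icons": {"48": "icons/fox.png"},
  "permissions": ["activeTab", "storage", "https://*/*"],
  "browser_action": {"default_popup": "popup.html"},
  "background": {"scripts": ["bg.js"]}
}
""")


def _host_permissions(manifest):
    """Host patterns from MV2 'permissions' and MV3 'host_permissions'."""
    hosts = set()
    for key in ("permissions", "host_permissions"):
        for p in manifest.get(key, []):
            if "://" in p or p == "<all_urls>":
                hosts.add(p)
    return hosts


def _api_permissions(manifest):
    """Non-host entries of 'permissions' (e.g. tabs, storage)."""
    return {p for p in manifest.get("permissions", [])
            if "://" not in p and p != "<all_urls>"}


def _scripts(manifest):
    """Every background / content script file the manifest loads."""
    files = set()
    bg = manifest.get("background", {})
    files.update(bg.get("scripts", []))
    if "service_worker" in bg:
        files.add(bg["service_worker"])
    for cs in manifest.get("content_scripts", []):
        files.update(cs.get("js", []))
    return files


def hollowing_indicators(old, new):
    """Return (category, detail) pairs describing suspicious changes old -> new."""
    findings = []
    for key in IDENTITY_KEYS:
        if key in (old.keys() | new.keys()) and old.get(key) != new.get(key):
            findings.append(("identity", f"{key}: {old.get(key)!r} -> {new.get(key)!r}"))
    new_hosts = _host_permissions(new) - _host_permissions(old)
    if new_hosts:
        findings.append(("hosts", "new host access: " + ", ".join(sorted(new_hosts))))
    risky = (_api_permissions(new) - _api_permissions(old)) & RISKY_PERMISSIONS
    if risky:
        findings.append(("permissions", "new risky permissions: " + ", ".join(sorted(risky))))
    new_scripts = _scripts(new) - _scripts(old)
    if new_scripts:
        findings.append(("scripts", "new script files: " + ", ".join(sorted(new_scripts))))
    return findings


def is_hollowed(old, new):
    """Heuristic (assumption): identity rewritten AND new reach in the same update."""
    cats = {c for c, _ in hollowing_indicators(old, new)}
    return "identity" in cats and bool(cats & {"hosts", "permissions", "scripts"})


if __name__ == "__main__":
    for cat, detail in hollowing_indicators(OLD_MANIFEST, NEW_MANIFEST):
        print(f"[{cat}] {detail}")
    print("hollowed:", is_hollowed(OLD_MANIFEST, NEW_MANIFEST))
```

A plain permission diff would miss this campaign's quieter variants, which is why the rule pairs an identity change with a reach change: a name or icon swap alone is what a legitimate rebrand looks like, and a new permission alone is what a legitimate feature looks like, but both landing in one update on an extension whose reviews predate the rewrite is the pattern the Koi Security post describes.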
This isn't a passing trend — it's the new no (Score:2)
Want to murder myself whenever I see this AI watermark sentence structure.
It's not just cringey -- it's a character I can't even type — — — — — —
Re: (Score:3)
I have them on my keyboard. I use them in documents and email.
mykeyboard.xkb:
    // keycode name was lost from the page; on a US layout the minus key is <AE11>
    key {
        symbols[Group1] = [ minus, underscore, endash, emdash ]
    };
My X11 initialization script does:
    xkbcomp ~/mykeyboard.xkb :0.0
Re: (Score:2)
ctrl-shift-u 2014 enter
—
Your mileage may vary; this works on Ubuntu. Lets you enter any Unicode char.
Re:This isn't a passing trend — it's the new (Score:2)
Text can have all sorts of characters that you normally can't type directly on the keyboard. Many text editors will use autocorrect or autoformat to substitute typed characters with typographical characters like curly quotes or em dashes.
Type " on many iPhones and you get “ or ”
Type -- using some text editors and get —
Type n~ or e' and some text editors will replace with ñ and é
Just because an article contains a character that you normally don't use doesn't make it an AI gene
Re: (Score:2)
On a Mac with the US keyboard layout, em dash is Option-Shift-hyphen and has been for over thirty years now. Word/Outlook/etc. automatically replace two consecutive hyphens with an em dash. On Samsung and Apple phones, you can get an em dash by long pressing on the hyphen.
Wow!! (Score:4, Funny)
$1M? Wow!!!
It turns out that AI is good for something after all. Who knew?
Re: (Score:3, Funny)
I hope the thieves paid $2m to get that $1m.
Re: (Score:2)
We did through electricity rate increases.
Re: (Score:2)
I'm kicking myself for dismissing crypto(currency) as a scam in 2011 when that's all that's left now.
Anyone holding like 100+ BTC should try to buy gold options with it and take physical delivery. That's what I'd do.
Re: (Score:2)
Re:Wow!! (Score:1)
US gold ownership restrictions? Really?
Keep in mind that in the US, the amount of gold you own can be restricted
As far as I know, there are no current quantity limits on gold ownership in the United States. There were heavy restrictions from the Depression through the 1970s (Executive Order 6102 [wikipedia.org] and references therein). If I'm wrong, please reply and include good sources to back the claim.
As far as a future law restricting gold ownership, sure, that could happen, but that applies to just about any commodity and in just about any country.
Re: (Score:2)
In the U.S. there is no limit to the amount of gold you may legally own or possess.
Re: (Score:2)
As far as I know, there are no current quantity limits on gold ownership in the United States.
I didn't say there were.
I said:
Keep in mind that in the US, the amount of gold you own can be restricted, and the excess seized by the Government (with compensation, of course)
Clearer, now?
As far as a future law restricting gold ownership, sure, that could happen, but that applies to just about any commodity and in just about any country.
Sure, except the US has limited and seized gold. It has not done the same with lead.
Re: (Score:1)
Sure, except the US has limited and seized gold. It has not done the same with lead.
If lead were designated a scarce material [cornell.edu] or if it were to fall under the Defense Production Act [lacriminal...torney.com] the government might very well limit how much you can have.
Barring some undiscovered use for it, I don't see lead ever falling under these categories. But it's not out of the question for other non-precious-metal commodities. I wouldn't be surprised if helium and other strategic-but-very-limited-supply items weren't put on a "no hoarding" list in the next few decades.
Re: (Score:2)
If lead were designated a scarce material [cornell.edu] or if it were to fall under the Defense Production Act [lacriminal...torney.com] the government might very well limit how much you can have.
Indeed.
I'm not the one who said:
but that applies to just about any commodity and in just about any country.
Barring some undiscovered use for it, I don't see lead ever falling under these categories. But it's not out of the question for other non-precious-metal commodities. I wouldn't be surprised if helium and other strategic-but-very-limited-supply items weren't put on a "no hoarding" list in the next few decades.
Mmhmm.
Not just no hoarding- every US citizen was ordered to surrender it to their nearest Federal Reserve bank, with up to 10 year jail penalties for noncompliance.
You also missed a couple of the acts used to justify that action- but we're flying the same route here- the US can, and will, take your gold away in the case of an economic collapse. Using it as a wealth hoard is not the wise move some think it is.
Re: (Score:1)
I agree that it can, but not that it will. Why not? There's simply no reason to do so, and it's very unlikely there will be any reason to do so in the coming decades.
There are some key difference between 1933 and today:
* Through 1932, gold coins actually contained about a dollar's worth of gold, maybe a little less.
* From the end of WWI until 1933, the United States was on the gold standard. If it wanted to devalue the currency with respect to gold, it made sense to regulate the ownership of gold. Today
Re: (Score:2)
I agree that it can, but not that it will. Why not? There's simply no reason to do so, and it's very unlikely there will be any reason to do so in the coming decades.
Oh- I sincerely doubt it will too. Actually that doesn't even do my feelings on the matter justice. I'd suck my own dick if it happened.
There are some key difference between 1933 and today:
... snip ...
No disagreement with any of those.
About the only reason I can think of that the government would think it's worthwhile to regulate ownership of gold was if hoarding was causing actual shortages for industrial use. I don't see that happening any time soon with gold. I do see it possibly happening in the next 20 years with some other minerals, but not gold.
Industrial? no.
Hoarding just has to have a material impact on the economy.
i.e., one would expect it only in the case where the monetary system were collapsing and in its death throes were being thrown at gold as fast as possible (of course increasing the depth of the spiral)
Situations like this are precisely why some people
Re: (Score:2)
You should put that thought back in your ass where it came from.
Re: (Score:2)
You must talk to yourself a lot.
That EO went out of effect a long time ago. It no longer applies, and hasn't for quite some time.
Re: (Score:2)
Keep in mind that in the US, the amount of gold you own can be restricted, and the excess seized by the Government (with compensation, of course)
Would you like me to explain to you what "can be" means?
Re: (Score:2)
No, but you can look in the mirror and call yourself a dipshit. That would be great, thanks.
Re: (Score:2)
Would it make you feel better if I called myself a dipshit? Would you forget that you're illiterate?
Anything for you, little buddy.
Re: (Score:2)
I probably can't reach that limit by panning alone, unless my panning operation just hasn't panned out yet.
Re: (Score:2)
But there has been in the past, and indeed, all US citizens have been ordered to surrender their gold to the Government, and it was enforced.
To be fair- I don't know if that applied to Panner Jim's vial (I have a quarter vial I panned over the course of ~10 years in my youth).
My reading of it says our panned gold is probably ok
Seems in character. (Score:4, Interesting)
Re: (Score:2)
At what point do old reviews not apply to updated extensions?
AI, crypto and theft in the same sentence (Score:2)
I'll take shoehorning AI for $2000 (Score:3)
so they make browser extensions, get good reviews then change the code to be malicious. That tactic as old as software itself.
Prediction: Crypto regulation (Score:2)
Between governments' desires for control and big-businesses' desires for accountability and the ability to recover from fraud, I see a gradual split in the crypto market into "more anonymous" tokens that attract the "keep the gummit outta my business" crowd (and, with it, the outright "we are doing illegal things and don't want to be caught" crowd) and the "less anonymous, more accountable" tokens where transactions can be rolled back and/or the person behind the wallet can be held accountable if it is used
About 6 hr of Riot Platform's Corsicana, TX DC (Score:2)
In other news, Texas will vote on this new concept called "zoning laws", but only if the mayor doesn't get a fat envelope with this month's $upport.
Speaking as someone from Texas, I wouldn't hold my breath because the poors have absolutely zero rights.
This isn't an AI story (Score:2)
Fair game (Score:2)
When some other criminals step in that are smaller idiots, well, that's where the money flows to.