
Latest news with #cryptotheft

A Russian Hacking Group Is Using Fake Versions of MetaMask to Steal $1M in Crypto

Yahoo | Business | 13 hours ago

The Russian hacking group GreedyBear has scaled up its operations in recent months, using 150 'weaponized Firefox extensions' to target international and English-speaking victims, according to research from Koi Security.

Publishing the results of its research in a blog, U.S. and Israel-based Koi reported that the group has 'redefined industrial-scale crypto theft,' using 150 weaponized Firefox extensions, close to 500 malicious executables and 'dozens' of phishing websites to steal over $1 million within the past five weeks.

Speaking to Decrypt, Koi CTO Idan Dardikman said that the Firefox campaign is 'by far' its most lucrative attack vector, having 'gained them most of the $1 million reported by itself.'

This particular ploy involves creating fake versions of widely downloaded crypto wallets such as MetaMask, Exodus, Rabby Wallet, and TronLink. GreedyBear operatives use Extension Hollowing to bypass marketplace security measures, initially uploading non-malicious versions of the extensions before updating them with malicious code. They also post fake reviews of the extensions, giving the false impression of trust and reliability. But once downloaded, the malicious extensions steal wallet credentials, which in turn are used to steal crypto.

Not only has GreedyBear been able to steal $1 million in just over a month using this method, but it has greatly ramped up the scale of its operations: a previous campaign, active between April and July of this year, involved only 40 extensions.

The group's other primary attack method involves almost 500 malicious Windows executables, which it has added to Russian websites that distribute pirated or repacked software. Such executables include credential stealers, ransomware and trojans, which Koi Security suggests indicates 'a broad malware distribution pipeline, capable of shifting tactics as needed.'

The group has also created dozens of phishing websites that pretend to offer legitimate crypto-related services, such as digital wallets, hardware devices or wallet repair services. GreedyBear uses these websites to coax potential victims into entering personal data and wallet credentials, which it then uses to steal funds.

'It is worth mentioning that the Firefox campaign targeted more global/English-speaking victims, while the malicious executables targeted more Russian-speaking victims,' explains Idan Dardikman, speaking to Decrypt.

Despite the variety of attack methods and targets, Koi also reports that 'almost all' GreedyBear attack domains link back to a single IP address: 185.208.156.66. According to the report, this address functions as a central hub for coordination and collection, enabling GreedyBear hackers 'to streamline operations.'

Dardikman said that a single IP address 'means tight centralized control' rather than a distributed network. 'This suggests organized cybercrime rather than state sponsorship–government operations typically use distributed infrastructure to avoid single points of failure,' he added. 'Likely Russian criminal groups operating for profit, not state direction.'

Dardikman said that GreedyBear is likely to continue its operations and offered several tips for avoiding its expanding reach. 'Only install extensions from verified developers with long histories,' he said, adding that users should always avoid pirated software sites. He also recommended using only official wallet software, and not browser extensions, although he advised moving away from software wallets altogether if you're a serious long-term investor.

He said, 'Use hardware wallets for significant crypto holdings, but only buy from official manufacturer websites–GreedyBear creates fake hardware wallet sites to steal payment info and credentials.'

Arkham links $3.5bn Bitcoin theft to quiet exit of Chinese mining giant Lubian

Yahoo | Business | 03-08-2025

A previously undisclosed theft of 127,000 Bitcoin, worth $3.5 billion at the time, has been traced back to the sudden 2020 disappearance of Chinese mining pool Lubian, according to new data from blockchain analytics firm Arkham.

The hack, which Arkham says occurred on December 28, 2020, is now believed to be the largest crypto theft in history, far surpassing the $1.5 billion Bybit exploit that occurred in February. Despite draining nearly all of Lubian's holdings, the incident went entirely unreported for over four years, and neither the mining pool nor the hacker has ever acknowledged the breach.

Lubian was a top-10 mining pool at its peak, responsible for nearly 6% of global Bitcoin hash rate in mid-2020. But the pool mysteriously stopped mining in early 2021. At the time, observers chalked it up to regulatory pressure in China and Iran, where Lubian's machines were reportedly located. Arkham now suggests the shutdown was the direct result of a catastrophic breach, likely enabled by weak private key generation vulnerable to brute-force attacks.

As a last-ditch attempt, Lubian sent over 1,500 small Bitcoin transactions that included messages asking for the stolen funds to be returned. The pool also rotated what remained of its Bitcoin — roughly 11,880 coins — into recovery wallets. The hacker has yet to move the stolen coins beyond a 2024 consolidation.

Record-breaking thefts

The revelation comes amid a historic surge in crypto-related thefts. In the first half of 2025 alone, hackers stole more than $3.1 billion across web3 platforms, with $1.83 billion tied to so-called access control attacks, according to Hacken's H1 security report. These exploits often involve compromised infrastructure or admin credentials, and increasingly bypass traditional safeguards like multi-signature wallets.

With the stolen Bitcoin now worth over $14.5 billion, the attacker ranks among the largest Bitcoin holders in the world, ahead of the Mt. Gox hacker and several nation-state treasuries.

Kyle Baird is DL News' Weekend Editor. Got a tip? Email at kbaird@

Crypto kidnappings on the rise as criminals resort to "wrench attacks"

CBS News | Business | 30-05-2025

The recent case of an Italian tourist who was kidnapped in New York City and tortured by people allegedly after his cryptocurrency is drawing attention to a rash of crimes dubbed "wrench attacks," which combine cybertheft with old-fashioned thuggery.

The term stems from an XKCD comic that depicts a "crypto nerd's imagination" of the tech know-how that would be required to break into their digital wallet. In reality, the comic notes, all it would take is a heavy $5 wrench to threaten the crypto owner until they revealed their account password.

Such attacks have picked up in recent months, partly because stealing a digital wallet can be easier than stealing money from a traditional bank account, said Ari Redbord, global head of policy and government affairs at TRM Labs, a crypto tracing firm. On top of that, the value of bitcoin has surged in recent months, making people with crypto holdings potentially lucrative targets for criminals.

"Criminals go to where the money is, and we're seeing a huge rise in the price of bitcoin," Redbord said. "Before, you needed sophisticated cyber capabilities to hack someone, but now you can be a violent criminal who can beat [the password] out of someone." He added, "I don't think I've ever been as taken aback by this type of illicit activity in crypto."

The crypto world also has a culture of flaunting wealth via social media posts or appearances at crypto conferences, which allows criminals to easily identify potential targets.

Bitcoin traded Friday at nearly $105,000 per token, according to CoinDesk — about 53% higher than a year ago. The digital currency has soared partly as people seek alternatives to traditional investments like stocks and bonds, and as the Trump administration takes steps to promote the use of cryptocurrencies, including establishing a "strategic crypto reserve."

How to crack a wallet

Cryptocurrency thefts aren't new, but they've typically involved hacking, such as a massive 2022 hack at crypto exchange Binance in which thieves initially stole $570 million, as well as multiple hacks by entities the United Nations found were linked to North Korea. In response to such threats, crypto owners often try to keep their private keys off the internet and stored in what are called "cold wallets." When used properly, such wallets can defeat even the most sophisticated and determined hackers.

But criminals have realized they don't need any technical skills to steal crypto assets, Redbord said. All it takes is gaining access to a person's crypto account password, because there's no third-party financial institution standing in the way of accessing funds held in a digital wallet, he explained. Transactions on the blockchain, the technology that powers cryptocurrencies, are permanent. And unlike cash, jewelry, gold or other items of value, thieves don't need to carry around stolen crypto. With a few clicks, huge amounts of wealth can be transferred from one address to another.

NYC crypto kidnapping

The case in New York City is somewhat unusual because it involves crypto investors allegedly trying to steal the assets of another investor, Redbord said. In that case, investors John Woeltz, 37, and William Duplessie, 33, face charges of kidnapping, assault and unlawful imprisonment of the Italian tourist in an effort to steal his digital wallet containing bitcoin worth millions of dollars.

Court papers allege that the pair held the unidentified 28-year-old victim for weeks in an apartment in New York City's fashionable Soho neighborhood. After the victim was abducted, he was shocked with electric wires, his leg was cut with a saw and he was forced to smoke crack cocaine, prosecutors allege. Items including a photo of a gun held to the Italian tourist's head were found in the apartment by investigators.

Two New York City police detectives had been working security for the accused kidnappers, CBS News New York has reported. The detectives have been placed on desk duty as police investigate.

Photo: William Duplessie, who along with John Woeltz is accused of kidnapping an Italian tourist to steal his cryptocurrency holdings, is escorted out of the New York Police 13th Precinct after turning himself in on charges of kidnapping and false imprisonment, Tuesday, May 27, 2025, in New York. (Yuki Iwamura / AP)

Such incidents have also occurred with increasing frequency in Europe and Asia. Several cases in France have mirrored the New York City attack, with French police arresting 20 people following several alleged kidnapping plots involving crypto investors and their families, the BBC reported earlier this week. In one case, a gang allegedly tried to kidnap the daughter and young grandson of a cryptocurrency company executive in Paris, while earlier this month the father of a crypto millionaire was rescued by police in Paris after he was kidnapped and held for ransom.

Aside from keeping a lower profile, crypto investors can take other steps to make it tougher for criminals, Redbord said. One option is to require permissions from several people to access a wallet, for instance. In the meantime, criminals are taking note and may be pursuing similar crimes, he added. "They are seeing successes and trying to replicate these successes," Redbord said.

contributed to this report.
