
$1M Stolen in 'Industrial-Scale Crypto Theft' Using AI-Generated Code

(Sunday August 10, 2025 @10:07PM (EditorDavid) from the street-finds-its-own-uses dept.)


"What happens when cybercriminals stop thinking small and start thinking like a Fortune 500 company?" asks a blog post from Koi Security [1]. "You get GreedyBear, the attack group that just redefined industrial-scale crypto theft."

"150 weaponized Firefox extensions [impersonating popular cryptocurrency wallets like MetaMask and TronLink]. Nearly 500 malicious executables. Dozens of phishing websites. One coordinated attack infrastructure. According to user reports, over $1 million stolen."

> They upload 5-7 innocuous-looking extensions like link sanitizers, YouTube downloaders, and other common utilities with no actual functionality... They post dozens of fake positive reviews for these generic extensions to build credibility. After establishing trust, they "hollow out" the extensions — changing names, icons, and injecting malicious code while keeping the positive review history. This approach allows GreedyBear to bypass marketplace security by appearing legitimate during the initial review process, then weaponizing established extensions that already have user trust and positive ratings. The weaponized extensions capture wallet credentials directly from user input fields within the extension's own popup interface, and exfiltrate them to a remote server controlled by the group...

>

> Alongside malware and extensions, the threat group has also launched a network of scam websites posing as crypto-related products and services. These aren't typical phishing pages mimicking login portals — instead, they appear as slick, fake product landing pages advertising digital wallets, hardware devices, or wallet repair services... While these sites vary in design, their purpose appears to be the same: to deceive users into entering personal information, wallet credentials, or payment details — possibly resulting in credential theft, credit card fraud, or both. Some of these domains are active and fully functional, while others may be staged for future activation or targeted scams...

>

> A striking aspect of the campaign is its infrastructure consolidation: Almost all domains — across extensions, EXE payloads, and phishing sites — resolve to a single IP address: 185.208.156.66 — this server acts as a central hub for command-and-control, credential collection, ransomware coordination, and scam websites, allowing the attackers to streamline operations across multiple channels... Our analysis of the campaign's code shows clear signs of AI-generated artifacts. This makes it faster and easier than ever for attackers to scale operations, diversify payloads, and evade detection.

>

> This isn't a passing trend — it's the new normal.

The researchers believe the group "is likely testing or preparing parallel operations in other marketplaces."
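One defender-side way to act on the hollowing-out pattern described above (innocuous upload, accrued reviews, then rename and inject) is to diff each extension release against its predecessor and flag rebrands that coincide with widened permissions. This is an added example, not code from Koi Security or Slashdot; the `Version` record, its field names and the sensitive-permission list are assumptions, and the two extension histories are constructed.

```python
from dataclasses import dataclass

SENSITIVE_PERMISSIONS = {"webRequest", "<all_urls>", "clipboardRead", "nativeMessaging"}  # assumed list

@dataclass
class Version:
    """One marketplace release (assumed shape, not a real marketplace API)."""
    number: str
    name: str
    icon_hash: str
    permissions: set
    reviews_before: int  # reviews the listing had accrued before this release

def hollowing_signals(history, min_reviews=10):
    """Diff each release against its predecessor; return (version, signals) for
    rebrands or widened permissions once the listing carries min_reviews reviews."""
    signals = []
    for prev, cur in zip(history, history[1:]):
        found = []
        if cur.name != prev.name:
            found.append("name changed")
        if cur.icon_hash != prev.icon_hash:
            found.append("icon changed")
        new_perms = (cur.permissions - prev.permissions) & SENSITIVE_PERMISSIONS
        if new_perms:
            found.append("new sensitive permissions: " + ", ".join(sorted(new_perms)))
        if found and cur.reviews_before >= min_reviews:
            signals.append((cur.number, found))
    return signals

def is_suspicious(history, min_reviews=10):
    """True when one release both rebrands (name or icon) and adds a sensitive
    permission while inheriting the earlier review history."""
    for _, found in hollowing_signals(history, min_reviews):
        rebrand = any(s.endswith("changed") for s in found)
        widened = any(s.startswith("new sensitive") for s in found)
        if rebrand and widened:
            return True
    return False

# Constructed histories for illustration, not real listings
HOLLOWED = [  # utility renamed to a wallet lookalike once reviews exist
    Version("1.0", "Link Sanitizer", "a1", {"activeTab"}, 0),
    Version("1.1", "Link Sanitizer", "a1", {"activeTab"}, 12),
    Version("2.0", "MetaMask Wallet", "f9", {"activeTab", "<all_urls>", "webRequest"}, 40),
]
BENIGN = [  # plain rebrand with no new permissions
    Version("1.0", "Tab Tidy", "c3", {"tabs"}, 0),
    Version("1.1", "Tab Tidy Pro", "c4", {"tabs"}, 25),
]
```

A legitimate rebrand (BENIGN) still produces signals but is not flagged; only the combination of rebrand plus widened permissions on a listing that already has reviews trips `is_suspicious`.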



[1] https://blog.koi.security/greedy-bear-massive-crypto-wallet-attack-spans-across-multiple-vectors-3e8628831a05



This isn't a passing trend — it's the new no (Score:2)

by NobleNobbler ( 9626406 )

Want to murder myself whenever I see this AI watermark sentence structure.

It's not just cringey -- it's a character I can't even type — — — — — —

Re: (Score:2)

by test321 ( 8891681 )

I have them on my keyboard. I use them in documents and email.

mykeyboard.xkb:

key {
symbols[Group1]= [ minus, underscore, endash, emdash ],
};

My X11 initialization script does:

xkbcomp ~/mykeyboard.xkb :0.0

Re: (Score:2)

by viperidaenz ( 2515578 )

ctrl-shift-u 2014 enter

Your mileage may vary; this works on Ubuntu. Lets you enter any Unicode char.

Wow!! (Score:3, Informative)

by registrations_suck ( 1075251 )

$1M? Wow!!!

It turns out that AI is good for something after all. Who knew?

Re: (Score:1)

by Tablizer ( 95088 )

I hope the thieves paid $2m to get that $1m.

Seems in character. (Score:4, Interesting)

by fuzzyfuzzyfungus ( 1223518 )

It seems to be customary for an 'AI' thing to have at least one abjectly amateurish detail that a less trendy operation wouldn't have stooped to; so I guess hanging all that on a single C2 IP and hoping for the best is in the correct spirit.

Re: (Score:2)

by viperidaenz ( 2515578 )

At what point do old reviews not apply to updated extensions?

AI, crypto and theft in the same sentence (Score:2)

by Valgrus Thunderaxe ( 8769977 )

Here is my shocked face ---->>> ~O-o~

I'll take shoehorning AI for $2000 (Score:2)

by Currently_Defacating ( 10122078 )

This has as much to do with AI as the perpetrators' favorite foods do.

So they make browser extensions, get good reviews, then change the code to be malicious. That tactic is as old as software itself.

Prediction: Crypto regulation (Score:1)

by davidwr ( 791652 )

Between governments' desires for control and big-businesses' desires for accountability and the ability to recover from fraud, I see a gradual split in the crypto market into "more anonymous" tokens that attract the "keep the gummit outta my business" crowd (and, with it, the outright "we are doing illegal things and don't want to be caught" crowd) and the "less anonymous, more accountable" tokens where transactions can be rolled back and/or the person behind the wallet can be held accountable if it is used
