AT2k Design BBS Message Area
Area: Slashdot (Local Database, message 55 of 116, RSS)
From: VRSS
To: All
Subject: $1M Stolen in 'Industrial-Scale Crypto Theft' Using AI-Generated Code
Date/Time: August 10, 2025 8:00 PM

Feed: Slashdot
Feed Link: https://slashdot.org/
---

Title: $1M Stolen in 'Industrial-Scale Crypto Theft' Using AI-Generated Code

Link: https://yro.slashdot.org/story/25/08/11/00372...

"What happens when cybercriminals stop thinking small and start thinking like
a Fortune 500 company?" asks a blog post from Koi Security. "You get
GreedyBear, the attack group that just redefined industrial-scale crypto
theft." "150 weaponized Firefox extensions [impersonating popular
cryptocurrency wallets like MetaMask and TronLink]. Nearly 500 malicious
executables. Dozens of phishing websites. One coordinated attack
infrastructure. According to user reports, over $1 million stolen." They
upload 5-7 innocuous-looking extensions like link sanitizers, YouTube
downloaders, and other common utilities with no actual functionality... They
post dozens of fake positive reviews for these generic extensions to build
credibility. After establishing trust, they "hollow out" the extensions -
changing names, icons, and injecting malicious code while keeping the
positive review history. This approach allows GreedyBear to bypass
marketplace security by appearing legitimate during the initial review
process, then weaponizing established extensions that already have user trust
and positive ratings. The weaponized extensions capture wallet credentials
directly from user input fields within the extension's own popup interface,
and exfiltrate them to a remote server controlled by the group... Alongside
malware and extensions, the threat group has also launched a network of scam
websites posing as crypto-related products and services. These aren't typical
phishing pages mimicking login portals - instead, they appear as slick, fake
product landing pages advertising digital wallets, hardware devices, or
wallet repair services... While these sites vary in design, their purpose
appears to be the same: to deceive users into entering personal information,
wallet credentials, or payment details - possibly resulting in credential
theft, credit card fraud, or both. Some of these domains are active and fully
functional, while others may be staged for future activation or targeted
scams... A striking aspect of the campaign is its infrastructure
consolidation: Almost all domains - across extensions, EXE payloads, and
phishing sites - resolve to a single IP address: 185.208.156.66 - this server
acts as a central hub for command-and-control, credential collection,
ransomware coordination, and scam websites, allowing the attackers to
streamline operations across multiple channels... Our analysis of the
campaign's code shows clear signs of AI-generated artifacts. This makes it
faster and easier than ever for attackers to scale operations, diversify
payloads, and evade detection. This isn't a passing trend - it's the new
normal. The researchers believe the group "is likely testing or preparing
parallel operations in other marketplaces."

