A large-scale network of malicious programs, browser extensions, and websites controlled by a group of scammers has been uncovered

The scammers’ corporation: how a global network of malicious applications is built

08.08.2025


Scammers use every opportunity to maximize their profits. They form teams, delegate authority, and create entire networks of malicious projects. GetBlock AML Research reveals the structure of one of the largest fraudulent networks, which used malware, browser extensions, and fake websites to steal cryptocurrencies.

The bear’s lair

The recently discovered group of scammers has been named GreedyBear by security researchers. It attracted increased attention by stealing digital assets on an industrial scale.

In a short period, the GreedyBear group created more than 500 malicious .exe files (viruses), over 150 fake browser extensions, and dozens of phishing sites that purported to provide cryptocurrency-related services. According to preliminary estimates, the scammers have already managed to steal assets worth approximately $1 million.

Fake crypto wallets

GreedyBear created more than 150 malicious extensions for the Firefox browser that mimicked popular crypto wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet. The scammers devised a strategy that allowed them to pass the browser's extension review process.

Malicious crypto wallet page

The attackers created new developer accounts in the Firefox add-on marketplace. They then published five or six entirely legitimate extensions, such as tools for downloading videos from YouTube or for shortening links. These extensions then accumulated hundreds of positive user reviews, building up the accounts' reputation. Only after that did the scammers publish the fake crypto wallets under the same accounts.

Fake programs

GreedyBear was also involved in distributing Trojans disguised as software. The group created more than 500 malicious executable files that were bundled into cracked ("hacked") programs distributed via torrent trackers.

Malicious distribution on one of the torrent trackers

Fake services

GreedyBear also operates in a third area: stealing cryptocurrency through fake cryptocurrency services. The group builds websites that imitate various cryptocurrency-related services. For example, one such fraudulent website promoted a service for repairing broken Trezor crypto wallets.

Fraudulent website for repairing Trezor wallets

In addition to stealing cryptocurrency, malicious websites were also used to collect personal and payment data about potential victims.

What they have in common

All of the above-mentioned projects were organized using the same infrastructure. A single server, 185.208.156.66, was used to control Trojans, malicious Firefox extensions, and fake websites.

Graph of the server’s connections to all detected malicious elements

One server controlled all the malicious software and also collected data about victims and potential victims.
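The graph above is an example of infrastructure pivoting: artifacts that look unrelated (extensions, executables, websites) are linked by the server they contact. The following Python script is an added example, not code from the article or from GetBlock AML Research, showing how a defender can reproduce that pivot from their own telemetry and then use the pivot host to flag proxy log lines. The only value taken from the article is the IP 185.208.156.66; every artifact name, the list of "shared benign" hosts, and the log lines are constructed for illustration.

```python
"""Infrastructure pivoting over constructed telemetry.

Added example (not part of the GetBlock article). Only 185.208.156.66
comes from the article; artifact names, hosts and log lines are made up.
"""
from collections import defaultdict
import re

# Constructed: each observed artifact mapped to the hosts it contacted.
ARTIFACTS = {
    "wallet-ext-A (Firefox extension)": {"185.208.156.66", "cdn.example.net"},
    "wallet-ext-B (Firefox extension)": {"185.208.156.66"},
    "setup_cracked.exe (torrent)": {"185.208.156.66", "update.example.org"},
    "trezor-repair site": {"185.208.156.66"},
    "unrelated-tool.exe": {"mirror.example.com"},
    "benign-extension": {"cdn.example.net"},
}

# Constructed: hosts too generic to pivot on (CDNs, update mirrors, etc.).
# Pivoting on these would wrongly pull benign software into the cluster.
SHARED_BENIGN = frozenset({"cdn.example.net"})


def cluster_by_infrastructure(artifacts, ignore=frozenset()):
    """Group artifacts that share at least one non-ignored host.

    Uses union-find so that chains (A shares host with B, B with C)
    collapse into one cluster. Returns clusters sorted largest first.
    """
    parent = {a: a for a in artifacts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # host -> first artifact that contacted it
    for art, hosts in artifacts.items():
        for host in hosts - set(ignore):
            if host in first_seen:
                union(art, first_seen[host])
            else:
                first_seen[host] = art

    clusters = defaultdict(set)
    for art in artifacts:
        clusters[find(art)].add(art)
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)


def pivot_hosts(artifacts, ignore=frozenset(), min_artifacts=2):
    """Return hosts contacted by at least `min_artifacts` distinct artifacts."""
    seen_by = defaultdict(set)
    for art, hosts in artifacts.items():
        for host in hosts - set(ignore):
            seen_by[host].add(art)
    return {h: sorted(a) for h, a in seen_by.items() if len(a) >= min_artifacts}


# Constructed proxy log lines (Squid-like layout, not real traffic).
LOG_LINES = [
    "1723100000.101 ws01 TCP_MISS/200 512 GET http://185.208.156.66/api/collect - DIRECT",
    "1723100000.205 ws02 TCP_HIT/200 2048 GET https://cdn.example.net/lib.js - DIRECT",
    "1723100000.310 ws03 TCP_MISS/200 733 GET https://mirror.example.com/index.html - DIRECT",
]
HOST_RE = re.compile(r"https?://([^/:\s]+)")


def flag_log_lines(lines, hosts):
    """Return log lines whose request host is one of the pivot hosts."""
    hits = []
    for line in lines:
        match = HOST_RE.search(line)
        if match and match.group(1) in hosts:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for cluster in cluster_by_infrastructure(ARTIFACTS, SHARED_BENIGN):
        print("cluster:", cluster)
    pivots = pivot_hosts(ARTIFACTS, SHARED_BENIGN)
    print("pivot hosts:", pivots)
    for hit in flag_log_lines(LOG_LINES, set(pivots)):
        print("FLAGGED:", hit)
```

With the shared CDN host excluded, the four GreedyBear-style artifacts fall into one cluster and the benign extension stays separate; drop the exclusion list and the CDN pulls the benign extension into the same cluster, which is the usual false-positive trap when pivoting on common infrastructure. The pivot host set is then a small, high-confidence allow-list of indicators to match against proxy or firewall logs.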
