Crypto scams and regulator warnings expose new attack vectors

Last week, the financial services and fintech sectors were put on high alert by a series of sophisticated scams targeting the booming cryptocurrency space, while US regulators issued urgent warnings about critical vulnerabilities in core enterprise software. The period of August 4th to 10th was characterized by threat actors exploiting user trust in emerging platforms and leveraging weaknesses in widely used infrastructure to gain access to sensitive systems.

From malicious browser extensions draining crypto wallets to official alerts about enterprise software flaws, the week’s events paint a clear picture of an adaptive and opportunistic threat landscape. For CISOs and technology leaders, the focus must be on defending against both external attacks on infrastructure and internal threats that prey on the psychological vulnerabilities of employees and customers.

Here is the debrief of the key events you need to know.

1. “GreedyBear” Campaign Steals $1M+ via Malicious Firefox Extensions

The most brazen attack of the week involved a widespread campaign dubbed “GreedyBear,” which leveraged over 150 malicious browser extensions on the Firefox marketplace to steal more than $1 million in digital assets. First reported on August 8th, the campaign highlights a significant threat vector for the growing number of fintech users engaging with cryptocurrency.

The attackers used a clever technique called “Extension Hollowing” to bypass Mozilla’s security reviews. They would first publish an innocuous, empty extension to get it approved and listed on the marketplace. Then, after building a veneer of credibility with fake positive reviews, they would remotely update the extension to include malicious code. These extensions were designed to impersonate popular cryptocurrency wallets like MetaMask and Coinbase Wallet. When an unsuspecting user installed one of these fake extensions and tried to log into their real wallet, the malicious code would capture their credentials and seed phrases, exfiltrating them to an attacker-controlled server. This allowed the criminals to drain the victims’ accounts. The scale of this operation, which is believed to be an evolution of the earlier “Foxy Wallet” campaign, demonstrates a highly organized and profitable criminal enterprise focused squarely on the crypto space.
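The "Extension Hollowing" pattern described above means the version a marketplace reviewer approved is not the version that later runs in users' browsers. One practical check an enterprise or marketplace reviewer can apply is to diff the manifest of an update against the approved baseline and hold any update that quietly gained page-reading or traffic-interception capabilities. The following is an added example written for this article, not code from the GreedyBear research or from Mozilla; both manifests are constructed, and the `HIGH_RISK` set is an illustrative choice.

```python
"""Flag a 'hollowed' browser-extension update: one whose permissions,
host access or injected scripts grew after the approved submission.

Added example; the two manifests below are constructed, not taken from
any real extension.
"""
import json

# Constructed: the innocuous first submission that passes review.
MANIFEST_V1 = json.dumps({
    "manifest_version": 2,
    "name": "Example Wallet Helper",
    "version": "1.0",
    "permissions": ["storage"],
    "content_scripts": [],
})

# Constructed: a later update that quietly gained broad capabilities.
MANIFEST_V2 = json.dumps({
    "manifest_version": 2,
    "name": "Example Wallet Helper",
    "version": "1.1",
    "permissions": ["storage", "tabs", "<all_urls>", "webRequest"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["inject.js"]}
    ],
    "background": {"scripts": ["bg.js"]},
})

# Illustrative set of capabilities that let an extension read or alter
# pages, traffic or the clipboard (assumption: tune to your own policy).
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs",
             "clipboardRead", "nativeMessaging", "cookies"}


def _scripts(manifest):
    """Collect every script path a manifest declares."""
    paths = set()
    for cs in manifest.get("content_scripts", []):
        paths.update(cs.get("js", []))
    paths.update(manifest.get("background", {}).get("scripts", []))
    return paths


def _permissions(manifest):
    """Union of permissions and host_permissions (MV2 and MV3 keys)."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def _matches(manifest):
    """All URL patterns the manifest's content scripts inject into."""
    m = set()
    for cs in manifest.get("content_scripts", []):
        m.update(cs.get("matches", []))
    return m


def diff_manifests(old_json, new_json):
    """Return what an update gained relative to the approved version."""
    old, new = json.loads(old_json), json.loads(new_json)
    added_perms = _permissions(new) - _permissions(old)
    return {
        "added_permissions": sorted(added_perms),
        "high_risk_added": sorted(added_perms & HIGH_RISK),
        "added_content_script_matches": sorted(_matches(new) - _matches(old)),
        "added_scripts": sorted(_scripts(new) - _scripts(old)),
    }


def needs_manual_review(old_json, new_json):
    """True when an update gained high-risk permissions or new injection targets."""
    d = diff_manifests(old_json, new_json)
    return bool(d["high_risk_added"] or d["added_content_script_matches"])


if __name__ == "__main__":
    print(json.dumps(diff_manifests(MANIFEST_V1, MANIFEST_V2), indent=2))
    print("manual review required:", needs_manual_review(MANIFEST_V1, MANIFEST_V2))
```

The same comparison is worth running on the unpacked extension's actual script files (a hash of each file against the reviewed build), since an update can also change behaviour without touching the manifest; the manifest diff is the cheap first gate that catches the permission jump described in the article.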

Bob’s Analytical Point: “The GreedyBear campaign is a masterclass in exploiting trust. It doesn’t target a technical flaw in a bank’s server but a psychological flaw in the user. People have been trained to trust official marketplaces like the Firefox Add-on Store, and attackers are now poisoning that well. For fintechs in the crypto space, this is a major user education challenge. You can secure your platform perfectly, but if your user gives their credentials away to a malicious browser extension, it’s game over. This reinforces the need for hardware wallets and pushes the industry to develop more secure standards for connecting decentralized applications to user wallets, reducing reliance on browser extensions as the primary intermediary.”

2. FINRA Issues Cybersecurity Alert for Microsoft SharePoint Vulnerability

On August 5th, the US Financial Industry Regulatory Authority (FINRA) issued a direct and urgent cybersecurity alert to its member firms regarding a critical vulnerability in Microsoft SharePoint. This was not a minor bug; the flaw could allow an attacker to execute code remotely on a server, potentially giving them deep access into a firm’s internal network.

Given SharePoint’s ubiquitous use across the financial services industry for document management, internal collaboration, and data storage, the alert triggered immediate action. FINRA’s guidance was clear: firms needed to review the Microsoft advisory with their IT and security teams and apply the necessary patches without delay. This event highlights the systemic risk posed by vulnerabilities in widely adopted enterprise software. A single flaw in a product used by thousands of financial institutions creates a massive, uniform attack surface for threat actors.

Bob’s Take: “A FINRA alert is the regulatory equivalent of a flashing red light, and this one was particularly serious. The core problem here is software monoculture. When nearly every firm uses the same platform for critical functions, a single vulnerability becomes a sector-wide threat. Proactive patch management is the obvious first step, but mature organizations need to think beyond that. This is where network segmentation proves its worth. A compromised SharePoint server should never provide a direct pathway to trading systems or client account databases. By isolating critical systems and implementing a Zero Trust model—where every request is verified, regardless of its origin—firms can contain the blast radius of a breach and ensure that one compromised server doesn’t lead to a catastrophic failure.”

3. UK’s ICO Fines Charity for Unlawful Data Destruction

In a highly unusual but important case, the UK’s Information Commissioner’s Office (ICO) announced on August 6th that it had fined the Scottish charity Birthlink £18,000 for the unlawful destruction of personal data. While most data protection fines relate to data loss or breaches, this case centered on the organization’s failure to safeguard irreplaceable records.

The charity, which helps connect people separated by adoption, destroyed approximately 4,800 physical records, including handwritten letters and photographs, due to a lack of proper data governance and staff training. The ICO found that Birthlink had no data protection policies, no lawful basis for the destruction, and no understanding of its obligations under GDPR to protect such sensitive information. While the entity was a charity and not a fintech, the ruling has significant implications for all regulated firms. It reinforces that “data protection” is not just about preventing unauthorized access but also about ensuring data integrity and availability.

Bob’s Problem-Solving Insight: “This ICO fine is fascinating because it flips the usual data breach narrative on its head. It’s not about data being stolen, but about it being irretrievably lost due to negligence. For fintechs, this is a critical lesson in data lifecycle management. You need robust policies not just for how you collect and protect data, but also for how you archive and, when appropriate, delete it. A compliance officer might see a requirement to ‘delete data that is no longer needed,’ but what if that data has historical or legal significance? This case proves that you need clear, well-documented retention and destruction policies, approved by both legal and compliance teams, to avoid falling foul of the regulator in unexpected ways.”

4. New “Efimer” Trojan Targets Crypto Wallets via Malspam

Adding to the week’s cryptocurrency woes, researchers at Kaspersky detailed a new malspam campaign on August 8th distributing a trojan named “Efimer.” This malware specifically targets the crypto assets of users in Brazil, Europe, and North America.

The campaign uses a classic social engineering lure: emails impersonating lawyers from a major company, complete with password-protected ZIP archives to appear legitimate. Once a victim opens the malicious script file, Efimer infects the machine. Its primary function is to act as a “clipper,” a type of malware that monitors the user’s clipboard. When the user copies a legitimate cryptocurrency wallet address to make a transaction, the malware automatically and silently replaces it with a wallet address controlled by the attacker. The user, often not double-checking the long string of characters, then unknowingly sends their funds to the thief. This simple yet highly effective technique preys on user inattention and is a reminder of the fundamental risks involved in crypto transactions.
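Because a clipper succeeds only when the user sends to whatever is on the clipboard at the moment of pasting, the defensive counterpart is to verify the recipient against a trusted record immediately before signing, not just at the moment of copying. The following is an added example written for this article, not code from Kaspersky's Efimer analysis or from any wallet: it validates a Bitcoin Base58Check address and compares it with a user-maintained address book, treating any mismatch as a possible substitution. The address book, its label and the mutated value are constructed; the one real address used is the public Bitcoin genesis-block address, chosen only because it is a well-known valid sample.

```python
"""Guard against clipboard-substituted recipient addresses before a
transfer is signed. Added example, not from the original article.

Checks, in order: the recipient label exists in the trusted address book,
the value about to be used matches that entry, and the value is a
well-formed Base58Check (P2PKH/P2SH) address.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(addr):
    """Decode a Base58Check string; return (version, payload) or None if invalid."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return None
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) < 5:
        return None
    body, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != checksum:
        return None
    return body[0], body[1:]


def is_valid_btc_address(addr):
    """True for a mainnet P2PKH (0x00) or P2SH (0x05) address with a good checksum."""
    dec = base58check_decode(addr)
    return dec is not None and dec[0] in (0x00, 0x05) and len(dec[1]) == 20


# Constructed address book. The value is the public genesis-block address,
# used here only as a known-valid sample, not as a real payee.
ADDRESS_BOOK = {"Exchange deposit": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"}


def check_recipient(label, pasted_value, address_book=ADDRESS_BOOK):
    """Return (ok, reason) for the address the user is about to send to."""
    expected = address_book.get(label)
    if expected is None:
        return False, "unknown address-book entry"
    if pasted_value != expected:
        return False, "pasted address differs from the address book entry: possible clipper"
    if not is_valid_btc_address(pasted_value):
        return False, "address-book entry is not a valid Base58Check address"
    return True, "recipient verified"


if __name__ == "__main__":
    good = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    swapped = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"  # constructed: last character altered
    print(check_recipient("Exchange deposit", good))
    print(check_recipient("Exchange deposit", swapped))
```

The ordering matters: the comparison against the address book runs first, so a substituted value is reported as a substitution even when it happens to be a well-formed address. For Ethereum-style addresses the equivalent validity check is the EIP-55 mixed-case checksum, which needs Keccak-256 rather than the SHA-256 in the standard library, but the address-book comparison is the part that actually defeats a clipper.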
