Hackers in North Korea are using nearly 500 phishing domains to steal NFTs.

The hackers fabricated fake NFT markets, NFT projects, and a DeFi platform.

Nearly 500 phishing domains were reportedly used in a massive phishing campaign against NFT investors that was perpetrated by hackers with ties to North Korea's Lazarus Group.

On December 24th, blockchain security firm SlowMist published a report detailing the methods used by North Korean Advanced Persistent Threat (APT) groups to separate NFT investors from their NFTs, such as the use of decoy websites masquerading as legitimate NFT-related platforms and projects.

One such fake website falsely claimed to be a World Cup-related initiative; others pretended to be popular NFT marketplaces like OpenSea, X2Y2, and Rarible.

According to SlowMist, one tactic was to have these fake sites offer "malicious Mints," which trick victims into thinking they are minting a real NFT when they are actually being scammed.

The NFT is fraudulent, however, and the victim's wallet is left open to the hacker.

The report also found that many phishing websites shared the same Internet Protocol (IP), with 372 NFT phishing websites sharing a single IP and another 320 NFT phishing websites linked to a different IP.
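The shared-IP finding suggests a simple defensive pivot: group observed domains by the IP they resolve to and review any IP hosting many names that imitate known NFT brands. The sketch below is an added example, not code from the SlowMist report; the records are constructed (documentation IP ranges and `.example` names), and the official-domain allowlist and the `min_domains` threshold are assumptions.

```python
from collections import defaultdict

# Brands named in the article; the official domains are an assumed allowlist.
BRANDS = {"opensea": "opensea.io", "x2y2": "x2y2.io", "rarible": "rarible.com"}

# Constructed passive-DNS style records (domain, resolved IP).
# Documentation IP ranges and .example names only; not real indicators.
SAMPLE_RECORDS = [
    ("opensea-mint.example", "192.0.2.10"),
    ("x2y2-claim.example", "192.0.2.10"),
    ("rarible-drop.example", "192.0.2.10"),
    ("worldcup-nft.example", "192.0.2.10"),
    ("OpenSea-Mint.example.", "192.0.2.10"),  # same name, different case
    ("blog.example", "198.51.100.7"),
    ("shop.example", "198.51.100.7"),
    ("opensea.io", "203.0.113.5"),            # official domain, never flagged
]

def normalize(domain):
    """Lower-case and drop the trailing root dot so duplicates collapse."""
    return domain.strip().lower().rstrip(".")

def cluster_by_ip(records):
    """Map each IP to the set of distinct domains seen resolving to it."""
    clusters = defaultdict(set)
    for domain, ip in records:
        clusters[ip].add(normalize(domain))
    return clusters

def impersonated_brand(domain):
    """Return the brand a domain imitates, or None if official or unrelated."""
    for brand, official in BRANDS.items():
        if domain == official or domain.endswith("." + official):
            return None
        if brand in domain:
            return brand
    return None

def suspicious_clusters(records, min_domains=3):
    """IPs hosting >= min_domains names, at least one a brand lookalike."""
    out = []
    for ip, domains in cluster_by_ip(records).items():
        brands = {b for b in map(impersonated_brand, domains) if b}
        if len(domains) >= min_domains and brands:
            out.append((ip, sorted(domains), sorted(brands)))
    return sorted(out, key=lambda c: len(c[1]), reverse=True)

if __name__ == "__main__":
    for ip, domains, brands in suspicious_clusters(SAMPLE_RECORDS):
        print(ip, len(domains), "domains; lookalikes of", ", ".join(brands))
```

Shared hosting also places many unrelated sites on one IP, so a flagged cluster is a lead for review rather than a verdict.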

According to SlowMist, the phishing campaign has been running for some time: at least seven months have passed since the first domain name was registered.

Images were linked to target projects, and visitors' data was recorded and saved on external sites.

Once the visitor's data was in the hacker's possession, the hacker would run a series of attack scripts on the victim, gaining access to the victim's most private information, including their approve record and sigData, as well as their access records, authorizations, and plug-in wallet usage.

With this data in hand, a hacker can break into the victim's digital wallet and steal all their money and other valuables.

Despite this, SlowMist stressed that this is only the "tip of the iceberg," as the analysis only examined a subset of the materials and extracted "some" of the phishing characteristics of the North Korean hackers.

For instance, SlowMist brought attention to the fact that a single phishing address managed to steal 1,055 NFTs and 300 Ether (at the time, worth $367,000) by using phishing techniques.

It went on to say that the same North Korean APT group was also responsible for the Naver phishing campaign that Prevailion had reported on March 15.

In 2022, North Korea has been at the center of numerous incidents involving the theft of digital currencies.

The National Intelligence Service (NIS) of South Korea reported on December 22 that North Korea had stolen $620 million worth of cryptocurrencies this year.

Japan's National Police Agency issued a notice to the country's crypto-asset businesses in October, warning them to be wary of a North Korean hacking group.
