
NFT users targeted by North Korean hackers in large-scale phishing operation

The phishing campaign has been going on for a while; the earliest registered domain name was roughly seven months ago.

Image by: Wikimedia Commons

Mon, 26 Dec 2022, 09:31 am UTC

Non-fungible token (NFT) owners are now being targeted by the hacker group Lazarus. The North Korean group is reportedly behind a massive phishing campaign that used nearly 500 phishing domains set up to dupe victims.

On December 24, the blockchain security company SlowMist published a report that outlined the tactics used by North Korean Advanced Persistent Threat (APT) groups to dupe NFT investors. One of the methods involved the use of bogus websites impersonating various NFT-related platforms and projects, according to Cointelegraph.

These fraudulent websites include one that presents itself as a project associated with the World Cup. There are also sites that mimic popular NFT marketplaces like OpenSea, X2Y2, and Rarible.

One of the strategies, according to SlowMist, is for these fake websites to offer "malicious mints," which trick users into believing they are minting real NFTs by connecting their wallets to the site. The NFT is a scam: by connecting, the victim hands the attacker access to the wallet, which is then open to attack.

The analysis also showed that a large number of the phishing websites shared the same IP address: 372 NFT phishing websites were hosted on one IP address and another 320 on a second.

The phishing campaign, according to SlowMist, has been going on for a while; the earliest registered domain name was roughly seven months ago. Along with linking images to the targeted projects, other phishing techniques included gathering visitor information and saving it to external websites.

After obtaining the visitor's data, the hacker would run different attack scripts against the victim, giving them access to the victim's access records, authorizations, use of plug-in wallets, and sensitive data such as the victim's approve record and sigData.

The hacker can then access the victim's wallet using all this information, exposing all of their digital assets. SlowMist stressed that this is simply the "tip of the iceberg," as the research only considered a small percentage of the materials and only "some" of the North Korean hackers' phishing characteristics.
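The "malicious mint" flow described above and the attacker's interest in the victim's "approve record" both come down to operator approvals: once a wallet has granted `setApprovalForAll` to an attacker-controlled operator, that operator can move every token in the collection without further signatures. The following is an added example, not code from the article or from SlowMist, showing how a defender can replay ERC-721/ERC-1155 `ApprovalForAll` events for a wallet and flag active approvals to operators that are not on a known-marketplace allowlist. The event records and all addresses below are constructed placeholders, and the allowlist is a hypothetical one that a real deployment would populate with the actual marketplace contracts it trusts.

```python
"""Flag NFT operator approvals granted to operators outside a known allowlist.

Added example with constructed data. Addresses are placeholders, not real contracts.
"""
from dataclasses import dataclass

# Hypothetical allowlist of trusted marketplace operator contracts (placeholder addresses).
KNOWN_OPERATORS = {
    "0x000000000000000000000000000000000000a11c": "example-marketplace-a",
    "0x000000000000000000000000000000000000b22d": "example-marketplace-b",
}


@dataclass(frozen=True)
class ApprovalEvent:
    """One decoded ApprovalForAll(owner, operator, approved) event."""
    block: int
    collection: str   # NFT contract that emitted the event
    owner: str        # wallet granting or revoking the approval
    operator: str     # address being granted or losing approval
    approved: bool    # True = grant, False = revoke


# Constructed sample: a victim wallet approves a marketplace, then an unknown operator,
# and later revokes one of its unknown approvals. A second wallet stays clean.
VICTIM = "0x0000000000000000000000000000000000001111"
OTHER = "0x0000000000000000000000000000000000002222"
UNKNOWN_OP = "0x000000000000000000000000000000000000dead"
SAMPLE_EVENTS = [
    ApprovalEvent(10, "0xC0LLECTION1", VICTIM, "0x000000000000000000000000000000000000A11C", True),
    ApprovalEvent(12, "0xC0LLECTION1", VICTIM, UNKNOWN_OP, True),   # phishing-style approval
    ApprovalEvent(13, "0xC0LLECTION2", VICTIM, UNKNOWN_OP, True),
    ApprovalEvent(15, "0xC0LLECTION2", VICTIM, UNKNOWN_OP, False),  # revoked, so not exposed
    ApprovalEvent(16, "0xC0LLECTION1", OTHER, "0x000000000000000000000000000000000000B22D", True),
]


def current_exposure(events):
    """Replay events in block order and return the approvals that are still active.

    Result maps (owner, collection) -> set of operator addresses, all lowercased.
    A later revoke cancels an earlier grant for the same operator.
    """
    active = {}
    for ev in sorted(events, key=lambda e: e.block):
        key = (ev.owner.lower(), ev.collection.lower())
        ops = active.setdefault(key, set())
        op = ev.operator.lower()
        if ev.approved:
            ops.add(op)
        else:
            ops.discard(op)
    return {k: v for k, v in active.items() if v}


def flag_unknown_operators(events, allowlist=KNOWN_OPERATORS):
    """Return sorted (owner, collection, operator) triples for active approvals
    whose operator is not in the allowlist. These are the approvals worth revoking."""
    trusted = {a.lower() for a in allowlist}
    flagged = []
    for (owner, collection), ops in current_exposure(events).items():
        for op in ops:
            if op not in trusted:
                flagged.append((owner, collection, op))
    return sorted(flagged)


if __name__ == "__main__":
    for owner, collection, op in flag_unknown_operators(SAMPLE_EVENTS):
        print(f"REVIEW: {owner} granted operator {op} on collection {collection}")
```

Feeding this the wallet's real event history (for example from a node's `eth_getLogs` filtered on the `ApprovalForAll` topic and the owner address) turns the article's abstract "approve record" into a concrete list of operators that can still drain the wallet; anything not recognised as a marketplace the owner actually uses should be revoked.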

For instance, SlowMist pointed out that one phishing address alone was able to steal 300 ETH ($367,000) and 1,055 NFTs using its phishing techniques. The firm also stated that the Naver phishing effort, which was originally reported by Prevailion on March 15, was carried out by the same North Korean APT group.

TokenPost | [email protected]

Copyright © TokenPost. All Rights Reserved.
