North Korean hackers steal NFTs using nearly 500 phishing domains

Hackers linked to North Korea’s Lazarus group are reportedly behind a massive phishing campaign targeting nonfungible token (NFT) investors – using nearly 500 phishing domains to trick victims.

Blockchain security firm SlowMist released a report on December 24, revealing the tactics North Korean Advanced Persistent Threat (APT) groups have used to separate NFT investors from their NFTs, including decoy websites disguised as a variety of NFT-related platforms and projects .

Examples of these fake websites include a website pretending to be a project related to the World Cup, as well as websites pretending to be well-known NFT marketplaces such as OpenSea, X2Y2 and Rarible.

SlowMist said one of the tactics used was to have these decoy websites offer “malicious coins”, which involves tricking victims into thinking they are making a legitimate NFT by linking their wallet to the website.

However, the NFT is actually fraudulent and the victim’s wallet is vulnerable to the hacker who now has access to it.

The report also revealed that many of the phishing sites operated under the same Internet Protocol (IP), with 372 NFT phishing sites under a single IP and another 320 NFT phishing sites linked to a different IP.

An example of a phishing site Source: SlowMist

SlowMist said the phishing campaign has been going on for months, noting that the earliest registered domain name came about seven months ago.

Other phishing tactics used included recording visitor data and storing it on external websites as well as linking images to target projects.

After the hacker was in the process of obtaining the visitor’s data, they would then proceed to run various attack scripts on the victim, which would give the hacker access to the victim’s access records, authorizations and use of plug-in wallets, as well as sensitive data such as the victim’s authorization log and sigData.

All of this information then gives the hacker access to the victim’s wallet, exposing all of their digital assets.

However, SlowMist stressed that this is only the “tip of the iceberg”, as the analysis only looked at a small part of the materials and extracted “some” of the phishing characteristics of the North Korean hackers.

For example, SlowMist highlighted that just one phishing address alone was able to obtain 1,055 NFTs and earn 300 Ether (ETH), worth $367,000, through its phishing tactics.

It added that the same North Korean APT group was also responsible for the Naver phishing campaign previously documented by Prevailion on March 15.

Related: Blockchain security firm warns of new MetaMask phishing campaign

North Korea has been at the center of various cryptocurrency theft crimes in 2022.

According to a news report published by South Korea’s National Intelligence Service (NIS) on December 22, North Korea stole cryptocurrencies worth $620 million this year alone.

In October, Japan’s National Police Agency issued a warning to the country’s cryptoasset businesses advising them to be wary of the North Korean hacker group.