Reports indicate that the North Korean hackers developed decoy websites impersonating NFT marketplaces, NFT projects, and a DeFi platform.
Hackers linked to North Korea’s Lazarus Group are allegedly behind a large phishing campaign targeting non-fungible token (NFT) investors, using almost 500 phishing domains to dupe victims.
Blockchain security company SlowMist published a report on December 24, revealing the tactics and strategies that North Korean Advanced Persistent Threat (APT) groups have utilized to part NFT investors from their nonfungible tokens, including decoy websites camouflaged as a variety of NFT-related platforms and projects.
Examples of fake websites include a site that pretends to be a project linked with the World Cup and sites that impersonate renowned NFT marketplaces like X2Y2, OpenSea, and Rarible.
SlowMist stated that one of the strategies used was having the decoy websites offer “malicious Mints,” which involves deceiving victims into believing they are minting a legitimate NFT by connecting their wallet to the website.
In reality, the NFT is fraudulent, and the victim’s wallet is left exposed to the North Korean hackers, who know how to access it.
The report also indicated that most of the phishing websites are operated under the same Internet Protocol (IP) address, with 372 NFT phishing sites under one IP and another 320 NFT phishing websites linked to a second IP.
SlowMist stated that the phishing campaign has been running for several months, noting that the earliest registered domain name dates back seven months. Other phishing methods included recording visitor data and saving it to external sites, and linking images to target projects.
Once the hacker had obtained the visitor’s data, they would run a variety of attack scripts on the victim, enabling the North Korean hackers to gain access to the victim’s authorizations, access records, plug-in wallet usage, and sensitive data including the victim’s approve record and sigData.
All that information then enables the criminal to access the victim’s wallet, exposing all their digital assets.
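The approve records mentioned above are what let a phishing site drain a wallet after the victim signs. As an added example (not code from the SlowMist report or this article), this is a pre-signing check a wallet or browser extension could run on a dapp's transaction request: it decodes the standard ERC-20/ERC-721 approval calls and flags any that hand token control to an operator the user has never used. The allow-listed operator address is a constructed placeholder.

```javascript
// Added example, not code from the SlowMist report or this article.
// Pre-signing check: decode ERC-20 / ERC-721 approval calls in a transaction
// request and rate the risk before the user clicks "Sign".

// Function selectors: first 4 bytes of keccak256(canonical signature).
const APPROVAL_SELECTORS = {
  "095ea7b3": { name: "approve(address,uint256)", blanket: false },
  "39509351": { name: "increaseAllowance(address,uint256)", blanket: false },
  "a22cb465": { name: "setApprovalForAll(address,bool)", blanket: true },
};

// Constructed allow-list of operators the user has knowingly approved before;
// a real wallet would keep this per user rather than hard-coding it.
const KNOWN_OPERATORS = new Set(["0x" + "11".repeat(20)]);

// Returns null for non-approval calls, otherwise what the call would grant.
function decodeApproval(data) {
  const hex = String(data || "").toLowerCase().replace(/^0x/, "");
  const spec = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!spec) return null;
  const words = hex.slice(8).match(/.{64}/g) || [];   // 32-byte ABI words
  if (words.length < 2) return null;                  // truncated calldata
  const operator = "0x" + words[0].slice(24);         // address is right-aligned
  // bool `true` is encoded as 63 zeros and a 1; an amount of 0 is a revocation
  const granted = spec.blanket
    ? words[1] === "0".repeat(63) + "1"
    : !/^0+$/.test(words[1]);
  const unlimited = spec.blanket ? granted : words[1] === "f".repeat(64);
  return { fn: spec.name, operator, granted, unlimited };
}

// Risk rating the wallet could show alongside the request.
function assessTransaction(tx) {
  const a = decodeApproval(tx.data);
  if (!a) return { risk: "none", reason: "call grants no approval" };
  if (!a.granted) return { risk: "none", reason: `${a.fn} revokes access`, operator: a.operator };
  if (KNOWN_OPERATORS.has(a.operator)) {
    return { risk: "low", reason: `${a.fn} to a known operator`, operator: a.operator };
  }
  return {
    risk: a.unlimited ? "high" : "medium",
    reason: `${a.fn} grants ${a.unlimited ? "unlimited" : "limited"} access to an unknown operator`,
    operator: a.operator,
  };
}
```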
Nonetheless, SlowMist insisted that this is only the “tip of the iceberg,” as the analysis just looked at a small segment of the materials and extracted ‘some’ of the phishing characteristics of the North Korean hackers.
🚨SlowMist Security Alert🚨
North Korean APT group targeting NFT users with large-scale phishing campaign
This is just the tip of the iceberg. Our thread only covers a fraction of what we've discovered.
Let's dive in pic.twitter.com/DeHq1TTrrN
— SlowMist (@SlowMist_Team) December 24, 2022
For instance, SlowMist highlighted that a single phishing address alone managed to obtain 1,055 NFTs and profit 300 ETH, worth $367,000, through these phishing tactics.
It added that the same North Korean APT group was also responsible for the Naver phishing campaign that was previously documented by Prevailion on March 15.
North Korea has been at the core of different crypto theft crimes in 2022.
Based on a news report published by South Korea’s National Intelligence Service (NIS) in December 2022, North Korea stole $620 million worth of crypto this year alone.
In October, Japan’s National Police Agency sent out a stern warning to the nation’s crypto asset businesses advising them to be highly cautious of North Korean hackers.