Fintechs.fi

Fintech & Crypto News

North Korea-Linked Hackers Used Phishing Websites To Steal NFTs

The hackers made fake websites that looked like NFT projects, NFT marketplaces, and even a DeFi platform.

Hackers with ties to North Korea’s Lazarus Group are said to be behind a vast phishing campaign that targets investors in non-fungible tokens (NFTs) using nearly 500 phishing domains.

SlowMist, a blockchain security company, released a report on December 24 that showed the methods that North Korean Advanced Persistent Threat (APT) groups have used to trick NFT investors out of their NFTs. These methods include creating fake websites that look like different platforms and projects related to NFTs.

Some fake websites include one that pretends to be a World Cup project and others that try to look like popular NFT marketplaces like OpenSea, X2Y2, and Rarible.

SlowMist said that one of the methods was for these fake websites to offer “malicious mints,” which trick the victims into thinking that they are minting a real NFT when they connect their wallet to the website.

But the NFT is a fake, and the hacker now has access to the victim’s wallet, which leaves the wallet open to theft.

The report also showed that many phishing websites shared the same Internet Protocol (IP) address. For example, 372 NFT phishing websites used the same IP address, and another 320 NFT phishing websites shared a different IP address.


SlowMist said that the phishing campaign has been going on for a while, pointing out that the first domain name was registered about seven months ago.

Other phishing tactics included recording visitor information and saving it on external sites, and linking images to the projects being targeted.

After the hacker was about to get the visitor’s information, they would run different attack scripts on the victim. This gave the hacker access to the victim’s access records, authorizations, use of plug-in wallets, and sensitive data like the victim’s approved record and sigData.

After getting all this information, the hacker can get into the victim’s wallet and see their digital assets.

But SlowMist stressed that this is just the “tip of the iceberg” because the analysis only looked at a small part of the materials and only got “some” of the North Korean hackers’ phishing traits.

For example, SlowMist pointed out that just one of the phishing addresses was able to obtain 1,055 NFTs and 300 ETH worth $367,000.

It also said that the same North Korean APT group was behind the Naver phishing campaign that Prevailion wrote about on March 15.

North Korea has been at the centre of several cryptocurrency thefts in 2022.

South Korea’s National Intelligence Service (NIS) said in a report on December 22 that North Korea stole $620 million worth of cryptocurrencies this year alone.

In October, Japan’s National Police Agency warned the country’s crypto-asset businesses about the North Korean hacking group and told them to be careful.