North Korean APT hackers use 500 phishing domains to steal NFTs

Posted on December 27, 2022 at 2:13 PM


The Lazarus Group, a threat actor based in North Korea, has been running a large phishing campaign targeting holders of non-fungible tokens (NFTs). The group deployed around 500 phishing domains aimed at NFT investors.

North Korean hackers use phishing domains to steal NFTs

SlowMist, a blockchain security company, published the details of the phishing campaigns run by Advanced Persistent Threat (APT) groups based in North Korea. Its report describes the methods these groups have been using to steal NFTs.

One of the main methods used by the attackers was fake websites posing as NFT platforms and projects. The report noted that one of these sites impersonated a project associated with the recently completed FIFA World Cup. Others impersonated popular NFT marketplaces such as OpenSea, Rarible, and X2Y2.

The SlowMist report noted that one tactic used once a user landed on a fake site was to offer an NFT mint. The mint was a decoy: the victim was led to believe they were minting a genuine NFT, and the site urged them to connect their wallet. Once the wallet was connected and the site's prompts approved, the NFTs it held could be transferred out.

The mints offered through these sites were malicious and gave the attacker access to the victim's wallet. According to the report, most of the phishing websites shared the same IP address: 372 phishing sites resolved to one IP, and another 320 NFT phishing sites resolved to a second IP.

The report also noted that the hackers had been running this phishing campaign for several months; the earliest-registered domain dated back seven months. This shows the campaign had been active for a long time, during which it could have affected many NFT investors who visited the malicious websites.
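The two infrastructure pivots the report relies on, hundreds of domains resolving to a single IP address and the age of the earliest registration, are easy to reproduce on a list of suspect domains. The script below is an added example, not code from SlowMist or from this article; the domain names, IP addresses and registration dates in it are constructed for illustration, and the brand-matching is a plain substring check that flags lookalikes of the marketplaces the report names.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not data from the SlowMist report): each entry is
# (domain, resolved IP, registration date). The domains are made-up lookalikes.
SAMPLE_RECORDS = [
    ("opensea-mint.example", "203.0.113.10", date(2022, 5, 20)),
    ("rarible-claim.example", "203.0.113.10", date(2022, 8, 2)),
    ("x2y2-airdrop.example", "203.0.113.10", date(2022, 11, 14)),
    ("worldcup-nft.example", "198.51.100.7", date(2022, 11, 1)),
    ("free-mint-pass.example", "198.51.100.7", date(2022, 12, 3)),
    ("unrelated-shop.example", "192.0.2.44", date(2021, 1, 9)),
]

# Date the analysis is run against; chosen to match the article's publication date.
REPORT_DATE = date(2022, 12, 27)

# Marketplaces the report says were impersonated.
IMPERSONATED_BRANDS = ("opensea", "rarible", "x2y2")


def cluster_by_ip(records):
    """Group domains by the IP they resolve to: shared hosting is the pivot the
    report used (hundreds of sites on one address)."""
    clusters = defaultdict(list)
    for domain, ip, registered in records:
        clusters[ip].append((domain, registered))
    return dict(clusters)


def campaign_age_days(records, ip, today):
    """Age of the infrastructure behind one IP, measured from the earliest
    registration date in that cluster (the report's 'seven months' figure)."""
    dates = [registered for _, host_ip, registered in records if host_ip == ip]
    return (today - min(dates)).days


def brand_hits(records):
    """Domains whose first label contains an impersonated marketplace name."""
    hits = {}
    for domain, _, _ in records:
        label = domain.split(".")[0].lower()
        for brand in IMPERSONATED_BRANDS:
            if brand in label:
                hits[domain] = brand
    return hits


def triage(records, today, min_cluster=2):
    """Return clusters worth escalating: at least `min_cluster` domains on one
    IP, with the cluster's age in days and any brand impersonation found."""
    report = {}
    all_hits = brand_hits(records)
    for ip, members in cluster_by_ip(records).items():
        if len(members) < min_cluster:
            continue
        domains = {d for d, _ in members}
        report[ip] = {
            "count": len(domains),
            "age_days": campaign_age_days(records, ip, today),
            "brands": {d: b for d, b in all_hits.items() if d in domains},
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_RECORDS, REPORT_DATE).items():
        print(ip, info)
```

On real data the records would come from passive DNS and WHOIS/RDAP lookups; the single-IP clusters this produces are the ones to block at the resolver or proxy, and the oldest registration in a cluster tells you how far back to search proxy and wallet-connection logs for exposed users.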

Besides using fake websites to offer free NFT mints, the hackers used other phishing techniques. These included recording visitor data and saving it to an external site, and embedding images linked to the targeted projects.

With the visitor data in hand, the attackers ran multiple attack scripts against the victim. These gave them the victim's access records, wallet authorizations and use of browser plug-in wallets, sensitive data, and approval records.

All of this gave the attackers access to the victim's wallet, from which they transferred out digital assets. Given the tactics used, the campaign has likely already caused significant losses.
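The "authorizations" and "approval records" above are what turn a wallet connection into a theft. The article does not spell out the mechanism, so the following is an assumption: the standard way an NFT drainer obtains such an authorization is a signed ERC-721 setApprovalForAll(operator, true) naming an attacker-controlled operator, after which that operator can move every token in the collection without further prompts. The checker below is an added example, not SlowMist's or the article's code; the function selectors are the fixed ERC-721/ERC-20 values, and the sample calldata and operator address are constructed.

```python
# Standard 4-byte function selectors (first four bytes of keccak256 of the
# ABI signature). These values are fixed by the ERC-721 / ERC-20 standards and
# are assumed here, not taken from the SlowMist report.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}


def split_calldata(calldata):
    """Split hex calldata into (selector, list of 32-byte argument words)."""
    data = calldata[2:] if calldata.startswith("0x") else calldata
    if len(data) < 8:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector, body = data[:8].lower(), data[8:]
    if len(body) % 64:
        raise ValueError("argument area is not a whole number of 32-byte words")
    return selector, [body[i:i + 64] for i in range(0, len(body), 64)]


def _address(word):
    # ABI-encoded addresses are right-aligned in the 32-byte word.
    return "0x" + word[-40:].lower()


def _uint(word):
    return int(word, 16)


def assess(calldata, trusted_operators=frozenset()):
    """Classify the transaction a site asks the wallet to sign.

    A blanket setApprovalForAll(operator, true) to an operator the user does
    not recognise is the red flag: it lets that operator move every token the
    victim holds in the collection without any further prompt.
    """
    selector, words = split_calldata(calldata)
    trusted = {a.lower() for a in trusted_operators}
    sig = SELECTORS.get(selector)
    if sig is None:
        return {"function": None, "selector": selector, "risk": "unknown"}
    name, argc = sig.split("(")[0], sig.count(",") + 1
    if len(words) < argc:
        raise ValueError(f"{name} expects {argc} arguments, got {len(words)}")

    if name == "setApprovalForAll":
        operator, approved = _address(words[0]), _uint(words[1]) != 0
        risk = "high" if approved and operator not in trusted else "low"
        return {"function": name, "operator": operator,
                "approved": approved, "risk": risk}
    if name == "approve":
        # Single-token approval: bounded damage, still worth a warning.
        operator, token_id = _address(words[0]), _uint(words[1])
        risk = "medium" if operator not in trusted else "low"
        return {"function": name, "operator": operator,
                "token_id": token_id, "risk": risk}
    # transferFrom / safeTransferFrom: an outright transfer, not an approval.
    sender, to, token_id = _address(words[0]), _address(words[1]), _uint(words[2])
    risk = "high" if to not in trusted else "low"
    return {"function": name, "from": sender, "to": to,
            "token_id": token_id, "risk": risk}


def encode_set_approval_for_all(operator, approved):
    """Build setApprovalForAll calldata; used here only to construct sample input."""
    addr = operator[2:].lower().rjust(64, "0")
    flag = ("1" if approved else "0").rjust(64, "0")
    return "0xa22cb465" + addr + flag


# Constructed sample: an operator address that is not a known marketplace.
SAMPLE_OPERATOR = "0x" + "11" * 20
SAMPLE_CALLDATA = encode_set_approval_for_all(SAMPLE_OPERATOR, True)

if __name__ == "__main__":
    print(assess(SAMPLE_CALLDATA))
```

The trusted-operator set would hold the marketplace contracts the user actually lists on; anything else requesting a blanket approval from a "free mint" page is the pattern described in this campaign. The same decoding is what a wallet or browser extension can surface in the signing prompt instead of an opaque hex blob.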

The SlowMist report also cautioned that this could be just the "tip of the iceberg," since the analysis covered only a small part of the phishing campaign and only a few of the characteristics of the North Korean groups involved. A broader analysis of their infrastructure and tooling would likely expose more phishing campaigns targeting digital asset holders.

The scale of the theft could also be large: one phishing address alone obtained 1,055 NFTs and realised about 300 ETH in profit from them. Across roughly 500 domains, the total number of stolen NFTs could be far higher.

The report also attributed the Naver phishing campaign, documented by Prevailion on March 15, to the same North Korean hacking group.

North Korean hackers target crypto

North Korean hackers have been linked to multiple thefts in the cryptocurrency space this year. South Korea's National Intelligence Service reported that North Korean hackers stole $620 million worth of digital assets in 2022 alone.

Earlier this year, the Lazarus Group was linked to the breach of Sky Mavis' Ronin bridge, in which the attackers stole over $600M worth of crypto assets. The activity of North Korean hackers in the crypto space has also led Japan's National Police Agency to warn crypto firms in the country to be on guard against them.
