Decoy websites impersonating NFT marketplaces, NFT projects, and even a DeFi platform were created by the hackers.
Hackers associated with North Korea’s Lazarus Group are allegedly behind a massive phishing campaign aimed at non-fungible token (NFT) investors, employing nearly 500 phishing domains to dupe victims.
SlowMist, a blockchain security firm, published a report on December 24 that revealed the tactics used by North Korean Advanced Persistent Threat (APT) groups to separate NFT investors from their NFTs, including decoy websites disguised as a variety of NFT-related platforms and projects.
Examples include a fake website impersonating a World Cup project and sites impersonating well-known NFT marketplaces such as OpenSea, X2Y2 and Rarible.
According to SlowMist, one of the tactics used was for these decoy websites to offer “malicious Mints,” which involve tricking victims into thinking they are minting a legitimate NFT by connecting their wallet to the website.
The NFT, however, is fraudulent, and the victim’s wallet is left exposed to the hacker, who now has access to it.
The report also revealed that many of the phishing websites shared the same Internet Protocol (IP) address, with 372 NFT phishing websites hosted on one IP address and another 320 hosted on a second.
SlowMist stated that the phishing campaign has been ongoing for several months, with the first registered domain name coming about seven months ago.
Other phishing techniques used included capturing visitor data and saving it to external sites, as well as linking images to specific projects.
After obtaining the visitor’s data, the hacker would proceed to run various attack scripts against the victim, granting the hacker access to the victim’s access records, authorizations, use of browser plug-in wallets, and sensitive data such as the victim’s approve record and sigData.
All of this information allows the hacker to gain access to the victim’s wallet, exposing all of their digital assets.
SlowMist, however, stressed that this is just the “tip of the iceberg,” as the analysis only looked at a small portion of the materials and extracted “some” of the North Korean hackers’ phishing characteristics.
SlowMist, for example, stated that one phishing address alone was able to gain 1,055 NFTs and profit 300 ETH, totaling $367,000, through its phishing tactics.
It went on to say that the same North Korean APT group was also behind the Naver phishing campaign, which Prevailion had previously documented on March 15.
In 2022, North Korea has been at the centre of numerous cryptocurrency theft crimes.
According to a news report published on December 22 by South Korea’s National Intelligence Service (NIS), North Korea stole $620 million in cryptocurrency this year alone.
Japan’s National Police Agency issued a warning to the country’s crypto-asset businesses in October, advising them to be wary of the North Korean hacking group.