N Korean Hackers pull off NFT Phishing Scam worth 300 ETH

The North Korean hackers created fake phishing websites impersonating other NFT platforms like Rarible, X2Y2, and OpenSea to mislead NFT users.

Written By:
Vismaya V

Last updated: December 27, 2022 7:57 AM

Published December 27, 2022 7:57 AM

Last updated: December 27, 2022 7:57 AM

Published December 27, 2022 7:57 AM

North Korean Advanced Persistent Threat (APT) hacker groups are behind massive NFT phishing scams. One of the hacker addresses even acquired 1,055 NFTs, selling them for a profit of almost 300 ETH, around $366k.

According to a Blockchain security firm SlowMist report, one of the methods employed in this phishing attempt was conducting malicious mints using NFT-related decoy websites.

🚨SlowMist Security Alert🚨

North Korean APT group targeting NFT users with large-scale phishing campaign

This is just the tip of the iceberg. Our thread only covers a fraction of what we've discovered.

Let's dive in pic.twitter.com/DeHq1TTrrN
— SlowMist (@SlowMist_Team) December 24, 2022

The hackers created fake websites impersonating other NFT platforms like Rarible, X2Y2, and OpenSea to mislead users. The most recent phishing site that the hackers have set up and run pose are World Cup-related projects.

The North Korean APT used roughly 500 domain names to target users in its phishing attempt. The earliest registration date for these domain names was 7 months ago.

“thedoodles.site,” which was primarily utilized to record user data in the early stages of APT activities, is the primary domain name used by APT to monitor user requests.

Seven months ago, the HTTPS certificate for this domain name was registered, showing that the hacker group had already started concentrating on NFT users at that time.

In some host addresses, SlowMist discovered txt files with statistical data on victims and numerous attack scripts used by North Korean hackers. These files contained information about the victim’s authorizations, plug-in wallet usage, and access history.

Also Read: Lazarus Hackers target Developers via Fake Crypto.com Job Offers

According to SlowMist, there are groups of NFT phishing sites that share the same host’s IP address, with 372 of them sharing a single IP and another 320 sharing a different one.

In their phishing scams, the hackers used a variety of tokens, including WETH, USDC, DAI, UNI, etc. In addition, the hackers attempt to coerce their victims into doing Seaport and Permit signatures and engaging in other approving actions.

SlowMist’s report also revealed that North Korean hackers and Eastern Europe seem to be cooperating with phishing NFT users. Users, please beware of phishing scams and don’t click on any time of link without the necessary information about it!