North Korean hackers created nearly 500 phishing sites to steal NFTs

 


Threat actors linked to the well-known North Korean Lazarus Group APT are reportedly behind a massive phishing campaign targeting nonfungible token (NFT) investors that used nearly 500 phishing domains to dupe victims, according to a report from blockchain security firm SlowMist.

The researchers said that one of the techniques used in the phishing campaign involved creating fake NFT-related websites with malicious mints. Such sites lure victims under the pretext of minting legitimate NFTs. Once they connect their wallets to the website, the hackers get access to the wallets and can steal the funds stored there.

These NFTs were sold on platforms such as OpenSea, X2Y2, and Rarible. The earliest domain in operation was registered in May 2022.

The researchers discovered several unique NFT phishing traits used by the North Korean groups. For instance, the phishing websites recorded visitor data and saved it to external sites, then ran various “attack scripts” to access sensitive data such as victims’ access records, wallet addresses, authorizations, approval records, and sigData (signature data). With this information, the North Korean hackers can breach users’ wallets.
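As an added illustration of the “authorizations” and approval records the report describes (this is not SlowMist’s code or tooling): a wallet-side check that decodes the calldata a “mint” page asks the user to sign and flags calls that hand token control to an address outside a known allowlist. The function selectors are the standard ERC-20/ERC-721 ones; the contract, operator and allowlist addresses are constructed.

```javascript
// Added example: a legitimate mint should call a mint function, not approve() or
// setApprovalForAll(). These selectors are the standard keccak-256 prefixes of the
// ERC-20 / ERC-721 / ERC-1155 ABI signatures.
const APPROVAL_SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",            // ERC-20 / ERC-721
  "0xa22cb465": "setApprovalForAll(address,bool)",     // ERC-721 / ERC-1155
  "0x39509351": "increaseAllowance(address,uint256)",  // ERC-20 (OpenZeppelin)
};

// Read the 20-byte address stored in the 32-byte ABI word `wordIndex` after the selector.
function wordAsAddress(hexData, wordIndex) {
  const start = 10 + wordIndex * 64; // skip "0x" and the 4-byte selector
  return "0x" + hexData.slice(start + 24, start + 64);
}

// Inspect an eth_sendTransaction-style request. `trustedSpenders` is an allowlist
// of marketplace/operator contracts the user has deliberately chosen to trust.
function inspectTxRequest(tx, trustedSpenders = []) {
  const data = (tx.data || "0x").toLowerCase();
  const fn = APPROVAL_SELECTORS[data.slice(0, 10)];
  if (!fn) return { risky: false, reason: "not an approval call" };
  if (data.length < 74) return { risky: true, fn, reason: "malformed approval calldata" };
  const spender = wordAsAddress(data, 0);
  if (trustedSpenders.some(s => s.toLowerCase() === spender)) {
    return { risky: false, fn, spender, reason: `${fn} to allowlisted ${spender}` };
  }
  // setApprovalForAll(operator, true) hands over every token in the collection.
  const grantsAll = data.startsWith("0xa22cb465") && data.slice(74, 138).endsWith("1");
  return { risky: true, fn, spender, grantsAll,
           reason: `${fn} grants ${grantsAll ? "ALL tokens" : "tokens"} to unknown ${spender}` };
}

// Constructed sample: what a malicious "mint" button might actually ask the wallet to sign.
const SAMPLE_SET_APPROVAL_FOR_ALL = {
  to: "0x" + "c0ffee".padEnd(40, "0"),                            // constructed NFT contract
  data: "0xa22cb465" +
        "0".repeat(24) + "deadbeef".padEnd(40, "0") +             // operator (constructed)
        "0".repeat(63) + "1",                                     // approved = true
};

console.log(inspectTxRequest(SAMPLE_SET_APPROVAL_FOR_ALL).reason);
```

Running the block prints a warning for the constructed request because its operator is not on the allowlist; pass the same address in `trustedSpenders` and the verdict flips to not risky.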

SlowMist’s investigation revealed that the hackers used multiple tokens, such as WETH, USDC, DAI, and UNI, in their phishing attacks. The campaign appears to have been highly profitable: in one case, the hackers made a profit of 300 ETH, worth over $367,000, from a single victim.

Earlier this week, South Korea’s National Police Agency revealed that North Korean state-backed hackers have targeted at least 892 foreign policy experts from South Korea to steal their personal data and email lists, and have carried out ransomware attacks against online retailers.
