Approximately 500 phishing domains are reportedly being used by hackers affiliated with North Korea’s Lazarus Group in a large phishing campaign targeting investors in non-fungible tokens (NFTs).
North Korean Advanced Persistent Threat (APT) groups
On December 24, the blockchain security company SlowMist published a report outlining the strategies North Korean Advanced Persistent Threat (APT) groups use to separate NFT investors from their NFTs. These include dummy websites impersonating NFT-related platforms and projects.
The bogus websites imitate well-known NFT marketplaces such as OpenSea, X2Y2, and Rarible; one poses as a World Cup project, and others counterfeit other well-known NFT projects.
One technique involved creating fake NFT-related websites with malicious Mints to steal NFTs. They used nearly 500 different domain names and sold them on platforms such as @OpenSea, @X2Y2, and @rarible.
One of the earliest incidents can be traced back to 7 months ago. pic.twitter.com/4COsMuR80x
— SlowMist (@SlowMist_Team) December 24, 2022
One of the strategies is to have these fake websites offer a “malicious mint”: the user connects a wallet and signs what they believe is the transaction that mints a real NFT.
But there is no real NFT. What the victim actually signs is a transaction or approval chosen by the attacker, and once it is confirmed the hacker has the access needed to move assets out of the connected wallet.
In addition, the analysis showed that many of the phishing websites shared the same Internet Protocol (IP) address: 372 NFT phishing websites sat on a single IP and another 320 on a second IP.
SlowMist said the campaign has been running for some time; the earliest of the domain names was registered roughly seven months ago.
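The shared-IP observation is a pivot a defender can automate: resolve the suspect domains, group them by hosting IP, tag the brand each name impersonates, and take the earliest first-seen date per cluster as a lower bound on how long the campaign has run. The following is an added example, not SlowMist's tooling; the resolution records are constructed placeholders (RFC 5737 documentation IPs and .example names), and the brand list is an assumption drawn from the marketplaces named in this article.

```javascript
// Added example (not SlowMist's tooling): pivot on hosting infrastructure.
// Given domain-to-IP resolution records, group the domains by IP, tag the brand each
// name impersonates, and report dense clusters with their earliest sighting.
// RECORDS are constructed placeholders (RFC 5737 documentation IPs, .example names).
const BRANDS = ["opensea", "x2y2", "rarible", "worldcup"]; // assumed watch-list

const RECORDS = [
  { domain: "opensea-mint.example",   ip: "203.0.113.10", firstSeen: "2022-06-02" },
  { domain: "rarible-drop.example",   ip: "203.0.113.10", firstSeen: "2022-05-20" },
  { domain: "open-sea-claim.example", ip: "203.0.113.10", firstSeen: "2022-09-14" },
  { domain: "x2y2-airdrop.example",   ip: "198.51.100.7", firstSeen: "2022-11-01" },
  { domain: "worldcup-nft.example",   ip: "198.51.100.7", firstSeen: "2022-11-18" },
  { domain: "unrelated-blog.example", ip: "192.0.2.44",   firstSeen: "2021-01-05" },
];

// Which brand does the leftmost label impersonate? Hyphens and other separators are
// stripped so "open-sea-claim" still matches "opensea".
function impersonatedBrand(domain) {
  const label = domain.toLowerCase().split(".")[0].replace(/[^a-z0-9]/g, "");
  return BRANDS.find((b) => label.includes(b)) || null;
}

// Cluster records by IP; keep clusters hosting at least `minDomains` names,
// largest first. firstSeen is the earliest ISO date in the cluster
// (ISO yyyy-mm-dd strings compare correctly as plain strings).
function clusterByIp(records, minDomains = 2) {
  const byIp = new Map();
  for (const r of records) {
    let c = byIp.get(r.ip);
    if (!c) {
      c = { ip: r.ip, domains: [], brands: new Set(), firstSeen: r.firstSeen };
      byIp.set(r.ip, c);
    }
    c.domains.push(r.domain);
    const b = impersonatedBrand(r.domain);
    if (b) c.brands.add(b);
    if (r.firstSeen < c.firstSeen) c.firstSeen = r.firstSeen;
  }
  return [...byIp.values()]
    .filter((c) => c.domains.length >= minDomains)
    .map((c) => ({
      ip: c.ip,
      count: c.domains.length,
      domains: c.domains.sort(),
      brands: [...c.brands].sort(),
      firstSeen: c.firstSeen,
    }))
    .sort((a, b) => b.count - a.count);
}

// Whole days between a cluster's earliest sighting and a reference date.
function campaignAgeDays(cluster, asOf) {
  return Math.round((Date.parse(asOf) - Date.parse(cluster.firstSeen)) / 86400000);
}

for (const c of clusterByIp(RECORDS)) {
  console.log(`${c.ip}: ${c.count} domains, brands=${c.brands.join("/")}, ` +
              `active ${campaignAgeDays(c, "2022-12-24")} days by 2022-12-24`);
}
```

On the constructed data the 203.0.113.10 cluster hosts three lookalikes for two brands and its oldest name predates the report date by 218 days, which is the same "about seven months" reasoning SlowMist applied to the real domain set; a single IP carrying hundreds of brand-themed names, as reported here, is a strong signal on its own.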
Hackers collected visitor data on external websites
Other distinctive phishing techniques the group employed included collecting visitor data and storing it on external sites, using an HTTP request path for the NFT item price list, and linking images to the targeted projects.
Analyzing the sites’ code and behavior, SlowMist found that once the hacker has the visitor’s data, a variety of attack scripts are run against the victim to obtain access to their browser-extension (plug-in) wallets, approvals, and records, along with sensitive information such as the victim’s approve record and sigData.
With all this information in hand, the hacker gains access to the victim’s wallet and can see all of their digital assets.
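The "malicious mint" turns on one fact the page relies on the victim not checking: the wallet is asked to sign raw calldata, and nothing in the dapp's UI proves that calldata is a mint. The following is an added example, not code from SlowMist or from any of the phishing sites; it shows, on the attacker side, a "mint" handler that really encodes an ERC-721 setApprovalForAll call, and, on the defender side, how a wallet or a user can decode a request's selector and arguments before signing. The addresses are constructed placeholders, and the four selectors are the standard keccak-256-derived ids from ERC-20/ERC-721.

```javascript
// Added example (not SlowMist's code): what a "malicious mint" button really asks the
// wallet to sign, and how to decode such a request before approving it.
// A dapp sends the wallet an eth_sendTransaction request {from, to, value, data}.
// The first 4 bytes of `data` select the contract function; each static argument
// follows as a right-aligned 32-byte word. Selectors below are the standard
// keccak-256-derived 4-byte ids from ERC-20/ERC-721.
const SELECTORS = {
  "0xa22cb465": { name: "setApprovalForAll(address,bool)", types: ["address", "bool"] },
  "0x095ea7b3": { name: "approve(address,uint256)", types: ["address", "uint256"] },
  "0x23b872dd": { name: "transferFrom(address,address,uint256)", types: ["address", "address", "uint256"] },
  "0x42842e0e": { name: "safeTransferFrom(address,address,uint256)", types: ["address", "address", "uint256"] },
};

// Constructed placeholder addresses, not real accounts.
const VICTIM = "0x2222222222222222222222222222222222222222";
const ATTACKER = "0x1111111111111111111111111111111111111111";
const NFT_CONTRACT = "0x3333333333333333333333333333333333333333";

// Left-pad a hex value to one 32-byte ABI word.
function pad32(hex) {
  return hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
}

// Attacker side: the page's "mint" handler builds this instead of a mint call.
function encodeSetApprovalForAll(operator, approved) {
  return "0xa22cb465" + pad32(operator) + pad32(approved ? "1" : "0");
}

// Defender side: decode one 32-byte ABI word of a known static type.
function decodeWord(word, type) {
  switch (type) {
    case "address": return "0x" + word.slice(24);      // low 20 bytes of the word
    case "bool":    return BigInt("0x" + word) !== 0n;
    case "uint256": return BigInt("0x" + word);
    default: throw new Error("unsupported type " + type);
  }
}

function decodeCalldata(data) {
  const hex = (data || "0x").toLowerCase().replace(/^0x/, "");
  if (hex.length === 0) return { selector: null, name: "(no calldata)", args: [] };
  const selector = "0x" + hex.slice(0, 8);
  const sig = SELECTORS[selector];
  if (!sig) return { selector, name: "(unknown selector)", args: [] };
  const body = hex.slice(8);
  if (body.length < sig.types.length * 64) throw new Error("calldata truncated for " + sig.name);
  const args = sig.types.map((t, i) => decodeWord(body.slice(i * 64, (i + 1) * 64), t));
  return { selector, name: sig.name, args };
}

// Classify a wallet request from the signer's point of view.
function classifyRequest(tx) {
  const d = decodeCalldata(tx.data);
  const from = (tx.from || "").toLowerCase();
  if (d.selector === "0xa22cb465" && d.args[1] === true) {
    return { risk: "critical", decoded: d,
      reason: `setApprovalForAll makes ${d.args[0]} an operator for every token you hold on ${tx.to}` };
  }
  if (d.selector === "0x095ea7b3") {
    return { risk: "high", decoded: d,
      reason: `approve lets ${d.args[0]} move token ${d.args[1]} on ${tx.to}` };
  }
  if ((d.selector === "0x23b872dd" || d.selector === "0x42842e0e") && d.args[0] === from) {
    return { risk: "critical", decoded: d,
      reason: `transfers token ${d.args[2]} out of your wallet to ${d.args[1]}` };
  }
  if (d.selector === null) {
    return { risk: "low", decoded: d, reason: "plain value transfer, no contract call" };
  }
  return { risk: "unverified", decoded: d,
    reason: "decode against the contract's published ABI before signing" };
}

// The request a victim of the fake mint page would be shown.
const FAKE_MINT_TX = {
  from: VICTIM, to: NFT_CONTRACT, value: "0x0",
  data: encodeSetApprovalForAll(ATTACKER, true),
};

console.log(classifyRequest(FAKE_MINT_TX));
```

Note what the decoder does not tell you: a real mint has no standard selector, so an honest request will often land in the "unverified" bucket. The useful signal is the reverse one: a "mint" that decodes to setApprovalForAll, approve, or a transfer out of your own address is never a mint, whatever the page says, and that is exactly the approval record SlowMist found these sites harvesting.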
SlowMist’s research on the phishing scam
SlowMist stressed that this is only the “tip of the iceberg,” since the research examined only a small share of the material and recovered just some of the North Korean hackers’ phishing traits; it shared the findings in a thread on Twitter.
https://twitter.com/SlowMist_Team/status/1606651673023242241
In its thread, SlowMist said there were multiple attack vectors but that it would focus on NFT phishing for confidentiality and security reasons. It referred to a September 4 tweet by the Twitter user PhantomXsec that attributed crypto phishing campaigns spanning over 190 domains to the North Korean APT group.
For instance, one phishing address collected 1,055 NFTs and earned almost 300 Ether, about $367,000, by selling them. SlowMist also stated that the Naver phishing operation, first reported by Prevailion on March 15, was carried out by the same North Korean APT group.
In 2022, North Korea was the focal point of a number of cryptocurrency theft operations. South Korea’s National Intelligence Service (NIS) reported on December 22 that North Korea had stolen cryptocurrency worth $620 million this year alone.
Japan’s National Police Agency warned the nation’s crypto-asset businesses in October to be on guard against the North Korean hacking group. SlowMist recommends improving security awareness and the ability to recognise such threats as the way to avoid falling victim to phishing attempts.