Todayq News

North Korea’s Lazarus group strikes again; target NFTs by mimicking popular marketplaces

By Om Labde, 26 December 2022, 12:38 PM

Nearly 500 phishing sites are being used by hackers connected to North Korea’s Lazarus Group in a large phishing effort that targets investors in non-fungible tokens (NFT).

On December 24, blockchain security company SlowMist published a study outlining the methods used by North Korean APT organizations to separate NFT investors from their NFTs, including bogus websites impersonating various NFT-related platforms and initiatives.

These bogus websites, which impersonate well-known NFT marketplaces like OpenSea, X2Y2, and Rarible, include one that pretends to be a World Cup project and others that counterfeit other well-known NFT projects.

One of the strategies, according to SlowMist, is to have these bogus websites offer “malicious Mints,” which trick victims into believing that they are minting a genuine NFT by linking their wallet to the website. But the NFT is basically a scam, and the victim’s wallet is now open to the hacker, who has gained access to it.

The analysis also showed that a large number of phishing websites shared the same Internet Protocol (IP) address, with 372 NFT phishing websites sharing a single IP and another 320 NFT phishing websites using a different IP.
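The shared-IP finding above is the kind of infrastructure pivot a defender can reproduce on their own DNS or proxy logs. The following is an added example, not code from SlowMist or from this article: it groups observed domains by resolved IP and reports addresses hosting several lookalikes of the marketplaces named above. The records, the allow-list of legitimate domains and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Brands the article says were impersonated.
BRANDS = ("opensea", "x2y2", "rarible")
# Assumed allow-list of legitimate domains (not taken from the article).
LEGIT = {"opensea.io", "x2y2.io", "rarible.com"}

# Constructed passive-DNS style records: (domain, resolved IP).
# IPs come from the RFC 5737 documentation ranges.
RECORDS = [
    ("opensea-mint.example", "192.0.2.10"),
    ("x2y2-claim.example", "192.0.2.10"),
    ("rarible-drop.example", "192.0.2.10"),
    ("worldcup-nft.example", "192.0.2.10"),
    ("opensea.io", "198.51.100.7"),
    ("blog.example", "198.51.100.7"),
    ("0pensea-free.example", "203.0.113.5"),
]

def normalize(name):
    """Undo common digit-for-letter swaps used in lookalike names."""
    return name.translate(str.maketrans("013457", "oieast"))

def impersonates(domain):
    """Return the brand a non-allow-listed domain imitates, else None."""
    if domain in LEGIT:
        return None
    name = normalize(domain.lower())
    return next((b for b in BRANDS if b in name), None)

def cluster_by_ip(records, min_hits=2):
    """Group domains by IP; report IPs hosting >= min_hits lookalikes."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain)
    report = {}
    for ip, domains in by_ip.items():
        hits = {d: impersonates(d) for d in domains if impersonates(d)}
        if len(hits) >= min_hits:
            # Co-hosted domains without a brand match still deserve review.
            report[ip] = {"lookalikes": hits,
                          "co_hosted": sorted(domains - set(hits))}
    return report

if __name__ == "__main__":
    for ip, info in cluster_by_ip(RECORDS).items():
        print(ip, info)
```

The `co_hosted` list is where a themed site such as the World Cup impersonation would surface: it matches no marketplace brand but sits on the same address as the sites that do.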

According to SlowMist, the phishing campaign has been going on for a while; the earliest domain name was registered roughly seven months ago.

Along with attaching photographs to target projects, other phishing techniques included gathering visitor information and saving it to external websites.

The hacker would then employ different attack scripts on the victim after obtaining the visitor’s data, giving them access to the victim’s access records, authorizations, use of plug-in wallets, and sensitive data such as the victim’s approved record and sigData. The hacker can then access the victim’s wallet using all this information, exposing all of their digital assets.

As the research only looked at a small percentage of the materials and just “some” of the phishing traits of the North Korean hackers were recovered, SlowMist stressed that this is only the “tip of the iceberg.” For instance, SlowMist noted that one phishing address was able to net 1,055 NFTs and 300 ETH, totaling $367,000, through its phishing techniques.

On the other hand, North Korean IT specialists “target freelance contracts from firms situated in wealthier nations,” according to a 16-page US warning published in May. They commonly assume the identities of East European, Chinese, South Korean, or Japanese teleworkers with US addresses.
