
North Korean Hackers Use 500 Phishing Domains to Steal NFTs, Report Says


  • Hackers linked to North Korea’s Lazarus Group are behind a phishing campaign targeting NFT investors and stealing their NFTs through fake websites.
  • The campaign has used 500 domains and has been active for at least 7 months, according to blockchain security firm SlowMist.
  • SlowMist identified several traits of the phishing scams, including recording visitor data and requesting NFT item price lists, and recommends users strengthen their security knowledge to avoid falling victim to such attacks.

Blockchain security firm SlowMist recently revealed that hackers linked to North Korea's Lazarus Group are behind a massive phishing campaign that uses 500 domains to dupe victims and target their NFTs.

According to the security firm, the North Korean Advanced Persistent Threat (APT) group targets NFT investors and steals their NFTs through websites disguised as a variety of NFT-related platforms and projects.

"Upon further investigation, we found that one of the techniques used in this phishing attack involved creating fake NFT-related decoy websites with malicious Mints. These NFTs were sold on platforms such as OpenSea, X2Y2, and Rarible," SlowMist explained.


Recently, during the FIFA World Cup Championships, a site that pretended to be associated with it emerged. And as per the investigation of the firm, "by checking the registration information of these domain names, we found that the earliest registration date was traced back to 7 months ago."


There were also four traits of these phishing scams as identified by the firm, namely:

  • Phishing websites record visitor data and save it to external sites. The hacker records visitors' information to an external domain through an HTTP GET request. Although the domain names sending the request differ, the API interface of the request is always "/postAddr.php". The general format is "https://nserva.live/postAddr.php?mmAddr=…[Metamask]…&accessTime=xxx&url=evil.site", where the parameter mmAddr records the visitor's wallet address, accessTime records the visitor's visit time, and url records the phishing website link the visitor is currently on.
  • The phishing website requests an NFT item price list; the HTTP request path is usually "getPriceData.php".
  • There is a file "imgSrc.js" linking images to the target project, which contains a list of target sites and the hosting location of the image files used on their corresponding phishing sites. This file may be part of the phishing site template.
  • The main domain name used by the APT group to monitor user requests is "thedoodles.site", which was mainly used to record user data in the early days of the group's activities.
LOOK: SlowMist shows an account where the hacker was able to receive a total of 1,055 NFTs and made off with a profit of approximately 300 ETH through their sales.

"The HTTPS certificate for this domain name was queried 7 months ago, indicating that the hacker organization had already begun targeting NFT users at that time," SlowMist clarified.

Although the blockchain security firm said it cannot disclose everything its investigation found, for privacy reasons, it did reveal that the phishing sites cluster by hosting IP: 372 NFT phishing sites are hosted under a single IP, and a further 20 NFT phishing sites are associated with a different IP address.
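The indicators above (the /postAddr.php beacon with its mmAddr, accessTime and url parameters, the getPriceData.php and imgSrc.js paths, and the two named domains) and the shared-hosting observation in the preceding paragraph can be turned into a simple defensive check. The following is an added example, not code from the article or from SlowMist: it flags web-proxy log lines that match the beacon pattern, pulls out the wallet address and the phishing site the beacon reports, and then groups the flagged hosts by server IP the way the report pivots on a single hosting address. The log line format, the client and server IPs (documentation ranges) and the wallet address are all constructed for the example.

```python
"""Flag proxy log lines matching the NFT-phishing beacon pattern from the
SlowMist report and pivot the hits on hosting IP.

Added example, not code from the article or from SlowMist. The indicator
paths, parameter names and domains are those quoted in the report; the log
format, IPs and wallet address below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicators quoted in the report: visitor-logging endpoint, price-list
# endpoint, image-map script, and the two domains it names.
BEACON_PATHS = ("/postaddr.php", "/getpricedata.php", "/imgsrc.js")
BEACON_PARAMS = {"mmAddr", "accessTime", "url"}
KNOWN_DOMAINS = {"nserva.live", "thedoodles.site"}

# Constructed log format (assumption): "<client_ip> <server_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")

# Constructed sample lines. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges; the wallet address is a placeholder, not a real account.
FAKE_WALLET = "0x" + "ab" * 20
SAMPLE_LOGS = [
    f"10.0.0.5 203.0.113.10 GET https://nserva.live/postAddr.php?mmAddr={FAKE_WALLET}&accessTime=1670000000&url=evil.site",
    "10.0.0.7 203.0.113.10 GET https://lookalike-mint.example/getPriceData.php",
    "10.0.0.8 203.0.113.44 GET https://cdn.example/static/imgSrc.js",
    "10.0.0.9 198.51.100.3 GET https://opensea.io/collection/doodles",
    f"10.0.0.5 203.0.113.10 GET https://another-mint.example/postAddr.php?mmAddr={FAKE_WALLET}&accessTime=1670000500&url=another-mint.example",
]


def classify(line):
    """Return a hit record if the line matches the beacon pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client_ip, server_ip, _method, url = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    params = parse_qs(parts.query)

    reasons = []
    if host in KNOWN_DOMAINS:
        reasons.append("known-domain")
    if any(path.endswith(p) for p in BEACON_PATHS):
        reasons.append("beacon-path")
    # All three parameters together is the strongest signal: this is the
    # visitor-tracking call itself, and it tells us which wallet visited
    # which phishing site, so the site can be blocked and the user warned.
    if BEACON_PARAMS.issubset(params):
        reasons.append("beacon-params")
    if not reasons:
        return None

    return {
        "client_ip": client_ip,
        "server_ip": server_ip,
        "host": host,
        "reasons": reasons,
        "wallet": params.get("mmAddr", [None])[0],
        "phishing_site": params.get("url", [None])[0],
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


def group_by_server_ip(hits):
    """Pivot hits on server IP: many phishing hosts behind one address is the
    clustering the report describes (372 sites under a single IP)."""
    groups = defaultdict(set)
    for hit in hits:
        groups[hit["server_ip"]].add(hit["host"])
    return dict(groups)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for hit in found:
        print(hit["client_ip"], hit["host"], hit["reasons"], hit["phishing_site"])
    for ip, hosts in group_by_server_ip(found).items():
        print(ip, sorted(hosts))
```

The "beacon-path" match on imgSrc.js alone is a weak signal (the file name is generic), so in practice a hit with only that reason is a candidate for review rather than an automatic block; a hit carrying "beacon-params" identifies both the affected wallet and the phishing site and is the one to act on first.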


"SlowMist advises users to strengthen their understanding of security knowledge and further enhance their ability to identify phishing attacks in order to avoid falling victim to such attacks. For additional security information, we recommend reading the 'Blockchain Dark Forest Self-Help Handbook,'" SlowMist concluded.

This article is published on BitPinas: North Korean Hackers Use 500 Phishing Domains to Steal NFTs, Report Says

Disclaimer: BitPinas articles and its external content are not financial advice. The team serves to deliver independent, unbiased news to provide information for Philippine-crypto and beyond.