The notorious Lazarus Group of North Korea, known for instigating cyberattacks, has once again drawn attention after launching two consecutive attacks on the NFT industry. The group has built around 500 phishing domains, which it uses to deceive unwary NFT buyers.
On December 24, the blockchain security company SlowMist published a report outlining the tactics used by North Korean Advanced Persistent Threat (APT) groups to separate NFT investors from their NFTs, including fraudulent websites impersonating various NFT-related platforms and projects. These fraudulent websites, which imitate well-known NFT markets like OpenSea, X2Y2, and Rarible, include one that pretends to be a World Cup project and others that counterfeit other well-known NFT projects.
According to SlowMist, one of the tactics employed by the fake websites was to offer “malicious Mints,” which trick consumers into thinking they are minting a legitimate NFT by connecting their wallet to the website. Since the NFT is in fact a scam, the victim’s wallet is then exposed to the hacker, who has gained access to it.
The report also mentioned that a large number of phishing websites shared the same Internet Protocol (IP), with 372 NFT phishing websites sharing a single IP and another 320 NFT phishing websites using a different IP. SlowMist revealed that the phishing campaign had been underway for some months, with the first registered domain name coming roughly seven months ago.
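The shared-IP observation above is a useful pivot for defenders: phishing domains that resolve to the same host can be grouped into a campaign, and registration dates give its age. The following is an added example written for this page (not code from SlowMist or the article) that clusters domains by hosting IP, flags brand lookalikes, and computes how long a cluster has been active. The records, IPs (RFC 5737 documentation ranges) and dates are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data, not taken from the SlowMist report:
# (domain, hosting IP, registration date). IPs are documentation addresses.
SAMPLE_RECORDS = [
    ("opensea-mint-event.example", "192.0.2.10", date(2022, 5, 20)),
    ("x2y2-airdrop.example",       "192.0.2.10", date(2022, 6, 2)),
    ("rarible-worldcup.example",   "192.0.2.10", date(2022, 6, 15)),
    ("worldcup-nft-claim.example", "198.51.100.7", date(2022, 11, 1)),
    ("free-mint-drop.example",     "198.51.100.7", date(2022, 11, 3)),
    ("my-personal-blog.example",   "203.0.113.44", date(2019, 1, 9)),
]

# Brand names the report says were impersonated.
KNOWN_BRANDS = ("opensea", "x2y2", "rarible")


def cluster_by_ip(records, min_size=2):
    """Group domains by the IP they resolve to; keep clusters of min_size or more.

    Returns {ip: sorted list of domains}. Single-domain hosts are dropped so
    ordinary shared hosting does not drown out campaign infrastructure.
    """
    by_ip = defaultdict(list)
    for domain, ip, _registered in records:
        by_ip[ip].append(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items() if len(domains) >= min_size}


def brand_lookalikes(records, brands=KNOWN_BRANDS):
    """Return {domain: [matched brands]} for domains embedding a known brand name."""
    hits = {}
    for domain, _ip, _registered in records:
        matched = [b for b in brands if b in domain.lower()]
        if matched:
            hits[domain] = matched
    return hits


def campaign_age_days(records, ip, today):
    """Days since the earliest registration among domains on the given IP."""
    dates = [registered for _d, rip, registered in records if rip == ip]
    if not dates:
        return None
    return (today - min(dates)).days


def summarize(records, today):
    """Combine the three checks into one report dict keyed by cluster IP."""
    lookalikes = brand_lookalikes(records)
    summary = {}
    for ip, domains in cluster_by_ip(records).items():
        summary[ip] = {
            "domains": domains,
            "lookalike_count": sum(1 for d in domains if d in lookalikes),
            "age_days": campaign_age_days(records, ip, today),
        }
    return summary


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_RECORDS, date(2022, 12, 24)).items():
        print(f"{ip}: {len(info['domains'])} domains, "
              f"{info['lookalike_count']} brand lookalikes, active {info['age_days']} days")
```

In practice the records would come from passive DNS and WHOIS/RDAP lookups; the clustering logic is the same, and a cluster of many freshly registered brand-lookalike domains on one IP is a strong blocklisting signal.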
Other phishing tactics included capturing visitor data and storing it on external sites, and tying images to specific projects. Once the hacker had the visitor’s data, they would use a wide range of attack scripts against the victim, gaining access to their plug-in wallets, authorizations, and access records, as well as sensitive information such as their approve record and sigData. With all this information, the hacker could then access the victim’s wallet and compromise all of their digital assets.
Because the research examined only a tiny fraction of the materials, and only “some” of the North Korean hackers’ phishing traits were recovered, SlowMist emphasized that this is only the “tip of the iceberg.” More information regarding these attacks will hopefully surface in the coming weeks.