NFT investors should beware. Hackers linked to North Korea's Lazarus Group are conducting a massive phishing campaign, impersonating NFT marketplaces, NFT projects and even a DeFi platform.
Blockchain security firm SlowMist released the results of an investigation on North Korean Advanced Persistent Threat (APT) groups and the tactics they employ to target NFT users.
The study revealed that North Korean hackers from Lazarus Group have deployed nearly 500 decoy websites disguised as NFT platforms and projects. Such fake websites use household brand names to mislead investors. For instance, the security firm discovered one pseudo resource pretending to be associated with the World Cup, as well as numerous sites impersonating large NFT marketplaces such as OpenSea, X2Y2 and Rarible.
Some of these deceptive websites employ the "malicious Mints" scheme. Victims believe they are minting a legitimate NFT and connect their wallet to the website. The NFT is fraudulent, however, and the transaction the victim approves gives the hacker full access to the victim's wallet.
Other phishing tactics include recording visitor data and saving it to external sites or linking images to target projects. Upon obtaining the visitor’s data, hackers run various attack scripts on the victim. As a result, malefactors get access to the victim’s access records, authorizations, sigData, and the use of plug-in wallets.
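The "malicious mint" pattern above works because the transaction the victim signs is not a mint at all but an approval that hands an attacker-controlled address operator rights over the wallet's tokens. The following added example (not code from SlowMist or from the article) shows the kind of pre-signing check a wallet or browser extension can run on raw EVM calldata: it decodes the 4-byte function selector and the ABI-encoded arguments and flags `setApprovalForAll(…, true)` and unlimited `approve` calls. The two selectors are the standard ERC-20/ERC-721 ones; the operator address and the calldata blobs are constructed for the example.

```python
"""Inspect EVM transaction calldata before signing and flag approval-style calls."""

UINT256_MAX = (1 << 256) - 1

# First 4 bytes of keccak256(signature) for the two standard approval functions.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155
    "095ea7b3": "approve(address,uint256)",         # ERC-20 (and ERC-721 single token)
}


def _words(data: bytes) -> list[bytes]:
    """Split the ABI argument area (everything after the selector) into 32-byte words."""
    body = data[4:]
    if len(body) % 32:
        raise ValueError("calldata body is not 32-byte aligned")
    return [body[i:i + 32] for i in range(0, len(body), 32)]


def _as_address(word: bytes) -> str:
    """An ABI-encoded address is right-aligned in its word: the last 20 bytes."""
    return "0x" + word[-20:].hex()


def inspect_calldata(calldata: str) -> dict:
    """Return the decoded function, its arguments and a coarse risk label."""
    raw = calldata[2:] if calldata.startswith("0x") else calldata
    data = bytes.fromhex(raw)
    if len(data) < 4:
        return {"function": None, "selector": None, "args": {}, "risk": "unknown"}
    selector = data[:4].hex()
    sig = SELECTORS.get(selector)
    if sig is None:
        # Not one of the approval functions we know; a mint would usually land here.
        return {"function": None, "selector": selector, "args": {}, "risk": "unknown"}

    words = _words(data)
    if sig.startswith("setApprovalForAll"):
        operator = _as_address(words[0])
        approved = int.from_bytes(words[1], "big") != 0
        args = {"operator": operator, "approved": approved}
        # Granting operator status hands every token in the collection to `operator`.
        risk = "high" if approved else "low"
    else:
        spender = _as_address(words[0])
        amount = int.from_bytes(words[1], "big")
        args = {"spender": spender, "amount": amount}
        # An unlimited allowance is the classic drainer pattern; a bounded one is more benign.
        risk = "high" if amount == UINT256_MAX else "medium"
    return {"function": sig, "selector": selector, "args": args, "risk": risk}


# Constructed sample data: a fake "mint" button that really sends setApprovalForAll(attacker, true).
FAKE_OPERATOR = "ab" * 20  # constructed placeholder address, not a real attacker address
FAKE_MINT_CALLDATA = "0x" + "a22cb465" + FAKE_OPERATOR.rjust(64, "0") + "1".rjust(64, "0")

# Constructed sample data: an unrelated call with a made-up selector and one uint256 argument.
BENIGN_CALLDATA = "0x" + "12345678" + "2".rjust(64, "0")


if __name__ == "__main__":
    for label, cd in (("fake mint", FAKE_MINT_CALLDATA), ("other call", BENIGN_CALLDATA)):
        result = inspect_calldata(cd)
        print(f"{label}: function={result['function']} risk={result['risk']} args={result['args']}")
```

A wallet that surfaces "this 'mint' is actually `setApprovalForAll` to an unknown address" instead of a generic "confirm transaction" prompt removes most of the trick's effectiveness; the same decoder can also be pointed at a wallet's historical transactions to find approvals that should be revoked.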
Interestingly, many of the discovered phishing websites operated from the same IP address. One of the fraudsters' IPs hosted 372 NFT phishing websites and another hosted 320. The earliest registered phishing domain of this kind appeared about seven months ago.
The ill-gotten gains of one phishing address alone amounted to 1,055 NFTs and 300 ETH, worth $367,000.
We have previously reported that of the $620 million in crypto stolen by North Korean hacking groups this year, none affected South Korean users, thanks to enhanced KYC policies.