Hackers linked to North Korea’s Lazarus Group are reportedly behind a massive phishing campaign targeting nonfungible token (NFT) investors — utilizing nearly 500 phishing domains to dupe victims.
Blockchain security firm SlowMist released a report on Dec. 24, revealing the tactics that North Korean Advanced Persistent Threat (APT) groups have used to part NFT investors from their NFTs, including decoy websites disguised as a variety of NFT-related platforms and projects.
Examples of these fake websites include a site pretending to be a project associated with the World Cup, as well as sites that impersonate well-known NFT marketplaces such as OpenSea, X2Y2 and Rarible.
SlowMist said one of the tactics used was having these decoy websites offer “malicious Mints,” which involves deceiving the victims into thinking they are minting a legitimate NFT by connecting their wallet to the website.
However, the NFT is actually fraudulent, and the victim’s wallet is left vulnerable to the hacker who now has access to it.
The report also revealed that many of the phishing websites operated under the same Internet Protocol (IP) address, with 372 NFT phishing websites under a single IP and another 320 NFT phishing websites associated with another IP.
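The two infrastructure signals above, brand-impersonating domain names and many such domains resolving to one IP, are exactly what a defender can pivot on. The following Python snippet is an added example and not code from SlowMist or the article: it takes constructed domain-to-IP records (the domains and RFC 5737 test IPs are made up, not the report's indicators), flags labels that copy or typosquat the brands the article names, and reports IPs hosting several such lookalikes.

```python
# Added example, not from the SlowMist report: cluster constructed passive-DNS style
# records by hosting IP and flag lookalike NFT-brand domains. Values are constructed, not real IoCs.
from collections import defaultdict
import re

# Brands the article says were impersonated (OpenSea, X2Y2, Rarible, World Cup).
BRANDS = ("opensea", "x2y2", "rarible", "worldcup")

def registrable_label(domain: str) -> str:
    """Return the second-level label, e.g. 'opensea-drop' from 'mint.opensea-drop.xyz'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonated_brand(domain: str):
    """Return the brand a domain imitates, or None for an unrelated domain."""
    label = registrable_label(domain)
    for tok in re.split(r"[-_]", label):   # 'opensea-drop' -> ['opensea', 'drop']
        for brand in BRANDS:
            if tok == brand or (len(tok) >= 4 and edit_distance(tok, brand) == 1):
                return brand
    return None

def cluster_by_ip(records, min_domains=3):
    """Group lookalike domains by hosting IP; return IPs hosting >= min_domains of them."""
    by_ip = defaultdict(list)
    for domain, ip in records:
        if impersonated_brand(domain):
            by_ip[ip].append(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}

# Constructed sample records (domain, resolved IP); IPs are RFC 5737 documentation addresses.
SAMPLE = [
    ("opensea-mint.xyz", "192.0.2.10"), ("x2y2-drop.com", "192.0.2.10"),
    ("rarib1e.io", "192.0.2.10"), ("worldcup-nft.net", "192.0.2.10"),
    ("0pensea.com", "198.51.100.7"), ("example.org", "198.51.100.7"),
]
if __name__ == "__main__":
    for ip, domains in cluster_by_ip(SAMPLE).items():
        print(f"{ip}: {len(domains)} lookalike domains -> {domains}")
```

Only the first IP crosses the threshold; the single typosquat on the second IP is flagged as a lookalike but not reported as a cluster.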
Figure: An example phishing website. Source: SlowMist
SlowMist said the phishing campaign has been ongoing for several months, noting that the earliest registered domain name came about seven months ago.
Other phishing tactics used included recording visitor data and saving it to external sites, as well as linking images to target projects.
After the hacker was able to obtain the visitor’s data, they would then proceed to run various attack scripts on the victim, which would give the hacker access to the victim’s access records, authorizations and use of plug-in wallets, as well as sensitive data such as the victim’s approve record and sigData.
All this information then gives the hacker access to the victim’s wallet, exposing all their digital assets.
However, SlowMist emphasized that…