North Korea Becomes Epicentre for NFT Thefts via 500 Phishing Domains: SlowMist
North Korea’s notorious Lazarus Group, infamous for its cyber-attacks, has once again come under the spotlight for hitting the NFT sector with back-to-back attacks. The group has set up around 500 phishing domains through which it dupes unsuspecting victims, mostly enthusiastic NFT buyers. The claims against the Lazarus Group appear in a recent report by SlowMist, a blockchain security firm. The report highlights that this NFT theft campaign has been running for months, with the earliest malicious domain registered around May-June.
NFTs, or non-fungible tokens, are blockchain-based digital collectibles, most of which are also usable in compatible metaverse experiences. NFTs are often valuable; minting them on a blockchain transfers complete ownership of the virtual collectible to the buyer, and they are held in crypto wallets.
The Lazarus Group has been deploying ‘decoy websites’ that pose as legitimate NFT projects in order to lure users into engaging with these malicious sites.
“Phishing websites will record visitor data and save it to external sites. The hacker records visitors’ information to an external domain through an HTTP GET request. Our investigation revealed that the hackers utilised multiple tokens, such as WETH, USDC, DAI, and UNI, etc. in their phishing attacks,” said the official post from SlowMist.
One technique involved creating fake NFT-related websites with malicious Mints to steal NFTs. They used nearly 500 different domain names and sold them on platforms such as @OpenSea, @X2Y2, and @rarible.
One of the earliest incidents can be traced back to 7 months ago. pic.twitter.com/4COsMuR80x
— SlowMist (@SlowMist_Team) December 24, 2022
This year, although not an especially profitable one for the NFT industry, still saw several scammers flock to the sector to conduct attacks.
Last week, for instance, anti-theft platform Harpie said that a new kind of scam targeting OpenSea visitors offers ‘gasless sales’ on the platform and eventually redirects victims to phishing sites.
As part of the reportedly ongoing scam, hackers trick people into signing an unreadable message. Gasless NFT listings are likely to draw first-time buyers into approving the signature request.
In its report, SlowMist said that North Korea’s Advanced Persistent Threat (APT) groups have been leaving victims’ wallets susceptible to further attacks.
🚨SlowMist Security Alert🚨
North Korean APT group targeting NFT users with large-scale phishing campaign
This is just the tip of the iceberg. Our thread only covers a fraction of what we’ve discovered.
Let’s dive in pic.twitter.com/DeHq1TTrrN
— SlowMist (@SlowMist_Team) December 24, 2022
Beyond traditional phishing, scammers have also been using the ice-phishing technique to steal digital collectibles used across the Web3 sector.
Last week, 14 NFTs from the expensive and famous Bored Ape Yacht Club (BAYC) collection were stolen in an ice-phishing attack.
Ice phishing scams are cyber-attacks that trick Web3 users into manually signing approvals that grant malicious actors permission to spend their tokens.
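As an added illustration, not code from SlowMist, Harpie or the article, the following JavaScript shows what a wallet-side check for the ice-phishing pattern described above looks like: it decodes the calldata behind an approval prompt and flags the two grants ice phishing depends on, an unlimited ERC-20 `approve` and an ERC-721 `setApprovalForAll`, and it treats an opaque `eth_sign` request as the “unreadable message” case from the Harpie paragraph. The function selectors are the standard 4-byte ABI prefixes of those methods; the addresses, calldata and the `assessSignRequest` helper are constructed for this example.

```javascript
// Added example, not code from SlowMist or the article: inspect what a wallet is
// actually being asked to sign and flag the approval patterns ice phishing relies on.
// Function selectors are the standard 4-byte ABI prefixes of the ERC-20/ERC-721
// methods; the addresses and calldata below are constructed sample values.

const SELECTORS = {
  "095ea7b3": { name: "approve(address,uint256)", kind: "allowance" },
  "a22cb465": { name: "setApprovalForAll(address,bool)", kind: "operator" },
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Return the i-th 32-byte ABI word after the selector as a hex string.
function abiWord(hex, i) {
  return hex.slice(8 + i * 64, 8 + (i + 1) * 64);
}

// Decode transaction calldata and rate the approval it would grant.
function decodeApproval(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) {
    return { risk: "unknown", reason: "malformed calldata" };
  }
  const abi = SELECTORS[hex.slice(0, 8)];
  if (!abi) return { risk: "unknown", reason: "not an approval call" };
  if (hex.length !== 8 + 2 * 64) {
    return { risk: "unknown", reason: "unexpected argument length" };
  }

  const target = "0x" + abiWord(hex, 0).slice(24); // address is the low 20 bytes of the word
  const value = BigInt("0x" + abiWord(hex, 1));

  if (abi.kind === "operator") {
    const approved = value === 1n;
    return {
      call: abi.name, operator: target, approved,
      risk: approved ? "high" : "none",
      reason: approved ? "operator may transfer every token in the collection" : "revokes operator",
    };
  }
  const unlimited = value === MAX_UINT256;
  return {
    call: abi.name, spender: target, amount: value.toString(),
    risk: unlimited ? "high" : "medium",
    reason: unlimited ? "unlimited allowance" : "bounded allowance",
  };
}

// Rate a raw wallet RPC request (hypothetical helper): opaque eth_sign is the
// "unreadable message" case, eth_sendTransaction is decoded, anything else is
// left for the user to read.
function assessSignRequest(request) {
  if (request.method === "eth_sign") {
    return { risk: "high", reason: "eth_sign over an opaque hash; contents cannot be reviewed" };
  }
  if (request.method === "eth_sendTransaction") {
    const tx = request.params && request.params[0] ? request.params[0] : {};
    return Object.assign({ to: tx.to }, decodeApproval(tx.data || "0x"));
  }
  return { risk: "unknown", reason: `method ${request.method} not decoded here` };
}

// Constructed samples (not real addresses or transactions).
const SPENDER = "1111111111111111111111111111111111111111";
const OPERATOR = "2222222222222222222222222222222222222222";
const APPROVE_MAX = "0x095ea7b3" + "0".repeat(24) + SPENDER + "f".repeat(64);
const SET_APPROVAL_ALL = "0xa22cb465" + "0".repeat(24) + OPERATOR + "0".repeat(63) + "1";

if (typeof require !== "undefined" && require.main === module) {
  for (const data of [APPROVE_MAX, SET_APPROVAL_ALL, "0xdeadbeef"]) {
    console.log(assessSignRequest({ method: "eth_sendTransaction", params: [{ to: "0x" + OPERATOR, data }] }));
  }
  console.log(assessSignRequest({ method: "eth_sign", params: ["0x" + SPENDER, "0xabc"] }));
}
```

Run with `node` to print the decoded verdicts: the unlimited `approve` and the `setApprovalForAll(..., true)` both come back as high risk, while calldata that is not an approval is reported as unknown rather than safe, since a checker should only vouch for what it can decode.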
In traditional phishing scams, hackers steal private keys or passwords by luring unsuspecting people into clicking malicious links or visiting infected fake websites.