Северокорейские хакеры похищают НФТ, используя почти 500 фишинговых доменов

Hackers linked to North Korea’s Lazarus Group are reportedly behind a massive phishing campaign targeting non-fungible token (NFT) investors — utilizing nearly 500 phishing domains to dupe victims.

Blockchain security firm SlowMist released a report on Dec. 24, revealing the tactics that North Korean Advanced Persistent Threat (APT) groups have used to part NFT investors from their NFTs, including decoy websites disguised as a variety of NFT-related platforms and projects.

Examples of these fake websites include a site pretending to be a project associated with the World Cup, as well as sites that impersonate well-known NFT marketplaces such as OpenSea, X2Y2 and Rarible.

SlowMist said one of the tactics used was having these decoy websites offer “malicious Mints,” which involves deceiving the victims into thinking they are minting a legitimate NFT by connecting their wallet to the website.

However, the NFT is actually fraudulent, and the victim’s wallet is left vulnerable to the hacker who now has access to it.

The report also revealed that many of the phishing websites operated under the same Internet Protocol (IP), with 372 NFT phishing websites under a single IP, and another 320 NFT phishing websites associated with another IP.

An example phishing website Source: SlowMist

SlowMist said the phishing campaign has been ongoing for several months, noting that the earliest registered domain name came about seven months ago.

Other phishing tactics used included recording visitor data and saving it to external sites as well as linking images to target projects.

After the hacker was about to obtain the visitor’s data, they would then proceed to run various attack scripts on the victim, which would allow the hacker access to the victim’s access records, authorizations, use of plug-in wallets, as well as sensitive data such as the victim’s approve record and sigData.

All this information then enables the hacker access to the victim’s wallet, exposing all their digital assets.

However, SlowMist emphasized that this is just the “tip of the iceberg,» as the analysis only looked at a small portion of the materials and extracted “some” of the phishing characteristics of the North Korean hackers.

Quote.

SlowMist Security Alert

North Korean APT group targeting NFT users with large-scale phishing campaign

This is just the tip of the iceberg. Our thread only covers a fraction of what we’ve discovered.

Let’s dive in pic.twitter.com/DeHq1TTrrN

— SlowMist (@SlowMist_Team) December 24, 2022

End of Quote.

For example, SlowMist highlighted that just one phishing address alone was able to gain 1,055 NFTs and profit 300 ETH, worth $367,000, through its phishing tactics.

Она добавила, что та же северокорейская APT-группа также ответственна за фишинговую кампанию Naver, которая была задокументирована Prevailion 15 марта.

Северная Корея была в центре различных преступлений по краже криптовалюты в 2022 году.

Согласно сообщению, опубликованному Национальной разведывательной службой Южной Кореи (NIS) 22 декабря, только в этом году Северная Корея украла криптовалюты на сумму 620 миллионов долларов.

В октябре Национальное полицейское агентство Японии разослало криптовалютным компаниям страны предупреждение, в котором рекомендовало им с осторожностью относиться к северокорейской хакерской группе.