- Phishing tactics by North Korean hackers revealed by SlowMist.
- North Korea is listed as one of the countries with active cryptocurrency crime in 2022.
- The North Korean Advanced Persistent Threat (APT) group has stolen NFTs in the guise of phishing websites.
While the world was celebrating the festive season, a North Korean Advanced Persistent Threat (APT) group was gearing up to commit one of the most heinous crimes known in the industry: stealing NFTs (Non-Fungible Tokens) from NFT investors and projects using 500 malicious phishing websites.
The crypto industry has experienced many scams and thefts this year, and hackers do not appear to be closing up shop for the year: SlowMist, a blockchain security firm, has uncovered a campaign by the North Korean APT group, which has been linked to the cybercrime group ‘Lazarus Group.’
SlowMist released a report alerting everyone to the tactics these criminals used to rob victims of NFTs worth $360,000. The blockchain security firm explained that the cyber-criminals created convincing decoy websites emulating NFT projects and popular NFT marketplaces such as OpenSea, Rarible, X2Y2, and others.
One of the tactics employed by the hackers was tricking unsuspecting NFT investors and traders into interacting with these fake websites, which offered a “malicious mint.” Victims assumed they were minting a genuine NFT, whereas by connecting their wallets to the phishing website they were in fact handing the attackers access to those wallets.
“Upon further investigation, we found that one of the techniques used in this phishing attack involved creating fake NFT-related decoy websites with malicious mints,” SlowMist wrote.
The hackers targeted NFT investors, using almost 500 phishing websites to lure victims into their scheme, and made off with 1,055 NFTs (Non-Fungible Tokens).
According to SlowMist, the North Korean hackers deployed and operated many phishing websites, some pretending to be projects related to the World Cup. The NFTs the investors believed they were minting were fraudulent: the “mint” instead left the investors’ wallets open to the hackers, who then carted away everything in them.
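The “malicious mint” described above works because the wallet signs whatever calldata the site supplies. The following is an added example (not code from the SlowMist report) of a pre-signing check that decodes the calldata of a proposed transaction and flags a supposed mint that is really an ERC-721 approval or transfer; the selectors are the standard ERC-721 ones, and the wallet and operator addresses in the test are constructed placeholders.

```python
# Added example, not from the SlowMist report: decode the calldata a dApp asks a
# wallet to sign and flag a "mint" that is really an ERC-721 approval or transfer.
# Selectors are the first 4 bytes of keccak256(canonical signature); hardcoded
# because the Python stdlib has no keccak256.
ERC721_RISKY = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}

def abi_word(data, index):
    """Return 32-byte ABI word `index` (0-based, after the 4-byte selector) as hex."""
    word = data[8 + index * 64:8 + (index + 1) * 64]
    if len(word) != 64:
        raise ValueError("calldata too short for argument %d" % index)
    return word

def abi_address(data, index):
    """Decode an address argument (right-aligned in its 32-byte word)."""
    return "0x" + abi_word(data, index)[-40:]

def inspect_calldata(calldata, wallet, trusted_operators=()):
    """Classify calldata as OK / DANGER / UNKNOWN with a human-readable detail.
    `wallet` is the signing account; `trusted_operators` are marketplace
    contracts the user knowingly approves (all compared lowercase)."""
    data, wallet = calldata.lower().removeprefix("0x"), wallet.lower()
    trusted = {t.lower() for t in trusted_operators}
    sig = ERC721_RISKY.get(data[:8])
    if sig is None:
        return "UNKNOWN", "selector 0x%s is not an ERC-721 approval/transfer" % data[:8]
    if sig.startswith("setApprovalForAll"):
        operator, approved = abi_address(data, 0), int(abi_word(data, 1), 16) == 1
        if approved and operator not in trusted:
            return "DANGER", "grants %s control of ALL your tokens in this collection" % operator
        return "OK", "%s -> %s" % (sig, operator)
    if sig.startswith("approve"):
        spender, token = abi_address(data, 0), int(abi_word(data, 1), 16)
        if spender not in trusted:
            return "DANGER", "approves %s to move token %d" % (spender, token)
        return "OK", sig
    # transferFrom / safeTransferFrom: a genuine mint never moves a token OUT of the signer.
    src, dst, token = abi_address(data, 0), abi_address(data, 1), int(abi_word(data, 2), 16)
    if src == wallet and dst != wallet:
        return "DANGER", "moves token %d from your wallet to %s" % (token, dst)
    return "OK", sig
```

A wallet or browser extension would run this before showing the signing prompt and warn on any DANGER verdict.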
SlowMist reported that about 372 phishing websites were registered to a single IP address, while another 320 NFT phishing websites were registered to a second IP. The blockchain security firm also affirmed that a background check on the phishing websites showed the earliest domain registrations dated back seven months.
SlowMist identified three traits common to the North Korean hackers’ phishing sites, which the security firm described as follows:
- The phishing domains were built to store victims’ data on external servers: the cyber-criminals recorded the harvested information to an external website using an “HTTP GET” request.
- The phishing domain requested an NFT item price list.
- The phishing site template included a file, “imgScr.js,” that linked images to the impersonated project; it contained a list of the targets and the hosting locations of the image files used on the corresponding phishing websites.
Once a victim’s data was about to be retrieved, several attack scripts were executed against the victim; these scripts gave the hackers access to the victim’s authorizations, sigData, transaction records, and their use of browser plug-in wallets.
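Two of the traits above, the HTTP GET exfiltration of victim data to an external host and the “imgScr.js” template file, are observable from the browser or a web proxy. As an added example (not from the SlowMist report), the following detection logic runs over a constructed proxy log; the hostnames, log format and field names are assumptions for illustration, not indicators from the report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of a web-proxy log, one request per line:
# "<host of the page the user is on> <method> <URL the page requested>".
# Hostnames are placeholders, not real infrastructure from the report.
SAMPLE_LOG = """\
mint-worldcup.example GET https://mint-worldcup.example/static/imgScr.js
mint-worldcup.example GET https://collector.example/log?addr=0x%s&sig=0x%s
mint-worldcup.example GET https://mint-worldcup.example/api/prices?collection=wc22
opensea.io GET https://opensea.io/assets/ethereum/0x%s/1
""" % ("ab" * 20, "cd" * 65, "ab" * 20)

ETH_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")
HEX_BLOB = re.compile(r"^0x[0-9a-fA-F]{128,}$")  # 65-byte ECDSA signature or longer

def analyse_request(page_host, method, url):
    """Return a list of findings for one request issued by a page."""
    findings = []
    parts = urlsplit(url)
    # Trait 3: the template file SlowMist named.
    if parts.path.endswith("/imgScr.js"):
        findings.append("fetched imgScr.js, a file SlowMist tied to the phishing template")
    # Trait 1: victim data pushed to a different host in the query string of a GET.
    if method == "GET" and parts.hostname != page_host:
        for key, values in parse_qs(parts.query).items():
            for value in values:
                if ETH_ADDRESS.match(value):
                    findings.append("wallet address sent to %s in GET param %r" % (parts.hostname, key))
                elif HEX_BLOB.match(value):
                    findings.append("signature-sized hex blob sent to %s in GET param %r" % (parts.hostname, key))
    return findings

def scan_log(text):
    """Return (page_host, finding) pairs for every suspicious request in the log."""
    alerts = []
    for line in text.splitlines():
        page_host, method, url = line.split()
        alerts.extend((page_host, f) for f in analyse_request(page_host, method, url))
    return alerts
```

The same-host price-list request (trait 2) is deliberately not alerted on, since legitimate marketplaces make identical requests; it is only corroborating context once the other two fire.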
2022 has witnessed a surge in crypto crimes from North Korea; with these tactics, the Advanced Persistent Threat group was found to have drained 1,055 NFTs worth 300 ETH through a single phishing website.
Earlier in September, a Twitter user, PhantomXSec, had accused the North Korean APT group of being the mastermind behind NFT and crypto phishing campaigns targeting several SOL and ETH projects.
“North Korean APT group responsible for crypto and NFT phishing campaigns spanning 190 domains… campaign activity began in April and is ongoing,” PhantomXSec said.
Last year, Prevailing also called out the North Korean APT group for running a phishing campaign: “North Korean APT #Lazarus is running a #spearphishing campaign targeting defense companies with advanced malware called #ThreatNeedle.”
How to Avoid Phishing Websites?
1. Be Updated About The Latest Phishing Scams
New phishing methods are developed constantly, and one of the best ways to stay ahead of them and protect yourself and your digital assets is to keep up with each new phishing technique as it emerges.
2. Download an Anti-Phishing Toolbar
Use a browser that supports anti-phishing toolbars or extensions. These run a background check on each website you visit and compare it against lists of known phishing sites.
Conclusion
SlowMist, a blockchain security firm, has uncovered the phishing tactics being employed by the North Korean Advanced Persistent Threat group to steal NFTs from NFT investors and projects. What does this dark cloud that North Korea has cast over the crypto industry mean for its users?