Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime
North Korean Hackers Steal NFTs via Phishing Websites
APT Groups Use 500 Decoy Domains of Popular NFT, DeFi PlatformsNorth Korean attackers are using phishing websites to impersonate popular non-fungible token platforms and decentralized finance marketplaces to steal digital assets worth thousands of dollars.
See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries
The attackers set up nearly 500 decoy sites, including one of a project associated with the World Cup, and NFT marketplaces OpenSea, X2Y2 and Rarible, blockchain security firm SlowMist says. They made off with $365,000 by stealing 1,055 NFTs with just one of those phishing addresses, it says. It did not specify the total value of the stolen assets.
The phishing campaign, active for at least seven months now, is only "the tip of the iceberg," SlowMist says.
The country's advanced persistent threat groups have been on the forefront of cryptocurrency-related heists this year. In September, blockchain analysis company Chainalysis estimated that North Korea-linked groups had stolen about $1 billion of cryptocurrency from DeFi protocols this year, including $600 million from the Ronin Network.
Attack Tactics
In some instances, the attackers created fake NFT-related websites with malicious mints designed to deceive victims. The users connected their wallets to the decoy websites in the hopes of creating an NFT, but instead left their wallets vulnerable, giving the attacker complete access to the assets in them.
The attackers also recorded visitor data and used it to run various attack scripts on the victim, the company says. This enabled the hackers to access the victims' access records, authorizations and use of plug-in wallets, as well as sensitive data such as the victim's approve record and sigData. "All this information then enables the hacker access to the victim's wallet, exposing all their digital assets," SlowMist says.
The adversaries operated predominately under two IP addresses. One hosted 372 NFT phishing websites, and the other hosted 320.