
North Korean Hackers Steal NFTs via Phishing Websites

APT Groups Use 500 Decoy Domains of Popular NFT, DeFi Platforms

North Korean attackers are using phishing websites to impersonate popular non-fungible token platforms and decentralized finance marketplaces to steal digital assets worth thousands of dollars.


The attackers set up nearly 500 decoy sites, including one impersonating a project associated with the World Cup and others impersonating the NFT marketplaces OpenSea, X2Y2 and Rarible, blockchain security firm SlowMist says. With just one of those phishing addresses they made off with $365,000 by stealing 1,055 NFTs, it says. It did not specify the total value of the stolen assets.

The phishing campaign, active for at least seven months now, is only "the tip of the iceberg," SlowMist says.

The country's advanced persistent threat groups have been at the forefront of cryptocurrency-related heists this year. In September, blockchain analysis company Chainalysis estimated that North Korea-linked groups had stolen about $1 billion of cryptocurrency from DeFi protocols this year, including $600 million from the Ronin Network.

Attack Tactics

In some instances, the attackers created fake NFT-related websites offering malicious mints designed to deceive victims. Users connected their wallets to the decoy websites hoping to mint an NFT, but instead left their wallets exposed, giving the attacker complete access to the assets in them.

The attackers also recorded visitor data and used it to run various attack scripts on the victim, the company says. This enabled the hackers to access the victims' access records, authorizations and use of plug-in wallets, as well as sensitive data such as the victim's approve record and sigData. "All this information then enables the hacker access to the victim's wallet, exposing all their digital assets," SlowMist says.

The adversaries operated predominantly from two IP addresses. One hosted 372 NFT phishing websites, and the other hosted 320.
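The approvals and signature data described above are what a malicious mint page actually asks the wallet for. As an added illustration (not code from the article or from SlowMist), the snippet below shows a pre-signature check a wallet or browser extension could apply to raw transaction calldata: it decodes the two standard approval calls an NFT phishing page relies on, `setApprovalForAll(address,bool)` (ERC-721/ERC-1155) and `approve(address,uint256)`, and flags a blanket approval to an operator the user has not already trusted. The allow-list address and the sample calldata are constructed values.

```javascript
// Function selectors: first 4 bytes of keccak256 of the canonical signature.
const SELECTORS = {
  a22cb465: "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155: blanket operator approval
  "095ea7b3": "approve(address,uint256)",      // ERC-721 (tokenId) / ERC-20 (amount)
};

// Hypothetical allow-list of operators the user already trusts (constructed placeholder).
const TRUSTED_OPERATORS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// Decode the approval-related calldata a phishing page would submit for signing.
function decodeApproval(calldataHex) {
  const data = calldataHex.replace(/^0x/, "").toLowerCase();
  const selector = data.slice(0, 8);
  const name = SELECTORS[selector];
  if (!name) return { kind: "other", selector };
  // ABI encoding: each argument is a 32-byte word (64 hex chars); addresses are right-aligned.
  const word = (i) => data.slice(8 + i * 64, 8 + (i + 1) * 64);
  const operator = "0x" + word(0).slice(24);
  if (name.startsWith("setApprovalForAll")) {
    const approved = BigInt("0x" + word(1)) !== 0n;
    return { kind: "setApprovalForAll", operator, approved };
  }
  return { kind: "approve", operator, value: BigInt("0x" + word(1)) };
}

// Risk-rate the request before the user is asked to sign it.
function assessApproval(calldataHex) {
  const d = decodeApproval(calldataHex);
  if (d.kind === "other") return { risk: "unknown", reason: `unrecognised selector 0x${d.selector}` };
  const trusted = TRUSTED_OPERATORS.has(d.operator);
  if (d.kind === "setApprovalForAll" && d.approved && !trusted) {
    // This is the grant that lets a phishing operator drain an entire collection.
    return { risk: "high", reason: `grants ${d.operator} control of every token in this collection` };
  }
  return { risk: trusted ? "low" : "medium", reason: `${d.kind} to ${d.operator}` };
}

// Build calldata the way a phishing page would (constructed sample, not a real operator).
function encodeSetApprovalForAll(operator, approved) {
  const addr = operator.replace(/^0x/, "").toLowerCase().padStart(64, "0");
  const flag = (approved ? "1" : "0").padStart(64, "0");
  return "0xa22cb465" + addr + flag;
}
```

Run against `encodeSetApprovalForAll("0x00000000000000000000000000000000deadbeef", true)` the check returns `risk: "high"`, while the same call to the allow-listed operator returns `risk: "low"`.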


About the Author

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.
