North Korea-linked Phishing Scheme Targets NFT Platforms

Picture: Financial Times

Techspace - NFT users of OpenSea, X2Y2, and Rarible have recently been the primary target of a North Korea-linked phishing scheme. The perpetrators, believed to be Lazarus Group, used a web of over 500 fraudulent websites to extract key information from users during the minting process of  Non-Fungible Tokens (NFT).

Users would first purchase legitimate-looking NFTs on these websites, and these NFTs would then direct the buyer to fraudulent NFT-related websites to complete the minting process.

The blockchain security company, SlowMist has reported that these perpetrators exploited valuable user data such as IP addresses, authorizations, and plug-in wallets during a minting process of an NFT.

Tweet

This reportedly involved duping users into carrying out authorizing activities such as sending their Seaport signature, a type of digital signature used to verify NFT contracts made on OpenSea.

So far OpenSea, X2Y2, and Rarible have not made any comments regarding the breach of personal information of their users despite the serious situation.

Over 500 domains in total were discovered to be running these types of “malicious mints,” and it has been going on for several months, with the first domain appearing to be created over seven months ago.

The vast majority of these domains were said to have used the same IP address. Many of the phishing websites operated under the same Internet Protocol (IP), with 372 NFT phishing websites under a single IP and another 320 NFT phishing websites associated with another IP.

Examples of these fake websites include a site pretending to be a project associated with the World Cup, as well as sites that impersonate well-known NFT marketplaces such as OpenSea, X2Y2 and Rarible.

SlowMist said one of the tactics used was having these decoy websites offer “malicious Mints,” which involves deceiving the victims into thinking they are minting a legitimate NFT by connecting their wallet to the website.

However, the NFT is actually fraudulent, and the victim’s wallet is left vulnerable to the hacker who now has access to it. According to the report, the hackers were able to capture around 1,055 NFTs and made a profit of approximately 300 Ethereum, or $366,000, via their scheme.

Other phishing tactics used included recording visitor data and saving it to external sites as well as linking images to target projects.

After the hacker nearly obtain the visitor's data, they would then proceed to run various attack scripts on the victim, which would allow the hacker access to the victim’s access records, authorizations, and use of plug-in wallets, as well as sensitive data such as the victims’ approve record and sigData.

All this information then enables the hacker access to the victim’s wallet, exposing all their digital assets.

However, SlowMist emphasized that this is just the “tip of the iceberg,” as the analysis only looked at a small portion of the materials and extracted “some” of the phishing characteristics of the North Korean hackers.

East Asia Faces a Similiar Threat by North Korea

North Korea has been at the center of various cryptocurrency theft crimes in 2022. Crypto analysis firm Chainalysis estimates that North Korea stole approximately $1 billion in the first nine months of 2022 from decentralized crypto exchanges alone.

According to a news report published by South Korea’s National Intelligence Service (NIS) on Dec 22, North Korea stole $620 million worth of cryptocurrencies this year alone.

In October, Japan’s National Police Agency sent out a warning to the country’s crypto-asset businesses advising them to be cautious of the North Korean hacking group.

As with any transaction, exercising extreme caution even with the platform’s trusted reputation is always a good idea to better increase our chance to avoid falling into these phishing schemes.