NFTs are being stolen by North Korean hackers

Dec 26, 2022 | CryptoNews

The hackers constructed fake websites that looked like NFT projects, NFT markets, and even a DeFi platform.

Nearly 500 phishing sites are being used by hackers connected to North Korea’s Lazarus Group in a large phishing effort that targets investors in nonfungible tokens (NFT).

On December 24, the blockchain security company SlowMist published a study outlining the methods used by North Korean APT organizations to separate NFT investors from their NFTs, including bogus websites impersonating various NFT-related platforms and initiatives.

These fraudulent websites include one that presents itself as a World Cup initiative and others that mimic popular NFT markets like OpenSea, X2Y2, and Rarible.

One of the strategies, according to SlowMist, is to have these fake websites provide “malicious Mints,” which trick the users into believing they are minting real NFTs by linking their wallets to the website.

The NFT is essentially a scam, and as a result, the victim’s wallet is open to attack by the hacker who now has access to it.

The analysis also showed that a large number of the phishing websites shared the same Internet Protocol (IP) address, with 372 NFT phishing websites hosted on a single IP address and another 320 NFT phishing websites on a different one.
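The shared-IP finding lends itself to a simple defensive pivot: group observed domains by the address they resolve to, flag addresses that host several marketplace lookalikes, and review everything else on the same address. The sketch below is an added example, not SlowMist's tooling; the domains and IP addresses are constructed, and the list of official marketplace domains is an assumption of the example.

```python
from collections import defaultdict

# Marketplaces named in the article; the official domains are this example's assumption.
BRANDS = {"opensea": "opensea.io", "x2y2": "x2y2.io", "rarible": "rarible.com"}

# Constructed passive-DNS style records (domain, resolved IP). Not real indicators.
RECORDS = [
    ("opensea-mint.example", "192.0.2.10"),
    ("x2y2-claim.example", "192.0.2.10"),
    ("rarible-drop.example", "192.0.2.10"),
    ("worldcup-nft.example", "192.0.2.10"),
    ("opensea.io", "198.51.100.5"),
    ("blog.example", "198.51.100.7"),
    ("rarible-airdrop.example", "198.51.100.7"),
]

def impersonated_brand(domain):
    """Return the brand a domain imitates, or None if it is official or unrelated."""
    d = domain.lower().rstrip(".")
    if any(d == o or d.endswith("." + o) for o in BRANDS.values()):
        return None  # the real site or one of its subdomains
    squashed = d.replace("-", "").replace(".", "")
    for brand in BRANDS:
        if brand in squashed:
            return brand
    return None

def suspicious_clusters(records, min_domains=2):
    """Group domains by IP and report IPs hosting >= min_domains brand lookalikes."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain)
    report = {}
    for ip, domains in by_ip.items():
        hits = {d: b for d in sorted(domains) if (b := impersonated_brand(d))}
        if len(hits) >= min_domains:
            # co_hosted: same infrastructure, but missed by name matching alone
            report[ip] = {"lookalikes": hits,
                          "co_hosted": sorted(domains - set(hits))}
    return report

if __name__ == "__main__":
    for ip, info in suspicious_clusters(RECORDS).items():
        print(ip, info)
```

The `co_hosted` list is the useful part of the pivot: a themed site such as a World Cup lure carries no marketplace name, but it surfaces because it shares an address with the lookalikes.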

According to SlowMist, the phishing campaign has been going on for a while; the earliest domain name was registered roughly seven months ago.

Other phishing techniques included recording visitor data and storing it on external websites, as well as attaching images to the projects that were being targeted.

After obtaining the visitor’s data, the hacker would then run other attack scripts against the victim, giving the hacker access to the victim’s access records, authorizations, and use of plug-in wallets, as well as sensitive data such as the victim’s approve records and sigData.


The hacker may then access the victim’s wallet using all this information, revealing all of their digital assets.

SlowMist stressed that this is simply the “tip of the iceberg,” since the research only considered a tiny percentage of the materials and only “some” of the North Korean hackers’ phishing traits.

For instance, SlowMist said that one phishing address alone was able to gain 300 Ether and 1,055 NFTs, totaling $367,000, using its phishing techniques.

It also stated that the Naver phishing campaign, which was originally reported by Prevailion on March 15, was carried out by the same North Korean APT group.

In 2022, North Korea was at the center of many cryptocurrency thefts.

The National Intelligence Service (NIS) of South Korea said on December 22 that North Korea had stolen cryptocurrency worth $620 million just this year.

The National Police Agency of Japan issued a warning to the nation’s crypto-asset enterprises in October, cautioning them to be wary of the North Korean hacking outfit.
