A recently discovered phishing campaign, linked to North Korean hackers, targeted NFT users. The attackers captured around 1,055 NFTs and profited by approximately 300 ETH, or about $366,000. The campaign has been running for months; the earliest phishing domain appears to have been registered more than seven months ago.
The campaign operated around marketplaces such as OpenSea, X2Y2 and Rarible, where users were lured with legitimate-looking NFTs. Those NFTs directed the buyer to fraudulent NFT-related websites to complete a supposed minting process. The attackers moved the proceeds through tokens such as Wrapped Ether (WETH), USD Coin (USDC), DAI and Uniswap (UNI) to facilitate further illicit transfers.
The fraudulent websites used the fake minting flow to harvest data from visitors, including IP addresses, wallet authorizations (token approvals) and whether a browser plug-in wallet was in use. Sources speaking to the Associated Press alleged that North Korea pivoted to cybercrime as a source of revenue after the U.N. sanctions imposed in 2016 and 2017. Users were duped into authorizing actions such as signing a Seaport signature. Seaport is OpenSea's order protocol; the signature is an EIP-712 typed-data signature that authorizes a listing of the signer's NFTs, so signing an attacker-crafted order lets the attacker take those NFTs on whatever terms the order states. The practical defence is to read the typed-data message a wallet displays before signing, rather than trusting the page that requested it, and to revoke approvals granted to unfamiliar sites. More than 500 domains in total were running these "malicious mints".
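Because the Seaport signature request is where the theft described above actually happens, the following added example (not code from the original article or from OpenSea) shows the kind of check a wallet or browser extension could run on the EIP-712 payload a site passes to eth_signTypedData_v4 before the user signs. It flags orders that list the signer's NFTs for nothing, that use a wildcard criteria root (any token in the collection), or that stay valid for an unreasonably long time. All addresses, amounts and the two sample orders are constructed placeholders; the Seaport field names and item-type values follow the public Seaport OrderComponents struct.

```javascript
// Added example: audit a Seaport OrderComponents typed-data payload before signing.
// Not code from the article or from OpenSea; sample orders below are constructed.

const ItemType = {
  NATIVE: 0, ERC20: 1, ERC721: 2, ERC1155: 3,
  ERC721_WITH_CRITERIA: 4, ERC1155_WITH_CRITERIA: 5,
};
const NFT_ITEM_TYPES = new Set([2, 3, 4, 5]);
const ONE_YEAR_SECONDS = 365n * 24n * 3600n;

// Returns { risky, findings } for the typed-data object the dapp asked the wallet to sign.
function auditSeaportOrder(typedData, signerAddress) {
  const findings = [];
  const signer = signerAddress.toLowerCase();
  const msg = typedData.message;

  if (typedData.domain?.name !== "Seaport" || typedData.primaryType !== "OrderComponents") {
    findings.push("payload is not a Seaport OrderComponents order; review manually");
    return { risky: true, findings };
  }
  if (msg.offerer.toLowerCase() !== signer) {
    findings.push(`offerer ${msg.offerer} is not the signing wallet`);
  }

  const nftsOffered = msg.offer.filter((i) => NFT_ITEM_TYPES.has(Number(i.itemType)));
  // Criteria items with root 0 match any token id in the collection.
  const wildcard = nftsOffered.filter(
    (i) => Number(i.itemType) >= 4 && BigInt(i.identifierOrCriteria) === 0n,
  );
  if (wildcard.length) {
    findings.push(`${wildcard.length} criteria item(s) with root 0: any token of that collection can be taken`);
  }

  // Simplification: sums base units of every consideration asset together;
  // a production checker would price each asset separately.
  let toSigner = 0n;
  let toOthers = 0n;
  for (const c of msg.consideration) {
    const amount = BigInt(c.startAmount);
    if (c.recipient.toLowerCase() === signer) toSigner += amount;
    else toOthers += amount;
  }
  if (nftsOffered.length && toSigner === 0n) {
    findings.push(`lists ${nftsOffered.length} NFT(s) and the signer receives nothing`);
  } else if (toOthers > toSigner) {
    findings.push(`more payment (${toOthers}) goes to third parties than to the signer (${toSigner})`);
  }

  if (BigInt(msg.endTime) - BigInt(msg.startTime) > ONE_YEAR_SECONDS) {
    findings.push("order stays valid for more than a year");
  }
  return { risky: findings.length > 0, findings };
}

// Constructed placeholder addresses (not real accounts or contracts).
const VICTIM = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const ATTACKER = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const COLLECTION = "0xcccccccccccccccccccccccccccccccccccccccc";
const FEE_RECIPIENT = "0xdddddddddddddddddddddddddddddddddddddddd";
const ZERO = "0x0000000000000000000000000000000000000000";

function makeOrder(offer, consideration, endTime) {
  return {
    domain: { name: "Seaport", version: "1.1", chainId: 1, verifyingContract: ZERO }, // placeholder contract
    primaryType: "OrderComponents",
    message: {
      offerer: VICTIM, zone: ZERO, offer, consideration, orderType: 0,
      startTime: "1700000000", endTime, zoneHash: "0x" + "00".repeat(32),
      salt: "1", conduitKey: "0x" + "00".repeat(32), counter: "0",
    },
  };
}

// Phishing-style order: whole collection offered, zero payment, effectively never expires.
const PHISHING_ORDER = makeOrder(
  [{ itemType: ItemType.ERC721_WITH_CRITERIA, token: COLLECTION, identifierOrCriteria: "0", startAmount: "1", endAmount: "1" }],
  [{ itemType: ItemType.NATIVE, token: ZERO, identifierOrCriteria: "0", startAmount: "0", endAmount: "0", recipient: ATTACKER }],
  "9999999999",
);

// Ordinary listing: one token, 0.975 ETH to the seller, 0.025 ETH fee, 30-day expiry.
const HONEST_LISTING = makeOrder(
  [{ itemType: ItemType.ERC721, token: COLLECTION, identifierOrCriteria: "1234", startAmount: "1", endAmount: "1" }],
  [
    { itemType: ItemType.NATIVE, token: ZERO, identifierOrCriteria: "0", startAmount: "975000000000000000", endAmount: "975000000000000000", recipient: VICTIM },
    { itemType: ItemType.NATIVE, token: ZERO, identifierOrCriteria: "0", startAmount: "25000000000000000", endAmount: "25000000000000000", recipient: FEE_RECIPIENT },
  ],
  "1702592000",
);

console.log(auditSeaportOrder(PHISHING_ORDER, VICTIM));
console.log(auditSeaportOrder(HONEST_LISTING, VICTIM));
```

The honest listing passes because the seller receives the bulk of the consideration and the order names a single token id; the phishing order trips three checks at once. A wallet that surfaced these findings next to the raw "Sign" button would turn the opaque Seaport signature request into something a user could refuse on sight.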