DPRK hackers steal NFTs using phishing websites

by James · December 27, 2022

North Korean state-sponsored threat actors are finding new ways to steal cryptocurrency.

Hackers from the Democratic People’s Republic of Korea (DPRK) created hundreds of phishing websites, mimicking popular non-fungible token (NFT) platforms and decentralized financial markets (DeFi).

According to blockchain security firm SlowMist, Advanced Persistent Threat (APT) groups from North Korea created fake NFT-related decoy websites with malicious coins, and later sold the fakes on platforms such as OpenSea, X2Y2 and Rarible.

A “malicious coin” is a dangerous practice where users link their crypto wallets to a newly purchased NFT, believing it to be legitimate, thereby giving threat actors access to their funds.

“>

Researchers say the campaign developed by North Korean threat actors consisted of nearly 500 domain names, demonstrating the scale of the state-backed effort to raise funds through cybercrime.

The earliest domain in operation was registered in May 2022. Threat actors were likely trying to capitalize on the NFT craze, which shows how quickly DPRK hackers can adapt to new technology trends.

SlowMist researchers said attackers would also record who visited the fake websites they set up and run attack scripts against victims. The state-sponsored scam provided threat actors with sensitive data, such as authorization and access records, which enabled threat actors to breach crypto wallets.

According to the report, the scam was very profitable for hackers. For example, hackers made 300 Ethereum coins worth over $367k from a single victim.

North Korean hackers

North Korea uses cybercrime to finance its dictatorship, which runs a country largely closed off from the outside world.

While researchers at SlowMist do not specify the exact group behind the attack, the Lazarus Group is a financially motivated state-backed DPRK threat actor.

According to Chainalysis, North Korea launched at least seven attacks on cryptocurrency platforms that extracted nearly $400 million worth of digital assets last year. This year, researchers claim, North Korea-linked groups have stolen close to $1 billion worth of crypto from various DeFi protocols.

According to the FBI, DPRK hackers were behind the Ronin hack. Meanwhile, researchers believe Lazarus Groups was behind the $100 million hack of another crypto exchange, Harmony.

A UN panel of experts monitoring North Korea sanctions has accused Pyongyang of using stolen funds to support its nuclear and ballistic missile programs to circumvent sanctions.