The hackers made fake versions of NFT markets, NFT projects, and a DeFi platform.
According to reports, hackers associated with North Korea's Lazarus Group are behind a massive phishing campaign that targets NFT investors by creating nearly 500 phishing domains.
On December 24th, blockchain security firm SlowMist published a report detailing the methods North Korean Advanced Persistent Threat (APT) groups have used to separate NFT investors from their NFTs, such as the use of decoy websites masquerading as a variety of platforms and projects associated with NFTs.
These sites include ones that pretend to be legitimate NFT marketplaces like OpenSea, X2Y2, and Rarible, as well as others that pretend to be related to the World Cup.
One method, according to SlowMist, was for these fake sites to offer "malicious Mints," which would trick victims into thinking they were minting a real NFT by linking their wallets to the fake sites.
However, the NFT is fake, and the victim's wallet is left open to attack by the hacker, who has now gained access to it.
The report also found that many of the phishing websites shared an IP address, with 372 NFT phishing websites sharing a single IP and another 320 NFT phishing websites linked to a separate IP.
According to SlowMist, the phishing campaign has been going on for a long time; the earliest registered domain name dates back to around seven months ago.
Phishers also linked images to target projects and recorded visitor data, both of which were stored on external sites.
Just before stealing a victim's data, the hacker would run a series of attack scripts against the victim, gaining access to sensitive information such as the visitor's approve record and sigData, as well as their access records, authorizations, and plug-in wallet usage.
In spite of this, SlowMist stressed that this is only the "tip of the iceberg," as the analysis only examined a subset of the materials and extracted "some" of the phishing characteristics of the North Korean hackers.
For instance, SlowMist highlighted that a single phishing address managed to steal 1,055 NFTs and 300 Ether (worth $367,000 at the time) through its phishing techniques.
Prevailion had previously reported on a North Korean APT group responsible for a phishing campaign against Naver on March 15.
In 2022, North Korea has been at the center of numerous incidents involving the theft of cryptocurrency.
An article published on December 22 by the National Intelligence Service (NIS) of South Korea claims that North Korea has stolen $620 million worth of cryptocurrencies this year.
Japan's National Police Agency issued a warning to the country's crypto-asset businesses in October, telling them to be wary of a North Korean hacking group.