For years, it has been known within the blockchain community that North Korean hackers have been stealing digital assets from victims all over the world. In the case of the Lazarus group, the stolen assets are reportedly used to fund the country's nuclear weapons program despite ongoing US sanctions. It is not just cryptocurrency that is being targeted, either: NFTs have also been stolen by hacker groups from the country.
The latest incident has been reported by SlowMist, a blockchain security company, and focuses on the activities of a North Korean APT (advanced persistent threat) hacker group.
How the Group Operates
According to the SlowMist report, published on December 24, 2022, the group has chosen phishing as its method of theft. Phishing is well known, especially in the NFT and crypto space, and refers to criminals replicating legitimate platforms, emails, and so on to get users to give up sensitive information or sign transactions they do not understand.
SlowMist was first tipped off to the activities of this group after Twitter user PhantomXSec mentioned in September 2022 that the APT group was behind attacks on dozens of Ethereum and Solana projects. More specifically, the APT group had registered dozens of fraudulent domain names to trick users and steal their assets.
In total, PhantomXSec provided about 500 domain names, and SlowMist then began a more in-depth investigation. What it uncovered was a sophisticated network of decoy sites that used malicious minting pages and impersonated major platforms.
“Upon further investigation, we found that one of the techniques used in this phishing attack involved creating fake NFT-related decoy websites with malicious Mints. These NFTs were sold on platforms such as OpenSea, X2Y2, and Rarible. The North Korean APT group targeted Crypto and NFT users with a phishing campaign using nearly 500 different domain names,” the report said, noting that these sites were split between different IP addresses.
It also found that the group's phishing sites targeted the WETH, USDC, DAI, and UNI tokens, and that it spoofed sites tied to popular events such as the most recent World Cup to convince users to sign an 'approve' transaction. On Ethereum such a transaction does not move funds by itself; it grants a third-party address permission to transfer the user's tokens or NFTs, which the attacker then does at leisure, so the theft can follow long after the victim has left the fake site.
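The 'approve' step is the heart of this scheme, so it is worth seeing exactly what a victim signs. The following Python script is an added illustration, not code from SlowMist or from the report: it decodes the calldata of the two approval calls a phishing "mint" page typically requests, an ERC-20 `approve()` (relevant to WETH, USDC, DAI and UNI) and an ERC-721/ERC-1155 `setApprovalForAll()` (relevant to NFTs), and emits the warnings a wallet should show before signing. The function selectors are the standard ones; the operator addresses and the calldata samples are constructed for the example, and the "trusted operator" list is a hypothetical placeholder for a user's own allowlist.

```python
"""Decode the calldata behind a wallet's "approve" prompt.

Added example (not SlowMist's code and not from the report): shows what an
ERC-20 approve() or an ERC-721/1155 setApprovalForAll() call actually grants,
so a user can see why signing one on a phishing site hands the attacker the
right to drain the wallet later. Addresses and calldata below are constructed.
"""

# 4-byte function selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),         # ERC-20
    "a22cb465": ("setApprovalForAll", ("address", "bool")),  # ERC-721 / ERC-1155
    "a9059cbb": ("transfer", ("address", "uint256")),        # ERC-20, for contrast
}
MAX_UINT256 = 2**256 - 1

# Constructed, hypothetical addresses: one operator the user trusts (a real
# marketplace contract would go here) and one belonging to the phishing site.
TRUSTED_OPERATOR = "0x" + "11" * 20
PHISHING_OPERATOR = "0x" + "ab" * 20


def _addr_word(addr: str) -> bytes:
    """ABI word for an address: 12 zero bytes followed by the 20 address bytes."""
    return bytes(12) + bytes.fromhex(addr[2:])


def _uint_word(n: int) -> bytes:
    """ABI word for a uint256 (also used for bool: 0 or 1)."""
    return n.to_bytes(32, "big")


def encode_call(selector: str, *words: bytes) -> str:
    """Build calldata for a call whose arguments are all static 32-byte words."""
    return "0x" + selector + "".join(w.hex() for w in words)


def decode_calldata(hexdata: str) -> dict:
    """Split calldata into its selector and decoded static arguments."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    sel = data[:4].hex()
    if sel not in SELECTORS:
        return {"function": None, "selector": sel, "args": []}
    name, types = SELECTORS[sel]
    args = []
    for i, typ in enumerate(types):
        word = data[4 + 32 * i: 4 + 32 * (i + 1)]
        if len(word) != 32:
            raise ValueError("calldata truncated")
        if typ == "address":
            args.append("0x" + word[12:].hex())  # address is the low 20 bytes
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
        elif typ == "bool":
            args.append(word[-1] == 1)
    return {"function": name, "selector": sel, "args": args}


def assess_approval(hexdata: str, trusted: set[str]) -> list[str]:
    """Return the warnings a wallet should surface before the user signs."""
    call = decode_calldata(hexdata)
    fn, args = call["function"], call["args"]
    warnings = []
    if fn == "approve":
        spender, amount = args
        if amount == MAX_UINT256:
            warnings.append("unlimited allowance: spender can move every token you hold, now or later")
        if spender not in trusted:
            warnings.append(f"spender {spender} is not a known marketplace or router")
    elif fn == "setApprovalForAll":
        operator, approved = args
        if approved:
            warnings.append("grants operator the right to transfer EVERY NFT in this collection")
            if operator not in trusted:
                warnings.append(f"operator {operator} is not a known marketplace")
    elif fn is None:
        warnings.append(f"unknown selector {call['selector']}: do not sign blind")
    return warnings


# Constructed samples: what a phishing "mint" page asks the wallet to sign ...
PHISH_SET_APPROVAL = encode_call("a22cb465", _addr_word(PHISHING_OPERATOR), _uint_word(1))
PHISH_UNLIMITED_APPROVE = encode_call("095ea7b3", _addr_word(PHISHING_OPERATOR), _uint_word(MAX_UINT256))
# ... versus a bounded allowance (1 token with 18 decimals) to a trusted operator.
BENIGN_APPROVE = encode_call("095ea7b3", _addr_word(TRUSTED_OPERATOR), _uint_word(10**18))

if __name__ == "__main__":
    for label, data in [("phish setApprovalForAll", PHISH_SET_APPROVAL),
                        ("phish unlimited approve", PHISH_UNLIMITED_APPROVE),
                        ("benign approve", BENIGN_APPROVE)]:
        print(label, decode_calldata(data)["function"], assess_approval(data, {TRUSTED_OPERATOR}))
```

The point of the decoder is that the prompt shown by most wallets ("Approve", "Set approval for all") does not convey that the victim is not minting anything; they are authorising an attacker-controlled address to transfer their assets later. Checking the decoded spender or operator against a list of contracts you actually intend to deal with, and refusing unlimited allowances, is the concrete form of the "identify phishing" advice.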
Unfortunately, the group has been quite successful. After tracing a wallet that collects the group's stolen assets, SlowMist found that over 1,055 NFTs had been taken and that the campaign had netted roughly 300 ETH in profit.
How Consumers Can Protect Themselves
Losses to crypto theft have grown year on year, and, as this report shows, the tactics are becoming more sophisticated: hundreds of look-alike domains, fake mint pages and event-themed lures rather than a single spoofed login page. As digital assets evolve, so do the methods used to steal them, and users have to treat every signature request as a potential transfer of control over their funds.
SlowMist, on its part, has advised NFT users to, “strengthen their understanding of security knowledge and further enhance their ability to identify phishing attacks in order to avoid falling victim to such attacks.”