North Korea-linked NFT phishing campaign targeting OpenSea, X2Y2 and Rarible clients

Researchers have uncovered a new phishing marketing campaign involving North Korea-related hackers targeting NFT users buying tokens at structures like OpenSea, X2Y2, and Rarible.

[{"selector":"#anim-d851ebb3-1891-4329-8968-b02848708bf9 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(10.777366682947797%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-bab7c3e1-4643-4b6a-8f60-0a312f59d873","keyframes":{"transform":["rotate(-540deg) scale(0.1)","none"],"opacity":[0,1]},"delay":0,"duration":1000,"fill":"both","iterations":1}]

Customers would first purchase legitimate search NFTs on these websites, and those NFTs could then direct the customer to fraudulent NFT-related websites to complete the minting technique.

[{"selector":"#anim-839dd903-e508-4d47-80eb-02ef94a6d0a6 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-21.189903611325466%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] [{"selector":"#anim-787501f5-420b-483c-9dba-7cd359cf942b","keyframes":{"transform":["rotate(-540deg) scale(0.1)","none"],"opacity":[0,1]},"delay":0,"duration":1000,"fill":"both","iterations":1}]

But, according to a report by blockchain advocacy firm SlowMist, these websites used the minting technique to try to extract valuable data, including IP addresses, authorizations, and plugin wallet usage along the way.

[{"selector":"#anim-eeb6966f-7ca6-4a94-8d7a-d1b9245d77c8","keyframes":{"transform":["rotate(-540deg) scale(0.1)","none"],"opacity":[0,1]},"delay":0,"duration":1000,"fill":"both","iterations":1}] [{"selector":"#anim-b43d6cf0-5b44-47ba-b5d1-6068078ab136 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(2.3046074341329224%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]

This reportedly involved tricking clients into performing authorization activities that consisted of submitting their Seaport signature,

[{"selector":"#anim-86d33d6a-c29b-4bdc-9700-f9c2e5354533","keyframes":{"transform":["rotate(-540deg) scale(0.1)","none"],"opacity":[0,1]},"delay":0,"duration":1000,"fill":"both","iterations":1}] [{"selector":"#anim-d14b06d7-7672-4cfb-90f3-fecd32a93157 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(-3.552713678800501e-15%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]

OpenSea, X2Y2 and Rarible Now did not respond to Decrypt's request for comment.

[{"selector":"#anim-f4f25d77-0034-49fa-8420-2f7ba16381b6","keyframes":{"transform":["rotate(-540deg) scale(0.1)","none"],"opacity":[0,1]},"delay":0,"duration":1000,"fill":"both","iterations":1}] [{"selector":"#anim-9c1994a9-8099-4db6-9e1c-3ff7b1e6b3ad [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(8.903042042435132%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]

The researchers revealed that there were more than 500 domains in general circling around these “rogue mint” styles

[{"selector":"#anim-d5855613-c027-4dd2-a029-3c61155a216f","keyframes":{"transform":["rotate(-540deg) scale(0.1)","none"],"opacity":[0,1]},"delay":0,"duration":1000,"fill":"both","iterations":1}] [{"selector":"#anim-93e46a4a-80be-408d-9bdf-970d494ca302 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]

and the campaign has reportedly been ongoing for several months, with the main area being tested more than seven months ago.

[{"selector":"#anim-e9daaee5-d7d5-4980-aad8-ca8fcb72b81a","keyframes":{"transform":["rotate(-540deg) scale(0.1)","none"],"opacity":[0,1]},"delay":0,"duration":1000,"fill":"both","iterations":1}] [{"selector":"#anim-1d3a297b-de49-4b32-a855-683b995c75e2 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]

It has been said that the vast majority of these domain names have used the same IP address.

[{"selector":"#anim-928b57ae-d2c8-472a-939d-f2c47ff65e6f","keyframes":{"transform":["rotate(-540deg) scale(0.1)","none"],"opacity":[0,1]},"delay":0,"duration":1000,"fill":"both","iterations":1}] [{"selector":"#anim-a867a724-d4d2-4d75-9b64-8cad4d16dc1e [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(25%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]

Need More Stories

[{"selector":"#anim-54c858cf-e308-4f7a-982a-ac1e6b6be829","keyframes":{"transform":["scale(1)","scale(1.5)","scale(0.95)","scale(1)"],"offset":[0,0.33,0.66,1]},"delay":0,"duration":1450,"easing":"ease-in-out","fill":"both","iterations":1}] [{"selector":"#anim-8a8c61ca-86c8-4476-995c-cf3d93f64cdc [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(-3.552713678800501e-15%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] Learn more