Hackers linked to North Korea’s Lazarus Group are reportedly behind a massive phishing campaign targeting nonfungible token (NFT) investors — utilizing nearly 500 phishing domains to dupe victims.
Blockchain security firm SlowMist released a report on Dec. 24,revealingthe tactics that North Korean Advanced Persistent Threat (APT) groups have used to part NFT investors from their NFTs, including decoy websites disguised as a variety of NFT-related platforms and projects.
Examples of these fake websites include a site pretending to be a project associated with the World Cup, as well as sites that impersonatewell-known NFT marketplacessuch as OpenSea, X2Y2 and Rarible.
SlowMist said one of the tactics used was having these decoy websites offer “malicious Mints,” which involves deceiving the victims into thinking they are minting a legitimate NFT by connecting their wallet to the website.
However, the NFT is actually fraudulent, and the victim’s wallet is left vulnerable to the hacker who now has access to it.
The report also revealed that many of the phishing websites operated under the same Internet Protocol (IP), with 372 NFT phishing websites under a single IP and another 320 NFT phishing websites associated with another IP.
An example phishing website Source: SlowMistSlowMist said the phishing campaign has been ongoing for several months, noting that the earliest registered domain name came about seven months ago.
Other phishing tactics used included recording visitor data and saving it to external sites as well as linking images to target projects.
After the hacker was about to obtain the visitor's data, they would then proceed to run various attack scripts on the victim, which would allow the hacker access to the victim’s access records, authorizations and use of plug-in wallets, as well as sensitive data such as the victims’ approve record and sigData.
All this information then enables the hacker access to the victim’s wallet, exposing all their digital assets.
However, SlowMist emphasized that this is just the “tip of the iceberg,” as the analysis only looked at a small portion of the materials and extracted “some” of the phishing characteristics of the North Korean hackers.
SlowMist Security Alert
— SlowMist (@SlowMist_Team)December 24, 2022
North Korean APT group targeting NFT users with large-scale phishing campaign
This is just the tip of the iceberg. Our thread only covers a fraction of what we've discovered.
Let's dive inpic.twitter.com/DeHq1TTrrN
For example, SlowMist highlighted that just one phishing address alone was able to gain 1,055 NFTs and profit 300 Ether, worth $367,000, through its phishing tactics.
It added that the same North Korean APT group was also responsible for the Naver phishing campaign that was previouslydocumentedby Prevailion on March 15.
North Korea has been at the center of various cryptocurrency theft crimes in 2022.
According to a news report published by South Korea’s National Intelligence Service (NIS) on Dec 22,North Korea stole $620 millionworth of cryptocurrencies this year alone.
In October, Japan’s National Police Agency sent out a warning to the country’s crypto-asset businesses advising them to be cautiousof the North Korean hacking group.
The private contact information of Ethereum co-founder Vitalik Buterin, shark tank host Kevin O'Leary and Mark Cuban are among those purportedly for sale.
400 million Twitter users’ data containing private emails and linked phone numbers have reportedly been up for sale on the black market.
Cybercrime intelligence firm Hudson Rock highlighted a “credible threat” via Twitter on Dec. 24 in which someone is supposedly selling a private database containing contact information of 400 million Twitter user accounts.
“The private database contains devastating amounts of information including emails and phone numbers of high profile users such as AOC, Kevin O'Leary, Vitalik Buterin & more,” Hudson Rock stated, before adding that:
“In the post, the threat actor claims the data was obtained in early 2022 due to a vulnerability in Twitter, as well as attempting to extort Elon Muskto buy the data or face GDPR lawsuits.”
Hudson Rock said that while it has not been able to fully verify the hacker’s claims given the number of accounts, it said that an “independent verification of the data itself appears to be legitimate.”
BREAKING: Hudson Rock discovered a credible threat actor is selling 400,000,000 Twitter users data.
— Hudson Rock (@RockHudsonRock)December 24, 2022
The private database contains devastating amounts of information including emails and phone numbers of high profile users such as AOC, Kevin O'Leary, Vitalik Buterin & more (1/2).pic.twitter.com/wQU5LLQeE1
Web3 security firm DeFiYield also had a look at 1,000 accounts given as a sample by the hacker and verified that the data is “real.” It also reached out to the hacker via Telegram and noted that they are activelywaitingfor a buyer there.
If found true, the breach could be a significant cause for concern for Crypto Twitter users, particularly those who operate under a pseudonym.
However, some users have highlighted that such a large-scale breach is hard to believe, given that the current amount of active monthly usersreportedlysits at around 450 million.
At the time of writing, the purported hacker still has a post up onBreachedadvertising the database to buyers. It also has a specific call to action forElon Musk to pay $276 millionto avoid having the data sold and face a fine from the General Data Protection Regulation agency.
If Musk pays the fee, the hacker says they will delete the data and it will not be sold to anyone else “to prevent a lot of celebrities and politicians from Phishing, Crypto scams, Sim swapping, Doxxing and other things.”
Hacker's database ad: BreachedThe breached data in question is understood to have come from the “Zero-Day Hack” on Twitter, in which an application programming interface vulnerabilityfrom June 2021 wasexploitedbefore it was patched in January this year. The bug essentially allowed hackers to scrape private info, which they then compiled into databases to sell on the dark web.
Alongside this supposed database, two others have previously been identified, with one consisting of around 5.5 million users and another thought to contain as many as 17 million users,accordingto a Nov. 27 report from Bleeping Computer.
The dangers of having such info leaked online includetargeted phishing attemptsvia text and email, sim swap attacks to get ahold of accounts and the doxing of private information.
There are some serious concerns with this.
— Haseeb Awan - efani.com (@haseeb)December 25, 2022
#1 - Identities of many pseudo accounts will be public, posing risks for them
#2 - With a phone number, it's super easy to find anyone's address and banking information.
#3 - Multiple phishing attempts via cellphone, physical, or email
People are being advised to take precautions such as making sure two-factor authentication settings are turned on for their various accounts, via an app and not their phone number, along with changing their passwords and storing them securely and also using a privateself-hosted crypto wallet.
https://cointelegraph.com/news/400m-twitter-users-data-is-reportedly-on-sale-in-the-black-market