SlowMist investigation of North Korean APT shows huge phishing threats to NFT users

SlowMist has reported that a hacker group from North Korea recently conducted a phishing attack. SlowMist was established in 2018 as a blockchain security firm. It provides services such as security audits, red teaming, and security consultancy, to mention a few.

The aim was to steal non-fungible tokens and sell them in a marketplace. The attempt succeeded: the hacker group based in North Korea stole 1,055 non-fungible tokens. These were then sold in a marketplace like OpenSea to earn approximately $365,000, equivalent to 300 ETH.

One of the wallet addresses has been linked to the said hacker group, which is described as an APT, short for Advanced Persistent Threat. Such a group is known for gaining access to a network to steal funds or data, NFTs in this case, and staying undetected for a long time. A phishing attack is one where a bad actor misrepresents themselves as a legitimate organization. They then encourage users to sign a transaction that processes the sale of their assets, and users end up losing their NFTs.

The report published by SlowMist has revealed that the North Korean attacking group targets cryptocurrency and NFT users through 500 different domain names. One wallet identified by SlowMist has been linked to the group.

It is not the first time crypto and NFT users have been scammed through a phishing attack. Thirty-five Bored Apes NFTs were stolen within one week in March. The theft of 29 Moonbirds followed in May; their value stood at $1.5 million when they were stolen.

North Korean hackers are said to be sponsored by their government, which seeks funds for its nuclear program. The group is part of a larger trend where only crypto-related businesses and individuals are targeted.

According to the UN, the North Korean hackers reportedly stole $2 billion in funds in 2019. Furthermore, it was found that the funds stolen by the hackers were being used to strengthen the country’s nuclear program. The US government has sanctioned Tornado Cash with a warning to all the hackers involved in a crypto assault.

News of the attack was broken earlier by a Twitter user who goes by the name Phantom X. The user had said that the APT group targeted a dozen ETH and SOL projects spanning over 190 domains. SlowMist then noticed the incident and followed up immediately.

A further explanation reveals that the phishing website records the data of its visitors and saves it to an external site. Another way is by requesting an NFT item price list. The investigation is ongoing, with more details awaited by the community.


North Korean attackers have been identified earlier by several organizations. The recent attacks make it more evident that their involvement is causing much trouble for businesses and individuals in the crypto-related sphere.

However, the police have warned that the North Korean hackers are still active and have not yet eased up in their phishing attacks on the crypto market.

Roxanne Williams

Roxanne Williams has recently joined as a market reporter for CryptoNewsZ, the 24/7 crypto news site, where she produces recent stories, technical analysis and price updates on the world's leading cryptocurrencies.
