Hackers from North Korea are using nearly 500 phishing domains to steal NFTs.

The hackers created phony websites that imitated NFT marketplaces, NFT projects, and even a DeFi platform.

According to reports, hackers affiliated with North Korea's Lazarus Group are behind a massive phishing campaign aimed at investors in nonfungible tokens (NFTs), employing nearly 500 phishing domains to deceive victims.

SlowMist, a blockchain security company, published a report on December 24 detailing the methods North Korean Advanced Persistent Threat (APT) groups have employed to separate NFT investors from their NFTs, including the use of decoy websites masquerading as a variety of NFT-related platforms and projects.

These fake websites include a site pretending to be a World Cup-related project, as well as sites impersonating popular NFT marketplaces such as OpenSea, X2Y2, and Rarible.

One of the techniques employed, according to SlowMist, was to have these decoy websites offer "malicious Mints," which deceive victims into believing they are minting a legitimate NFT by connecting their wallet to the website.

However, the NFT is fraudulent, and the victim's wallet is left vulnerable to the hacker, who now has access to it.

The report also revealed that many of the phishing websites shared the same Internet Protocol (IP) address, with 372 NFT phishing websites operating under a single IP and another 320 NFT phishing websites operating under a different IP.
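Shared hosting like this gives defenders a pivot point. The following is an added example, not code from SlowMist's report: it groups constructed passive-DNS records by IP and flags addresses that host several lookalikes of the marketplaces named above, listing every co-hosted domain for review. The official domains, the sample records, the threshold and all function names are assumptions.

```python
from collections import defaultdict

# Assumption: official registrable domains of the marketplaces named in the article.
OFFICIAL = {"opensea": "opensea.io", "x2y2": "x2y2.io", "rarible": "rarible.com"}

# Constructed sample records (domain, resolved IP). IPs come from the RFC 5737
# documentation ranges; lookalike domains use the reserved .example TLD.
SAMPLE_RECORDS = [
    ("opensea-mint.example", "192.0.2.10"),
    ("0pensea-drop.example", "192.0.2.10"),
    ("free-x2y2.example", "192.0.2.10"),
    ("rarible-claim.example", "192.0.2.10"),
    ("worldcup-nft.example", "192.0.2.10"),
    ("opensea.io", "198.51.100.7"),
    ("blog.example", "203.0.113.5"),
    ("rarible-fans.example", "203.0.113.5"),
]

def impersonated_brand(domain):
    """Return the brand a domain imitates, or None if official or unrelated."""
    d = domain.lower().rstrip(".")
    # Official domains and their subdomains are never lookalikes.
    if any(d == o or d.endswith("." + o) for o in OFFICIAL.values()):
        return None
    # Undo two common digit-for-letter swaps before matching brand names.
    normalized = d.replace("0", "o").replace("1", "l")
    return next((b for b in OFFICIAL if b in normalized), None)

def shared_ip_clusters(records, min_lookalikes=2):
    """Group domains by IP and report IPs hosting several lookalike domains."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain.lower().rstrip("."))
    findings = {}
    for ip, domains in by_ip.items():
        hits = {d: b for d in domains if (b := impersonated_brand(d))}
        if len(hits) >= min_lookalikes:
            # Co-hosted domains without a brand match still need review:
            # they share infrastructure with the confirmed lookalikes.
            findings[ip] = {"lookalikes": hits,
                            "co_hosted": sorted(domains - set(hits))}
    return findings

if __name__ == "__main__":
    for ip, info in shared_ip_clusters(SAMPLE_RECORDS).items():
        print(ip, sorted(info["lookalikes"]), info["co_hosted"])
```

In the sample data the pivot also surfaces the World Cup-themed domain, which matches no marketplace name and would be missed by name matching alone.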

According to SlowMist, the phishing campaign has been ongoing for several months, with the earliest domain name being registered roughly seven months ago.

In addition to recording and storing visitor information on external sites, the phishers also linked images to target projects.

Once the hackers were about to obtain the visitor's data, they would run various attack scripts on the victim, granting them access to the victim's access records, authorizations, and use of plug-in wallets, as well as sensitive data including the victim's approve record and sigData.

All of this information enables the hacker to access the victim's wallet, thereby exposing all of their digital assets.

SlowMist emphasized, however, that this is merely the "tip of the iceberg," as the analysis only examined a small portion of the materials and extracted "some" of the phishing characteristics of the North Korean hackers.

SlowMist revealed that, using these phishing techniques, a single phishing address was able to acquire 1,055 NFTs and earn 300 Ether, worth $367,000.

It added that the same North Korean APT group was also responsible for the Naver phishing campaign that Prevailion documented on March 15.

In 2022, North Korea was at the center of numerous cryptocurrency theft crimes.

According to a report published by the National Intelligence Service (NIS) of South Korea on December 22, North Korea stole $620 million worth of cryptocurrencies in 2018.

Japan's National Police Agency issued a warning to the nation's crypto-asset businesses in October, advising them to be wary of the North Korean hacking group.
