The North Korea-based Lazarus threat actor group has been linked to a massive phishing campaign targeting NFT investors. The campaign, which has been active for the past seven months, is only the tip of the iceberg, according to researchers.

Diving into details of the attack

The campaign was first noticed by researchers in September who later followed up with an in-depth analysis.
  • It was found that the attackers set up nearly 500 decoy sites with malicious Mints.
  • These sites impersonate well-known NFT marketplaces such as OpenSea, X2Y2, and Rarible to dupe victims. Besides, one of these sites pretends to be a project associated with the World Cup.
  • During the early stage of the campaign, the APT monitored and recorded user data via a domain name ‘thedoodles[.]site.’

Attack tactics

The attack begins with spam emails carrying links to phishing pages designed to look legitimate.
  • Once an investor clicks on the link, they are taken to a fake site that has the same branding and even the same layout.
  • The site asks victims for personal information and investment details, which are then transferred to the attackers.
  • This enables the Lazarus group to gain complete access to victims’ assets, including their approve records and sigData.
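The lookalike-domain tactic described above can be screened for on the mail-gateway side. The following Python script is an added example, not code from the article or from the researchers it cites: it extracts URLs from a constructed sample email, refangs defanged indicators, and classifies each link as a legitimate marketplace domain, a known indicator from the article (thedoodles[.]site), a brand lookalike (brand name embedded in the hostname, or an edit distance of at most two from a brand label), or unknown. The canonical domains opensea.io, x2y2.io and rarible.com are assumed here; the article names only the brands. The sample email and the other domains in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Canonical domains of the impersonated marketplaces (assumption: the article
# names the brands OpenSea, X2Y2 and Rarible, not their domains).
LEGIT_DOMAINS = {"opensea.io", "x2y2.io", "rarible.com"}
BRANDS = ("opensea", "x2y2", "rarible")

# Indicator reported in the article, defanged there as thedoodles[.]site.
KNOWN_BAD = {"thedoodles.site"}

# Constructed sample email body; every link except opensea.io is made up.
SAMPLE_EMAIL = """Your exclusive mint is live: https://opensea-mint.xyz/claim
Verify your wallet now at https://rar1ble.com/verify
Browse the collection: https://opensea.io/collection/example
World Cup drop: https://thedoodles[.]site/mint
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(text: str) -> str:
    """Turn defanged '[.]' notation back into real dots so URLs parse."""
    return text.replace("[.]", ".")


def registered_domain(url: str) -> str:
    """Return the last two labels of the hostname (naive eTLD+1)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-character swaps like rar1ble."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Label a URL as legit, known-bad, lookalike or unknown."""
    url = refang(url)
    host = (urlparse(url).hostname or "").lower()
    dom = registered_domain(url)
    if dom in LEGIT_DOMAINS:
        return "legit"
    if dom in KNOWN_BAD:
        return "known-bad"
    label = dom.split(".")[0]
    for brand in BRANDS:
        # Brand embedded anywhere in the hostname (opensea-mint.xyz,
        # opensea.io.login.example.net) or a near-miss spelling of it.
        if brand in host or levenshtein(label, brand) <= 2:
            return "lookalike"
    return "unknown"


def scan_email(body: str) -> list:
    """Extract every URL from an email body and classify it."""
    return [(u, classify(u)) for u in URL_RE.findall(refang(body))]


if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

The naive two-label registered-domain split is adequate for the sample but misclassifies multi-part suffixes such as co.uk; a production filter would use the public suffix list, and would treat the edit-distance threshold as a tuning knob to balance against false positives on short brand names like x2y2.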

NFT-related hacks a major security concern

  • Morphisec Labs observed a new wave of NFT-001 attacks a couple of months ago that delivered Remcos RAT in the first stage and Eternity Stealer in the second stage. The campaign was designed primarily to target users in crypto and NFT communities on Discord and other forums. 
  • In another incident, the hackers dropped malicious NFTs pretending to be Phantom security updates to target Solana cryptocurrency owners. The ultimate purpose of the attackers was to steal funds from users.
  • In July, crooks stole 314 NFTs and $375,000 worth of crypto assets by hacking the popular Premint NFT platform, in one of the biggest hacks ever.
As researchers continue to monitor Lazarus' activities, it is advised that NFT users should strengthen their understanding of cybersecurity and enhance their ability to detect phishing attacks.
Cyware Publisher