SlowMist (@SlowMist_Team) · Dec 24, 2022 · 11 tweets
🚨SlowMist Security Alert🚨

North Korean APT group targeting NFT users with large-scale phishing campaign

This is just the tip of the iceberg. Our thread only covers a fraction of what we've discovered.

Let's dive in
On September 4, Twitter user @PhantomXSec tweeted that a North Korean APT group had conducted a large-scale phishing campaign targeting dozens of ETH and SOL projects.

The list of specific domain names was shared as an image attached to that tweet (not reproduced here).
Following up on @PhantomXSec's investigation, here's what we found:

FYI: For confidentiality and security reasons, we're only covering a small portion of the phishing materials. There were multiple attack vectors, but our focus will be on NFT phishing.
The same North Korean cyber actors responsible for the massive Naver phishing campaign first documented by @prevailion are also behind this campaign.

One technique involved creating fake NFT-related websites with malicious Mints to steal NFTs. The actors used nearly 500 different domain names, and the stolen NFTs were sold on platforms such as @OpenSea, @X2Y2, and @rarible.

One of the earliest incidents can be traced back 7 months.
At the same time, we found several phishing traits characteristic of North Korean hackers:

1. Visitor data is recorded and saved to external sites.
2. The HTTP request path "getPriceData.php" is used to serve the NFT item price list.
3. An "imgSrc.js" file links the images used by the fake project.
Next, we analyzed the core code of these attacks.

The code (shown as screenshots in the original thread) was used to induce victims into the more common phishing Approve operations, i.e. approval transactions that grant the attacker's address spending rights over the victim's NFTs and ERC20 tokens.

They also tried to induce victims into signing Seaport orders and Permit signatures, among others.
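Wallet-side checks for exactly these request types, as an added example that is not part of the original thread or of SlowMist's tooling. It decodes approve/setApprovalForAll calldata and inspects EIP-2612 Permit and Seaport OrderComponents typed data before the user signs. The function selectors and EIP-712 primary types are the standard ones; every address, the operator allowlist and the sample requests are constructed for the demo:

```python
"""Classify wallet JSON-RPC requests the way an anti-phishing hook would.
Added example, not SlowMist code. Selectors and primary types are standard;
all addresses, the allowlist and the samples are constructed."""
import json

SEL_APPROVE = "0x095ea7b3"               # approve(address,uint256)  ERC-20 / ERC-721
SEL_SET_APPROVAL_FOR_ALL = "0xa22cb465"  # setApprovalForAll(address,bool)  ERC-721 / 1155
MAX_UINT256 = 2 ** 256 - 1
THIRTY_DAYS = 30 * 24 * 3600

# Constructed addresses standing in for real actors.
ATTACKER = "0x" + "ba" * 20
VICTIM = "0x" + "01" * 20
NFT_CONTRACT = "0x" + "c0" * 20
ERC20_TOKEN = "0x" + "e2" * 20
MARKET_OPERATOR = "0x" + "5e" * 20       # hypothetical legitimate marketplace operator
TRUSTED_OPERATORS = {MARKET_OPERATOR}
NOW = 1_671_840_000                      # constructed "current" unix time


def _word(data: str, index: int) -> int:
    """index-th 32-byte ABI word after the 4-byte selector."""
    body = data[10:]
    return int(body[index * 64:(index + 1) * 64], 16)


def _addr(word: int) -> str:
    return "0x" + f"{word:064x}"[-40:]


def _pad(n: int) -> str:
    return f"{n:064x}"


def classify_tx(tx: dict, trusted=TRUSTED_OPERATORS) -> list[str]:
    """Flag approval transactions that hand token control to an untrusted address."""
    data = tx.get("data", "0x").lower()
    selector, findings = data[:10], []
    if selector == SEL_SET_APPROVAL_FOR_ALL:
        operator, approved = _addr(_word(data, 0)), _word(data, 1)
        if approved and operator not in trusted:
            findings.append(f"HIGH setApprovalForAll: {operator} gets every token in {tx['to']}")
    elif selector == SEL_APPROVE:
        spender, amount = _addr(_word(data, 0)), _word(data, 1)
        if spender not in trusted:
            unlimited = amount == MAX_UINT256
            findings.append(f"{'HIGH' if unlimited else 'MEDIUM'} approve: {spender} may spend "
                            f"{'unlimited' if unlimited else amount} of {tx['to']}")
    return findings


def classify_typed_data(typed: dict, now: int, trusted=TRUSTED_OPERATORS) -> list[str]:
    """Flag Permit and Seaport signatures whose economics favour the counterparty."""
    msg, findings = typed.get("message", {}), []
    if typed.get("primaryType") == "Permit":              # EIP-2612 gas-free approval
        spender = msg.get("spender", "").lower()
        value, deadline = int(msg.get("value", 0)), int(msg.get("deadline", 0))
        if spender not in trusted:
            findings.append(f"HIGH Permit: {spender} may spend "
                            f"{'unlimited' if value == MAX_UINT256 else value} gas-free")
        if deadline - now > THIRTY_DAYS:
            findings.append(f"MEDIUM Permit: deadline {deadline} is more than 30 days out")
    elif typed.get("primaryType") == "OrderComponents":   # Seaport listing
        offerer = msg.get("offerer", "").lower()
        offered = len(msg.get("offer", []))
        # What the signer actually gets back: consideration items paid to the offerer.
        # A real check would price each item; here any zero return is a giveaway.
        received = sum(int(c.get("startAmount", 0)) for c in msg.get("consideration", [])
                       if c.get("recipient", "").lower() == offerer)
        if offered and received == 0:
            findings.append(f"HIGH Seaport: order gives away {offered} item(s), offerer receives nothing")
    return findings


def classify_request(req: dict, now: int = NOW) -> list[str]:
    """Dispatch on JSON-RPC method; typed data may arrive as a dict or a JSON string."""
    method, params = req["method"], req["params"]
    if method == "eth_sendTransaction":
        return classify_tx(params[0])
    if method in ("eth_signTypedData_v3", "eth_signTypedData_v4"):
        typed = params[1]
        return classify_typed_data(json.loads(typed) if isinstance(typed, str) else typed, now)
    return []


SAMPLES = {  # constructed requests mirroring the lures described above
    "set_approval_for_all": {"method": "eth_sendTransaction", "params": [{
        "from": VICTIM, "to": NFT_CONTRACT,
        "data": SEL_SET_APPROVAL_FOR_ALL + _pad(int(ATTACKER, 16)) + _pad(1)}]},
    "unlimited_approve": {"method": "eth_sendTransaction", "params": [{
        "from": VICTIM, "to": ERC20_TOKEN,
        "data": SEL_APPROVE + _pad(int(ATTACKER, 16)) + _pad(MAX_UINT256)}]},
    "approve_trusted": {"method": "eth_sendTransaction", "params": [{
        "from": VICTIM, "to": NFT_CONTRACT,
        "data": SEL_APPROVE + _pad(int(MARKET_OPERATOR, 16)) + _pad(7)}]},
    "permit": {"method": "eth_signTypedData_v4", "params": [VICTIM, json.dumps({
        "primaryType": "Permit",
        "message": {"owner": VICTIM, "spender": ATTACKER, "value": str(MAX_UINT256),
                    "nonce": "0", "deadline": str(NOW + 365 * 24 * 3600)}})]},
    "seaport_gift": {"method": "eth_signTypedData_v4", "params": [VICTIM, {
        "primaryType": "OrderComponents",
        "message": {"offerer": VICTIM,
                    "offer": [{"itemType": 2, "token": NFT_CONTRACT, "identifierOrCriteria": "1",
                               "startAmount": "1", "endAmount": "1"}],
                    "consideration": [{"itemType": 0, "token": "0x" + "00" * 20,
                                       "identifierOrCriteria": "0", "startAmount": "1",
                                       "endAmount": "1", "recipient": ATTACKER}]}}]},
}


def run_samples() -> dict[str, list[str]]:
    return {name: classify_request(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {findings or ['OK']}")
```

The point of the Seaport branch is that a phishing listing is a perfectly valid order: the signature is not forged, the victim simply signs away the NFT for a consideration that goes to someone else. A wallet that only checks "is this a known marketplace type?" would pass it; the check has to look at who receives what.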
We then used our AML platform @MistTrack_io for further analysis, focusing on the address (0xC0fd...e0ca).

MistTrack flags it as a high-risk phishing address with numerous transactions. It received a total of 1,055 NFTs and sold them for almost 300 ETH.
Its initial funding of 4.97 $ETH was sent from the address (0x2e0a...DA82).

(0x2e0a...DA82) also interacted with other addresses flagged as risky by #MistTrack. It transferred 5.7 ETH to @FixedFloat, and its own initial funding of 1.433 ETH came from @binance.
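The same reasoning as a graph walk over a transfer list, as an added example that is neither SlowMist's nor MistTrack's code. "Initial funding" is taken to mean the earliest inbound transfer, followed upstream until a labelled entity (exchange, swap service) is reached; the transfers and labels are constructed to mirror the thread, and the placeholder addresses stand in for the truncated ones above (they are not the real addresses):

```python
"""Follow an address's initial-funding chain and list its risky counterparties.
Added example, not SlowMist or MistTrack code. Transfers, labels and the
placeholder addresses below are constructed to mirror the thread."""
from collections import namedtuple

Transfer = namedtuple("Transfer", "block sender receiver eth")

PHISHER = "0x" + "c0" * 20       # stands in for 0xC0fd...e0ca
FUNDER = "0x" + "2e" * 20        # stands in for 0x2e0a...DA82
BINANCE_HOT = "0x" + "b1" * 20   # constructed exchange hot wallet
FIXEDFLOAT = "0x" + "ff" * 20    # constructed swap-service deposit address
FLAGGED_ADDR = "0x" + "d1" * 20  # constructed address already flagged as risky
UNKNOWN = "0x" + "aa" * 20
VICTIM = "0x" + "01" * 20

LABELS = {BINANCE_HOT: "Binance (exchange)", FIXEDFLOAT: "FixedFloat (swap service)"}
RISKY = {FLAGGED_ADDR, PHISHER}

TRANSFERS = [  # constructed; amounts follow the figures quoted in the thread
    Transfer(15_000_000, BINANCE_HOT, FUNDER, 1.433),   # funder's first inbound
    Transfer(15_000_050, UNKNOWN, FUNDER, 6.0),
    Transfer(15_000_100, FUNDER, PHISHER, 4.97),        # phisher's initial funding
    Transfer(15_000_200, FUNDER, FLAGGED_ADDR, 0.5),
    Transfer(15_200_000, PHISHER, FUNDER, 12.0),        # proceeds flowing back
    Transfer(15_200_500, FUNDER, FIXEDFLOAT, 5.7),      # cash-out
    Transfer(15_300_000, VICTIM, PHISHER, 0.1),
]


def first_funding(transfers, addr):
    """Earliest inbound transfer to addr, or None if it was never funded."""
    inbound = [t for t in transfers if t.receiver == addr]
    return min(inbound, key=lambda t: t.block) if inbound else None


def trace_funding(transfers, addr, labels=LABELS, max_hops=8):
    """Walk first-inbound transfers upstream until a labelled entity or a dead end.
    Returns [(sender, eth, label_or_None), ...] starting from addr's own funder."""
    path, seen, current = [], set(), addr
    for _ in range(max_hops):
        t = first_funding(transfers, current)
        if t is None or t.sender in seen:   # unfunded origin, or a loop
            break
        seen.add(current)
        path.append((t.sender, t.eth, labels.get(t.sender)))
        if t.sender in labels:              # reached an entity with a real-world label
            break
        current = t.sender
    return path


def counterparties(transfers, addr):
    return {t.receiver if t.sender == addr else t.sender
            for t in transfers if addr in (t.sender, t.receiver)}


def risk_report(transfers, addr, risky=RISKY, labels=LABELS):
    peers = counterparties(transfers, addr)
    return {
        "funding_chain": trace_funding(transfers, addr, labels),
        "risky_counterparties": sorted(peers & risky),
        "cashout_services": sorted(labels[a] for a in peers if a in labels),
    }


if __name__ == "__main__":
    for who, name in ((PHISHER, "phisher"), (FUNDER, "funder")):
        print(name, risk_report(TRANSFERS, who))
```

On a real chain the transfer list comes from an indexer and the label set from a service like MistTrack; the walk itself is the same. The hop limit and the `seen` set matter because attackers deliberately route funds in loops between their own addresses.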
For confidentiality and privacy reasons, this article only analyzed a small portion of the NFT phishing materials.

Special thanks to @1nf0s3cpt and @realScamSniffer for their support in our investigation.

For the complete article 👇
slowmist.medium.com/slowmist-our-i…
To stay safe from phishing attacks, we strongly advise building up your security knowledge and your ability to recognize such threats.

For additional information, check out the 👉 github.com/slowmist/Block…

And as always, stay vigilant!
