SlowMist
Dec 24, 11 tweets, 8 min read
🚨SlowMist Security Alert🚨

North Korean APT group targeting NFT users with large-scale phishing campaign

This is just the tip of the iceberg. Our thread only covers a fraction of what we've discovered.

Let's dive in.
On September 4, Twitter user PhantomXSec tweeted that the North Korean APT organization had conducted a large-scale phishing campaign targeting dozens of ETH and SOL projects.

The list of specific domain names is as follows:
Following up on @PhantomXSec's investigation, here's what we found:

FYI: For confidentiality and security reasons, we're only covering a small portion of the phishing materials. There were multiple attack vectors but our focus will be directed towards NFT phishing.
Also, the same North Korean cyber actors responsible for the massive Naver phishing campaign first documented by @prevailion are also behind this campaign.

One technique involved creating fake NFT-related websites with malicious mints to steal NFTs. The actors used nearly 500 different domain names, and the stolen NFTs were then sold on marketplaces such as @OpenSea, @X2Y2, and @rarible.

One of the earliest incidents can be traced back to 7 months ago.
At the same time, we found some unique phishing traits commonly used by North Korean hackers:

1. Recording and saving visitor data to external sites.
2. Use of the HTTP request path "getPriceData.php" for the NFT item price list.
3. An "imgSrc.js" file that links the project's images.
Next, we analyzed the core code of these attacks.

The following was used to induce victims into performing the more common phishing Approve operations, such as authorizing NFTs and ERC20 tokens.

They also tried to induce victims into signing Seaport and Permit messages, among others.
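Wallet-side detection for the Approve operations described above, as an added example that is not code from the SlowMist thread: an offline classifier over raw transaction calldata that flags setApprovalForAll and unlimited approve() calls to an operator the user has not chosen. The selectors are the standard ERC-20/ERC-721/ERC-1155 ones; all addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional
MAX_UINT256 = (1 << 256) - 1

# First 4 bytes of keccak256(canonical signature): the approval calls NFT phishing pages ask for
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155: a whole collection
    "095ea7b3": "approve(address,uint256)",         # ERC-20 allowance / single ERC-721 token
}

@dataclass
class ApprovalFinding:
    function: str
    spender: str      # operator or spender that gains control of the assets
    unlimited: bool   # setApprovalForAll(..., true) or an allowance of 2**256-1
    risk: str         # "low" | "medium" | "high"

def classify_calldata(calldata_hex: str, trusted_operators: set) -> Optional[ApprovalFinding]:
    """Return a finding for approval-style calldata, None for any other call."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    if len(data) < 4 + 2 * 32:                      # selector + two ABI words
        return None
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return None
    spender = "0x" + data[16:36].hex()              # address is right-aligned in word 0
    arg1 = int.from_bytes(data[36:68], "big")       # bool or uint256 in word 1
    unlimited = (arg1 == 1) if sig.startswith("setApprovalForAll") else (arg1 == MAX_UINT256)
    if spender in trusted_operators:
        risk = "low"        # an operator the user deliberately chose (e.g. a known marketplace)
    elif unlimited:
        risk = "high"       # one click hands over a whole collection or the full token balance
    else:
        risk = "medium"
    return ApprovalFinding(sig, spender, unlimited, risk)

# Constructed samples: 0x1111... is a placeholder phishing operator, 0x2222... a placeholder trusted one
PHISH_OPERATOR = "11" * 20
TRUSTED = {"0x" + "22" * 20}
SAMPLES = [
    "0xa22cb465" + "00" * 12 + PHISH_OPERATOR + "00" * 31 + "01",  # setApprovalForAll(phish, true)
    "0x095ea7b3" + "00" * 12 + PHISH_OPERATOR + "ff" * 32,         # approve(phish, MAX_UINT256)
    "0x095ea7b3" + "00" * 12 + PHISH_OPERATOR + "00" * 31 + "05",  # approve(phish, 5)
    "0xa22cb465" + "00" * 12 + "22" * 20 + "00" * 31 + "01",       # setApprovalForAll(trusted, true)
    "0xa9059cbb" + "00" * 12 + PHISH_OPERATOR + "00" * 32,         # transfer(...): not an approval
]

def scan_samples():
    """Classify every constructed sample; None entries are non-approval calls."""
    return [classify_calldata(c, TRUSTED) for c in SAMPLES]
```

A wallet or browser extension would run classify_calldata on the pending transaction before the signing prompt and surface the "high" findings to the user.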
We then used our AML platform @MistTrack_io for further analysis, focusing on the address 0xC0fd...e0ca.

It was flagged as a high-risk phishing address with numerous transactions: it received a total of 1,055 NFTs, which were sold for almost 300 ETH.
An initial funding of 4.97 $ETH was sent from the address (0x2e0a...DA82).

(0x2e0a...DA82) also interacted with other addresses flagged as risky by #MistTrack, where 5.7 ETH was transferred to @FixedFloat with its initial funding of 1.433 ETH coming from @binance.
For confidentiality and privacy reasons, this article only analyzed a small portion of the NFT phishing materials.

Special thanks to @1nf0s3cpt and @realScamSniffer for their support in our investigation.

For the complete article 👇
slowmist.medium.com/slowmist-our-i…
To stay safe from phishing attacks, we strongly advise increasing your security knowledge and improving your ability to identify such threats.

For additional information, check out the 👉 github.com/slowmist/Block…

And as always, stay vigilant!
