Users first bought what appeared to be legitimate NFTs on these websites, and those NFTs then sent the buyer on to shady NFT-related sites to finish the minting process.
However, according to research by blockchain security firm SlowMist, these websites used the minting process to harvest sensitive data, including IP addresses, token authorisations (approvals), and the victim's use of browser plug-in wallets.
This allegedly included tricking users into approving actions, among them handing over a Seaport signature, the digital signature that authorises an order on Seaport, the protocol OpenSea uses to settle NFT trades. Decrypt contacted OpenSea, X2Y2, and Rarible for comment, but they have yet to respond.
The operation has been running for some months, with the first site appearing to have been created more than seven months ago. The researchers found more than 500 domains serving these "malicious mints" in total.
Most of these domains reportedly shared the same IP address.
The report estimates that the attackers gained about 300 ETH, worth roughly $366,000 at the time, and seized about 1,055 NFTs.
Additionally, according to SlowMist, the attackers used tokens including Wrapped Ethereum (WETH), USD Coin (USDC), DAI, and Uniswap (UNI) in further unauthorised transactions.
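The two things the phishing sites asked victims for, a Seaport order signature and token authorisations, are both visible to the wallet before the user confirms. The following is an added example, not code from the article or from SlowMist, of the checks a wallet or browser extension could run on such requests. It assumes the request arrives as EIP-712 typed data carrying Seaport's OrderComponents struct (for signatures) or as a plain {to, data} transaction (for approvals), and that the harmful pattern is an order that moves the signer's NFTs out while paying the signer nothing, or an approval granted to a spender the wallet does not recognise. All addresses and requests below are constructed for illustration.

```javascript
// Added example, not from the article or SlowMist's report: two checks a wallet
// or browser extension could run on requests before the user signs or sends.
// Assumed request shapes: EIP-712 typed data (domain / primaryType / message)
// carrying Seaport's OrderComponents struct, and a plain {to, data} transaction.

const MAX_UINT256 = (1n << 256n) - 1n;
const SEL_APPROVE = "0x095ea7b3";              // approve(address,uint256)
const SEL_SET_APPROVAL_FOR_ALL = "0xa22cb465"; // setApprovalForAll(address,bool)
// Seaport ItemType: 0 NATIVE, 1 ERC20, 2 ERC721, 3 ERC1155, 4/5 criteria variants of 2/3
const NFT_ITEM_TYPES = new Set([2, 3, 4, 5]);
const YEAR_2100 = 4102444800n;                 // unix time; later than this means "never expires"

const sameAddr = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();

// Flags a Seaport order that hands the signer's NFTs to someone else for nothing.
function reviewSeaportOrder(typedData, signer) {
  const warnings = [];
  if (typedData.primaryType !== "OrderComponents" || typedData.domain.name !== "Seaport") {
    return warnings; // not a Seaport order; out of scope for this check
  }
  const order = typedData.message;
  if (!sameAddr(order.offerer, signer)) {
    warnings.push(`offerer ${order.offerer} is not the signing account`);
  }
  const nftsGiven = (order.offer || []).filter((i) => NFT_ITEM_TYPES.has(Number(i.itemType)));
  // What the signer actually receives: consideration items addressed back to the signer.
  const paidToSigner = (order.consideration || [])
    .filter((c) => sameAddr(c.recipient, signer))
    .reduce((sum, c) => sum + BigInt(c.startAmount), 0n);
  if (nftsGiven.length > 0 && paidToSigner === 0n) {
    warnings.push(`order gives away ${nftsGiven.length} NFT(s) and pays the signer nothing`);
  }
  if (BigInt(order.endTime) > YEAR_2100) {
    warnings.push("order never expires, so it stays fillable long after the site is gone");
  }
  return warnings;
}

// Decodes approve()/setApprovalForAll() calldata and flags grants to unknown spenders.
function reviewApprovalTx(tx, trustedSpenders = []) {
  const warnings = [];
  const data = (tx.data || "0x").toLowerCase();
  const selector = data.slice(0, 10);
  const words = data.slice(10).match(/.{64}/g) || []; // 32-byte ABI words
  if (words.length < 2) return warnings;
  const spender = "0x" + words[0].slice(24);          // address = low 20 bytes of word 0
  const trusted = trustedSpenders.some((t) => sameAddr(t, spender));
  if (selector === SEL_APPROVE) {
    const amount = BigInt("0x" + words[1]);
    if (amount === MAX_UINT256) warnings.push(`unlimited approval of ${tx.to} to ${spender}`);
    if (amount > 0n && !trusted) warnings.push(`spender ${spender} is not a known contract`);
  } else if (selector === SEL_SET_APPROVAL_FOR_ALL) {
    const approved = BigInt("0x" + words[1]) !== 0n;
    if (approved) warnings.push(`setApprovalForAll on ${tx.to} hands every token to ${spender}`);
    if (approved && !trusted) warnings.push(`operator ${spender} is not a known contract`);
  }
  return warnings;
}

// ---- Constructed sample requests (illustrative addresses, not real accounts) ----
const VICTIM = "0x1111111111111111111111111111111111111111";
const ATTACKER = "0x2222222222222222222222222222222222222222";
const MARKET = "0x3333333333333333333333333333333333333333"; // stands in for a trusted operator
const NFT = "0x4444444444444444444444444444444444444444";
const WETH = "0x5555555555555555555555555555555555555555";
const ZERO = "0x0000000000000000000000000000000000000000";

const baseOrder = {
  offerer: VICTIM, zone: ZERO, orderType: 0, startTime: "0",
  zoneHash: "0x" + "00".repeat(32), salt: "0", conduitKey: "0x" + "00".repeat(32), counter: "0",
  offer: [{ itemType: 2, token: NFT, identifierOrCriteria: "1", startAmount: "1", endAmount: "1" }],
};
// Phishing-style listing: the NFT leaves the wallet, no consideration, never expires.
const maliciousOrder = {
  domain: { name: "Seaport", version: "1.1", chainId: 1 },
  primaryType: "OrderComponents",
  message: { ...baseOrder, consideration: [], endTime: String(MAX_UINT256) },
};
// Ordinary listing: 1 ETH back to the seller, with a fixed expiry timestamp.
const fairOrder = {
  domain: { name: "Seaport", version: "1.1", chainId: 1 },
  primaryType: "OrderComponents",
  message: {
    ...baseOrder,
    consideration: [{ itemType: 0, token: ZERO, identifierOrCriteria: "0",
      startAmount: "1000000000000000000", endAmount: "1000000000000000000", recipient: VICTIM }],
    endTime: "1700000000",
  },
};

const word = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const setApprovalForAllTx = { to: NFT, data: SEL_SET_APPROVAL_FOR_ALL + word(ATTACKER) + word("1") };
const unlimitedApproveTx = { to: WETH, data: SEL_APPROVE + word(ATTACKER) + "f".repeat(64) };
const normalApproveTx = { to: WETH, data: SEL_APPROVE + word(MARKET) + word("3e8") };

console.log(reviewSeaportOrder(maliciousOrder, VICTIM));   // 2 warnings
console.log(reviewSeaportOrder(fairOrder, VICTIM));        // []
console.log(reviewApprovalTx(setApprovalForAllTx, [MARKET])); // 2 warnings
console.log(reviewApprovalTx(normalApproveTx, [MARKET]));     // []
```

The zero-consideration test is the one that catches the listing trick: a signature request that looks like a normal "sell" prompt but whose consideration array is empty or pays someone other than the signer. The approval decoder only reads the two ABI words after the selector, so it works on raw calldata without an ABI library; a real wallet would also resolve tx.to to a token name and keep its trusted-spender list per chain.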
Crypto Breaches And North Korea
North Korea has emerged as a major player in cryptocurrency-related cybercrime.
According to a new assessment from South Korea's main intelligence agency, hackers with ties to North Korea have stolen 1.5 trillion won ($1.2 billion) over the past five years.
According to sources from the Associated Press, the Hermit Kingdom has turned to cybercrime to generate income in the wake of the U.N. sanctions imposed in 2016 and 2017 in response to the country stepping up its nuclear program. These sanctions severely restricted some of its core exports, including coal and seafood.
To mislead users, the hackers built fake websites impersonating NFT platforms including Rarible, X2Y2, and OpenSea. The most recent phishing site the group has created and maintained is themed around World Cup-related projects.
Approximately 500 domain names were used by the North Korean APT to phish users, the oldest of them registered about seven months earlier.
The principal domain the APT used to monitor user requests is "thedoodles.site", which was initially used only to record user data.
The TLS certificate for this domain was issued seven months earlier, indicating that the group had been targeting NFT users for at least that long.
On some of the hosts, SlowMist found text files of victim statistics and a large number of attack scripts used by the North Korean hackers. These files recorded the victims' access history, plug-in wallet usage, and token authorisations.