{
	"id": "ccd73e14-4236-4b66-978d-2bf7e1bd189a",
	"created_at": "2026-04-06T03:37:10.967841Z",
	"updated_at": "2026-04-10T13:12:29.7466Z",
	"deleted_at": null,
	"sha1_hash": "1fa4596163667003c52026c4b6f2a80c7d22f563",
	"title": "SlowMist: Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5826674,
	"plain_text": "SlowMist: Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users\r\nBy SlowMist\r\nPublished: 2022-12-24 · Archived: 2026-04-06 03:11:11 UTC\r\n7 min read\r\nDec 24, 2022\r\nBackground\r\nOn September 2, the SlowMist security team discovered that suspected APT groups were conducting large-scale phishing activities targeting NFT users in the crypto ecosystem, and released the article “How Scammers Are Paying Nothing for Your NFTs”.\r\nOn September 4, Twitter user PhantomXSec tweeted that the North Korean APT group was responsible for crypto and NFT phishing campaigns targeting dozens of ETH and SOL projects.\r\nhttps://slowmist.medium.com/slowmist-our-in-depth-investigation-of-north-korean-apts-large-scale-phishing-attack-on-nft-users-362117600519\r\nPage 1 of 20\r\nhttps://twitter.com/PhantomXSec/status/1566219671057371136\r\nAfter a thorough analysis, PhantomXSec provided a list of 196 phishing domain names linked to North Korean hackers. The list of specific domain names is as follows:\r\nhttps://pastebin.com/UV9pJN2M\r\nThe SlowMist security team noticed the incident and immediately followed up with an in-depth analysis.\r\nBy the way, the same North Korean cyber actors responsible for the massive Naver phishing campaign first documented by @prevailion are also behind this campaign.\r\nFor confidentiality and privacy reasons, this article only analyzes a small portion of the NFT phishing materials and extracts some phishing characteristics of the North Korean hackers. However, this is just the tip of the iceberg.\r\nAnalysis of Phishing Websites\r\nUpon further investigation, we found that one of the techniques used in this phishing attack involved creating fake NFT-related decoy websites with malicious Mints. These NFTs were sold on platforms such as OpenSea, X2Y2, and Rarible. The North Korean APT group targeted crypto and NFT users with a phishing campaign using nearly 500 different domain names.\r\nBy checking the registration information of these domain names, we found that the earliest registration date traced back to 7 months ago.\r\nAt the same time, we also found some unique phishing traits commonly used by North Korean hackers:\r\nTrait 1: Phishing websites record visitor data and save it to external sites. The hacker records visitors’ information to an external domain through an HTTP GET request. Although the domain names sending the request differ, the API path of the request is always “/postAddr.php”. The general format is “https://nserva.live/postAddr.php?mmAddr=...[Metamask]...\u0026accessTime=xxx\u0026url=evil.site”, where the parameter mmAddr records the visitor’s wallet address, accessTime records the visitor’s visit time, and url records the phishing website link currently visited by the visitor.\r\nTrait 2: The phishing website requests an NFT item price list; the HTTP request path is usually “getPriceData.php”.\r\nTrait 3: There is a file “imgSrc.js” linking images to the target project, which contains a list of target sites and the hosting location of the image files used on their corresponding phishing sites. This file may be part of the phishing site template.\r\nFurther analysis found that the main domain name used by the APT to monitor user requests is “thedoodles.site”, which was mainly used to record user data in the early days of the APT’s activities.\r\nThe HTTPS certificate for this domain name was queried 7 months ago, indicating that the hacker organization had already begun targeting NFT users at that time.\r\nLastly, let’s look at some of the phishing sites the hackers have deployed and operated.\r\nThe latest site pretended to be a project associated with the World Cup.\r\nWe continued to search for relevant website host information based on the relevant HTTPS certificate.\r\nOn some of the hosts we found various attack scripts used by the hackers, as well as txt files with statistical information on victims.\r\nThese files recorded the victims’ access records, authorizations, and use of plug-in wallets.\r\nIt was found that this information matched the visitor data collected by the phishing sites.\r\nThe files also include the victims’ approve records.\r\nSigData, among other sensitive data, was also discovered; it will not be shown here for privacy reasons.\r\nOur analysis also revealed groups of NFT phishing sites hosted under the same IP address, with 372 NFT phishing sites under a single IP.\r\nAnother 320 NFT phishing sites were associated with a different IP address.\r\nWe even discovered a DeFi platform run by North Korean hackers.\r\nDue to the sheer volume of information, we are unable to delve into every detail in this report.\r\nAnalysis of Phishing Methods\r\nIn combination with our previous article “How Scammers Are Paying Nothing for Your NFTs,” we analyzed the core code of this phishing incident. Our investigation revealed that the hackers utilized multiple tokens, such as WETH, USDC, DAI, and UNI, in their phishing attacks.\r\nThe following code is used to induce victims to perform the more common phishing ‘Approve’ operations, such as authorizing NFTs and ERC20 tokens:\r\n[image: phishing site code]\r\nIn addition, the hackers also try to induce victims to perform Seaport and Permit signatures, as well as other authorizing activities.\r\nHere’s a typical example of this type of signature, even though the domain name of the phishing website is not actually ‘opensea.io’:\r\nhttps://twitter.com/evilcos/status/1603969894965317632\r\nWe also discovered that the remaining signature data matched the “Seaport” signature data which the hacker left on the host computer.\r\nSince this type of signature request data can be “stored offline”, the hacker can transfer assets on-chain in batches after obtaining a large amount of signature data from victims.\r\nMistTrack analysis\r\nAfter analyzing the phishing websites and methods, we chose one of the phishing addresses (0xC0fd…e0ca) for further analysis.\r\nWe observed that this address has been flagged as a high-risk phishing address by the MistTrack platform and has a significant number of transactions. The hacker received a total of 1,055 NFTs and made a profit of approximately 300 ETH through their sales.\r\nTracing the source of the funds for this address, we found that an initial 4.97 ETH was transferred from the address (0x2e0a…DA82). Further investigation revealed that this address interacted with other addresses flagged as risky by MistTrack. It was also shown that 5.7 ETH was transferred to FixedFloat.\r\nLet’s examine the initial source of funds for the address (0x2e0a…DA82), which currently holds around 6.5 ETH. The initial funds were sourced from a 1.433 ETH transfer from Binance.\r\nAt the same time, this address also interacted with multiple risky addresses.\r\nSummary\r\nSlowMist advises users to strengthen their security knowledge and further enhance their ability to identify phishing attacks in order to avoid falling victim to them. For additional security information, we recommend reading the “Blockchain Dark Forest Self-Help Handbook”.\r\nDuring our tracking, we found that North Korean hackers and Eastern European hackers seem to be cooperating to phish NFT users. What do you think?\r\nThanks to hip and ScamSniffer for their support.\r\nReferences\r\n[1] https://www.prevailion.com/what-wicked-webs-we-unweave\r\n[2] https://twitter.com/PhantomXSec/status/1566219671057371136\r\n[3] https://twitter.com/IM_23pds/status/1566258373284093952\r\n[4] https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README.md\r\nC2 IOC:\r\nhttps://tothesky[.]in\r\nhttps://commonj[.]xyz\r\nhttps://thedoodles[.]site\r\nAbout SlowMist\r\nSlowMist is a blockchain security firm dedicated to securing Web3’s future. Since our inception in 2018, we have provided services such as security audits, security consulting, red teaming, and more. Our team has audited thousands of crypto and DeFi projects, including major exchanges, wallets, individual smart contracts, DApps, and blockchains.\r\nWebsite: https://www.slowmist.com/\r\nTwitter: https://twitter.com/SlowMist_Team\r\nSource: https://slowmist.medium.com/slowmist-our-in-depth-investigation-of-north-korean-apts-large-scale-phishing-attack-on-nft-users-362117600519",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://slowmist.medium.com/slowmist-our-in-depth-investigation-of-north-korean-apts-large-scale-phishing-attack-on-nft-users-362117600519"
	],
	"report_names": [
		"slowmist-our-in-depth-investigation-of-north-korean-apts-large-scale-phishing-attack-on-nft-users-362117600519"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446630,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1fa4596163667003c52026c4b6f2a80c7d22f563.pdf",
		"text": "https://archive.orkl.eu/1fa4596163667003c52026c4b6f2a80c7d22f563.txt",
		"img": "https://archive.orkl.eu/1fa4596163667003c52026c4b6f2a80c7d22f563.jpg"
	}
}