Researchers have unearthed a new phishing campaign involving North Korea-linked hackers targeting NFT users purchasing tokens on platforms such as OpenSea, X2Y2, and Rarible.

Users would first purchase legitimate-looking NFTs on these websites, and these NFTs would then direct the buyer to fraudulent NFT-related websites to complete the minting process.

However, as per a report from blockchain security company SlowMist, these websites used the minting process to try to extract valuable data, including IP addresses, authorizations, and their use of plug-in wallets in the process. 


This reportedly involved duping users into carrying out authorizing activities such as sending their Seaport signature, a type of digital signature used to verify NFT contracts made on OpenSea.

OpenSea, X2Y2, and Rarible did not immediately respond to Decrypt’s request for comment.

The researchers uncovered that there were over 500 domains in total running these types of “malicious mints,” and the campaign has reportedly been ongoing for several months, with the first domain appearing to be created over seven months ago.

The vast majority of these domains were said to have used the same IP address. 

According to the report, the hackers were able to capture around 1,055 NFTs and made a profit of approximately 300 Ethereum, or $366,000, via their scheme.


SlowMist also alleged that tokens such as Wrapped Ethereum (WETH), USD Coin (USDC), DAI, and Uniswap (UNI) were then used by hackers to facilitate further illicit transfers.

North Korea and crypto hacks

North Korea has become a key player when it comes to crypto-related cybercrime. 

A recent report from South Korea’s primary intelligence agency found North Korea-linked cybercriminals have successfully made off with 1.5 trillion won ($1.2 billion) over the past five years

Sources talking to the Associated Press alleged that in the wake of the U.N. sanctions imposed in 2016 and 2017 in response to the country ramping up its nuclear program, which severely restricted some of its core exports such as coal and seafood, the Hermit Kingdom has pivoted towards cybercrime as a way of extracting revenues. 

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.