North Korean Lazarus Group phishing NFT investors


  • Lazarus Group believed to be behind a massive phishing campaign targeting NFT investors.
  • SlowMist released a report on Dec. 24, revealing the tactics used.
  • Methods of the Lazarus Group are fake bait websites to offer “malicious mints.

The Lazarus Group is a mysterious hacking collective that is believed to be behind a massive phishing campaign targeting NFT investors. employing nearly 500 phishing domains to dupe victims.

A blockchain security firm called SlowMist published a report on Dec. 24 disclosing the ploys used by the North Korean Persistent Threat (APT) group to separate NFT investors from NFTs. These fake websites include those masquerading as World Cup-related projects and those posing as well-known NFT marketplaces such as OpenSea, X2Y2, and Rarible.

Source: Baycanimation

SlowMist said one of the moves used was for these bait websites to offer malicious mints. This consists of connecting the victim’s wallet to her website to make them believe they are creating a legitimate NFT.

The report found that many of the phishing websites were regulated on the same Internet Protocol (IP address ), with 372 NFT phishing websites connected on one IP and another 320 NFT phishing websites connected on another IP. 

The Lazarus Group’s modus operandi is simple: they send out spam emails laden with links to phishing pages that look legitimate. Once an investor clicks on the link, they are taken to a fake site that looks exactly like the real deal. The site looks official, has the same branding, and even has the same layout. The only difference is that the site asks for personal information like passwords and investment details.

This is a very sophisticated organization that has successfully robbed unsuspecting investors of their money. Thus, the report from SlowMist says this is just the tip of the iceberg.