SlowMist Security team examined Monkey Drainer NFT scam


  • NFT owners are losing millions of dollars in phishing scams.
  • SlowMist’s security team is inspecting monkey drain scammers.
  • Monkey Drainers have used more than 2,000 domains to attack NFT holders.

SlowMist Security team has received complaints regarding NFT security breaches because of NFT frauds. People are losing millions of dollars in these phishing attacks. 

The team disclosed for the first time on December 24, 2022, regarding Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users. This malware event is connected to some other group known as Monkey Drainer, which we have been keeping an eye on. While they have thoroughly examined some of the group’s malware materials and wallet addresses, we have decided to keep definite information in the strictest confidence due to confidentiality and privacy issues.

Following an extensive investigative process, it was noticed that the primary strategy used in this phishing scam was the invention of fake NFT-related online sites via fake celebrity Twitter accounts and Discord groups. These NFTs were then decided to be sold on websites like OpenSea, X2Y2, and Rarible. The Monkey Drainer organisation used nearly 2,000 different domains to target crypto and NFT customers.

Researchers discovered that the earliest registration date for these web addresses can be traced all the way back to four months ago by checking the login information.

At first, the Monkey Drainer organisation spread its phishing campaign via false Twitter advertising.

From 2022 to the present, their squad was able to discover over 2,000 NFT malicious urls and related domains with similar features. They used ZoomEye to perform a thorough worldwide search to find the present state of these scam sites. Their examination revealed a staggering amount of active and functional scam sites.

The Monkey Drainer phishing group employs a clear and vicious technique, relying on phishing and mass deployment. The Monkey Drainer phishing group is presumed to use phishing layouts to digitise brew implementation.