Researchers have unearthed a new phishing campaign involving North Korea-linked hackers targeting NFT users purchasing tokens on platforms such as OpenSea, X2Y2, and Rarible.

Users would first purchase legitimate-looking NFTs on these websites, and these NFTs would then direct the buyer to fraudulent NFT-related websites to complete the minting process.

However, according to a report from blockchain security company SlowMist, these websites used the minting process to try to extract valuable data from visitors, including their IP addresses, authorizations, and use of plug-in wallets.

This reportedly involved duping users into carrying out authorization actions, such as sending their Seaport signature, a type of digital signature used to verify NFT contracts made on OpenSea.

OpenSea, X2Y2, and Rarible did not immediately respond to Decrypt’s request for comment.

The researchers found more than 500 domains in total running these types of “malicious mints,” and the campaign has reportedly been ongoing for several months, with the first domain appearing to have been created over seven months ago.

The vast majority of these domains were said to have used the same IP address.

According to the report, the hackers were able to capture around 1,055 NFTs and made a profit of approximately 300 Ethereum, or $366,000, via their scheme.