🚨 North Korean APT group responsible for crypto and NFT phishing campaign spanning over 190 domains. Targeting dozens of $ETH and $SOL projects. Uses collections on NFT marketplaces to lure victims to malicious minting sites. 🧵1/. #Phishing #NFT #NorthKorea #cybercrime.

All domains in this cluster point to wallet: 0x00000006dED0c4D8C7A82Ba04b5995A0b54E0A3E. Full list of domains:. 4/4.

The second notification technique is newly discovered. Examples are from kanpaipandas[.]art. Visitor actions on the domains are sent to a Telegram Bot in Russian. There is a handy list of the actions/notifications in /javascript/import_main.js. 3/

Two notification mechanisms noted in use on these domains. A GET request for non-existent 'pic.jpg' from count.with-winting[.]app . Note the re-use of count.with-winting[.]app is one of the data points used to correlate these domains with the larger campaign. 2/

🚨Small cluster of 8 NFT drainer sites found on @Hetzner_Online 162.55.38[.]225, connected to larger campaign. New Telegram notification TTPs discovered. 🧵1/. #Phishing #cybercrime #NFTs

RT @IM_23pds: ⚠️ There are 728 phishing scam sites on this IP.Scam site: .Metascannft[.]xyz.@evilcos @PhantomXSec @SlowMist_Team @1c4m3by….

Full list of Domains on 23.225.152[.]131:. 4/.

Associated Wallets:.0x0AA7F992Dfb485Cf9c4FbE9688F1ECdf9e0A15f9.0xB2dA7748F16dBddEf7C1963000C35B49297a7d06. 3/.

Majority of phishing sites are still subdomains vs being standalone. Including:.*.free-mintnow[.]com.*.nft-premint[.]xyz.*.mints-livenow[.]com.*.limitedwl[.xyz.*.vip-mint[.]com.*.limitedwl[.]xyz. 2/

Another 280 NFT drainer sites located on CloudRadium LLC IP 23.225.152[.]131 are associated with this campaign. Still uses semi-unique TTP of subdomains versus standalone sites. Discovered from code remnants on a domain on 199.33.112[.]228 . 🧵1/. #Phishing #NFT #Cybercrime.

Full list of Domains on 199.33.112[.]228:. Full list of Domains on 23.225.152[.]131:. 6/.

Associated Wallets:.0xd2089ff4E050A29e85fb5a447F83628E2a697555.0x5B68C0B4A259179aE792B91dF30f82521322e795.0x2AcFD0152bDBdD5AED36984D4897E08449A189D7. 5/.

Code references left on get-freemint[.]xyz leads to yogapetz.free-mintnow[.]com/claim.html. Domain is hosted on CloudRadium IP 23.225.152[.]131. There are roughly 280 cryptocurrency phishing domains associated with that IP address. 4/

This cluster is being tied back to the main campaign based on Discord Webhook usage. Same Discord Webhook on:.cyberbrokeers[.]xyz.mypetshooligan[.]xyz. Also used by:.swaggywhales.market-minting[.]com.rtf-clonexmint[.]xyz.sneaker-headsnft[.]xyz.thesnooopavatars[.]xyz. 3/

While the majority of sites still use 'free mints' for specific NFT projects to lure victims, for example:.treeverse[.]club.moonbiridz[.]xyz.sappyseals[.]club. ethereumupgrades[.]org is using the $ETH merge. How topical😒. 2/

🚨Fifteen phishing domains tied to this massive campaign registered and hosted by @namesilo on 199.33.112[.]228. Slight diversification in lures away from free minting to include the $ETH merge. Full list at the end of the 🧵. 1/. #Phishing #NFT #cybercrime.

Fake @opensea phishing domain 0pensea[.]biz registered and hosted by @namesilo on 199.33.112[.]228. Harvests wallet private keys, keystore and recovery phrases. Collected data is sent to kuchbhi[.]info/post.info. #Phishing #NFT #cybercrime

🚨Phishing domain getdoodles[.]top just went live on 45.12.2[.]67. Semi-unique lure offering cheap floor @doodles. Actor Wallet:.0xc68C8567991e2B5718ff999A70326EF483403bEe. #Phishing #NFT

Please report this scam account. Also, don't trust the obvious typo squatting site premint-mint[.]xyz. Wallet:.0xaC21Cb915E8A3fd8f465ed980C29B3c730dee67c. #Phishing #NFT.

For a full list, checkout:. 8/.

One upside (for CTI analysts) of using custom Name Servers is the admin contact included in the Start of Authority (SOA) DNS record. In this case, jaspersdfsd1258@gmail.com is the admin contact for all of the Name Servers and probably registered the domains. 7/