DeFiance Capital founder and crypto investor Arthur Ox was the victim of a phishing attack. Bad actors managed to compromise Ox’s hot wallet and took control of over $1.5 million in non-fungible tokens (NFTs).
Related Reading | The Nightly Mint: Daily NFT Recap
The attackers moved the stolen assets to NFT marketplace OpenSea. Part of the popular Azuki collection, the NFTs were priced in thousands of dollars on the platform.
Via his Twitter account, Ox reported on the hack and of new development as he investigated potential points of failures. He said:
Was pretty careful and stuck with only using hardware wallet on PC until I start trading NFT more regularly. Hot wallet on mobile phone is indeed not safe enough.
Ox discovered the attackers compromised as much as two of his private keys, used to access the funds and sign transactions. The DeFiance Capital founder asked for the following Ethereum address to be blacklisted: 0xe47E8cD58c8E95F765e642d7dCB898f622ceFA83. The crypto investor added:
Found out the likely root cause for the exploit, it’s a targeted social engineering attack. Received a spear-phishing email that really seems to be sent by one of our portco with content that seems like general industry-relevant content.
In that sense, Ox believes attackers could attempt to target other crypto founders with a similar approach. As seen below, the bad actors managed to send him a message that appear genuine and coming from “two seemingly legitimate sources”.
The attack vector could have originated from the document sent to Ox, and from two images attached to the email. The DeFiance Capital warned other users, and said “none of the anti-viruses picked up this file as malicious”. Ox added the following to his alert:
Have strong evidence to believe this is the same group of hackers that exploited BZX, Hugh, MGNR and myself. The infamous Lazarus group.
Lazarus Group Targeting Crypto Investors?
According to a pseudonym user, the file shared by Ox matches a strategy used by the Lazarus Group. The bad actors often used a document hinting at a stablecoin pitch as a lure, with a fake Azure Information Protection label from Microsoft.
The latter requires the user to enable content editing which could potentially open the door for the phishing attack or exploit.
Looks like some potential #LazarusGroup? Seems to fit their crypto interests and the same #Azure lure prev-used
Rapid Change of Stablecoin (Protected).docx
secure.azureword[.]com/k6q3afrxddx/yoibgjjd7e/evuethwpcj/cn65qhpls2/@t0001100000 @h2jazi pic.twitter.com/XKpQuzkJBm
— Gage (@Circuitous__) September 10, 2021
Supposedly based in North Korea, the Lazarus Group has been one of the most prolific black hat organizations. Active since 2009, the group uses different strategies to target their victims, steal their information or take over the victim’s computer.
The group has been known for targeting financial institutions, casinos, software developers, and others. Several reports claimed the bad actors have stolen almost $1 billion in cryptocurrencies and digital assets.
Related Reading | Press Start: GameStop Reveals When Its Exclusive NFT Marketplace Will Launch
At the time of writing, the crypto total market cap stands at $1,89 trillion with minor gains on the 4-hour chart.