ESTsecurity: phishing attack impersonating SUMMITZ NFT compensation… found to be a means of earning foreign currency for North Korea


2022. 7. 22.


Disguised as an NFT compensation plan announcement for SUMMITZ coin victims... Attributed to North Korea, for the purposes of espionage and earning foreign currency


Security company ESTsecurity (CEO Jung Jin-il) announced on the 22nd that a North Korea-linked hacking attack has been discovered in South Korea, disguised as a notice that victims of the SUMMITZ coin fraud will be compensated with non-fungible tokens (NFTs), and that it calls for special attention.

The SUMMITZ coin scam is a case from around 2018 in which coins were issued under the pretense that they were backed by the investment and technology of domestic conglomerates, luring in investors who were then defrauded. At the time it appeared that even family members of conglomerate heads had invested, but in reality the coin had nothing to do with any actual corporate technology investment or agreement, and the losses fell directly on the investors.

The co-representative of SUMMITZ at the time is known to have been imprisoned after being sentenced to an actual prison term for violating the Act on the Aggravated Punishment of Specific Economic Crimes.

Meanwhile, the newly discovered attack targets people who took part in past SUMMITZ-related investments, people curious about NFT compensation, and bitcoin holders. The email is titled '[Notification] SUMMITZ coin victim NFT token compensation notice' and poses as a message from the SUMMITZ customer management department announcing, on behalf of headquarters, NFT compensation for 2,506 victims.

The email says that the attachment 'NFT Compensation Plan.pdf' contains the compensation list and asks the recipient to check their eligibility and reply, but the ESTsecurity Security Response Center (ESRC) has confirmed that the attachment links to a malicious phishing site.

If the recipient clicks the attachment, a password-entry page disguised as a portal's identity verification service (private-banking-group[.]com) appears, and any information entered there can lead to personal information being leaked without the user realizing it.

Furthermore, the site's URL and its internal web pages contain NFT- and bitcoin-related content, so at a glance the site may look legitimate, but because it is currently being used for hacking, access to it needs to be restricted and blocked.

While investigating this incident, ESRC found that the attackers used the domains 'sslnaver[.]online' and 'cdndaum[.]online', and identified a history of the address 'lion.simba21@protonmail[.]com' being used in the domain registrant information.

In addition, the attackers have been confirmed to use the 'private-banking-group[.]com' address in a similar manner in portal customer-service impersonation attacks targeting individuals working in North Korea, and to use numerous phishing domains including 'navers[.]online', 'navers[.]store', 'naveos[.]online', 'naveos[.]website', 'com-silver[.]site', 'com-pass[.]online', 'com-password[.]link', 'com-info[.]store', 'com-checking[.]link', 'confirm-pw[.]link', 'com-share[.]bar', 'nonghyup[.]website', 'com-gstatic[.]link', 'jiia[.]tokyo', etc. Some of these addresses were registered with the email 'fullget888@gmail[.]com'. These addresses have been seen in cyber threat cases attributed to North Korea.
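The blocking advice above can be turned into a DNS-log check. The following is an added example, not code from ESTsecurity: it refangs a subset of the domains quoted in this article, matches them (and their subdomains) against a constructed query log, and also flags hosts that embed a portal brand name outside that portal's own domain. The genuine portal domains (`naver.com`, `daum.net`), the log format, and the `.example` host are assumptions.

```python
import re

# Indicators quoted in the article, kept in their published defanged form.
ADVISORY_IOCS = [
    "private-banking-group[.]com", "sslnaver[.]online", "cdndaum[.]online",
    "navers[.]online", "naveos[.]website", "com-password[.]link",
    "confirm-pw[.]link", "nonghyup[.]website", "jiia[.]tokyo",
]
# Assumption: impersonated portals and their genuine registrable domains.
BRANDS = {"naver": {"naver.com"}, "daum": {"daum.net"}}

def refang(indicator):
    """Turn 'hxxps://host[.]tld/path' style text into a bare lowercase hostname."""
    host = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    host = re.sub(r"^h(xx|tt)ps?://", "", host).split("/")[0]
    return host.rstrip(".")

BLOCKLIST = {refang(i) for i in ADVISORY_IOCS}

def matches_blocklist(host):
    """True for a listed domain or any subdomain; compares whole labels only."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def brand_lookalike(host):
    """Return the brand embedded in a host that is not under that brand's domain."""
    host = host.lower().rstrip(".")
    for brand, legit in BRANDS.items():
        if any(host == d or host.endswith("." + d) for d in legit):
            continue
        if any(brand in label for label in host.split(".")):
            return brand
    return None

def classify(host):
    if matches_blocklist(host):
        return "ioc"
    return "lookalike" if brand_lookalike(host) else "clean"

# Constructed sample DNS query log: "<timestamp> <client> <queried name>"
SAMPLE_LOG = """\
2022-07-22T09:01:10 10.0.0.5 www.naver.com
2022-07-22T09:01:12 10.0.0.5 login.private-banking-group.com
2022-07-22T09:02:40 10.0.0.9 nid.sslnaver.online
2022-07-22T09:03:05 10.0.0.9 accounts.naver-verify.example
2022-07-22T09:03:30 10.0.0.7 mail.daum.net
"""

def scan(log_text):
    """Return (client, name, verdict) for every non-clean query in the log."""
    rows = (line.split() for line in log_text.splitlines() if line.strip())
    return [(c, n, classify(n)) for _ts, c, n in rows if classify(n) != "clean"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Matching on whole labels keeps an unrelated domain that merely ends with the same characters from being blocked, while still catching any subdomain the phishing site is served from.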

ESRC Director Moon Jong-hyun stated, "The recent attack is analyzed as part of the so-called KGH campaign linked to North Korea, including the domestic terrestrial broadcasting station attack in February, the Japan international studies institute impersonation in February, and the health checkup certificate issuance disguise attack in March. Recent attacks have been escalating against North Korean human rights experts and professors in diplomacy, security, and national defense fields due to the current political issues of South and North Korea, such as the repatriation of defected North Korean fishermen," and urged the practice of cyber security at the national security level.

Meanwhile, ESTsecurity's ESRC is closely sharing the related cyber threat information with relevant authorities such as the Korea Internet & Security Agency (KISA) to keep the known threat from spreading.



CEO: Sangwon Jung

Business Registration Number 229-81-03214 Mail-Order Business Notification Number 2011-Seoul Seocho-1962

EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code)06711
