SlowMist: Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users

2022-12-24 SlowMist

https://slowmist.medium.com/slowmist-our-in-depth-investigation-of-north-korean-apts-large-scale-phishing-attack-on-nft-users-362117600519


SlowMist investigated a large phishing campaign, attributed to North Korean APT activity, that targeted cryptocurrency and NFT users. The campaign used hundreds of phishing domains, including 196 domains initially shared by PhantomXSec, to impersonate dozens of ETH and SOL projects and lure users into signing transactions that stole their NFTs. SlowMist linked the activity to broader wallet-draining infrastructure and described how the attackers used fake project pages, malicious mint or claim flows, and clusters of related domains to steal assets from users in the crypto ecosystem. The report is useful for tracking DPRK-linked phishing infrastructure that targets NFT communities and Web3 users.

Indicators of Compromise

Type     Value                     First Seen   Last Seen
URL      https://tothesky.in       2022-12-24   2022-12-24
URL      https://thedoodles.site   2022-12-24   2022-12-24
URL      https://commonj.xyz       2022-12-24   2022-12-24
DOMAIN   commonj.xyz               2022-12-24   2022-12-24
DOMAIN   thedoodles.site           2022-12-24   2022-12-24
DOMAIN   nserva.live               2022-12-24   2022-12-24
DOMAIN   tothesky.in               2022-12-24   2022-12-24
