KISA describes a cryptocurrency-theft phishing operation that used reconnaissance on Naver Cafe and online communities, phishing email delivery, and Python automation to target virtual-asset users. The attackers focused on wallet seed phrases, private keys, wallet balances, and transaction conditions, including checks for Solana, Dogecoin, XRP, Filecoin, Anchor Wallet, and Wombat Wallet through JSON-RPC and HTTP APIs. The report is useful for defenders tracking phishing tradecraft that combines social targeting with scripted wallet enumeration and automated theft preparation.