North Korean Hackers Steal $300M in Social Engineering Crypto Scam

Key Takeaways:
- North Korean hackers are conducting a sophisticated social engineering hacking scheme targeting crypto users, developers, and protocol team members via Teams and Zoom links sent on Telegram.
- They take control of Telegram accounts belonging to real users and message their contacts by impersonating that person or a crypto executive. The victims are then invited to a video call, where they are asked to download and install a Trojan that gives the attacker complete access to sensitive information on their devices.
- The hackers use recycled video footage and staged technical glitches to trick victims, then steal passwords, drain crypto wallets, and hijack Telegram accounts to target the victim's network. This is a different strategy from the AI deepfakes that used to be a common theme in such cases.
- Blockchain security experts have warned Telegram users to reject any request to download suspicious software during video calls, and urged those who have clicked on or installed such links to immediately move their crypto to another device and wipe the infected device.
Cybersecurity firm Security Alliance (SEAL) has warned that North Korean hackers are impersonating trusted crypto industry contacts in fake Zoom and Teams meetings and convincing victims to install malware to steal sensitive data, including passwords and private keys to crypto wallets.
SEAL has tracked multiple daily attempts from the group, with more than $300 million in assets already stolen from crypto users, developers, and protocol teams, who are primary targets.
North Korean Hackers Fake Zoom/Teams Meeting to Drain Crypto Users’ Wallets
The warning resurfaced after MetaMask security researcher Taylor Monahan outlined a sophisticated “long-con” targeting crypto executives. He wrote in an X post that threat actors from the Democratic People’s Republic of Korea (DPRK) are still “wreaking” way too much havoc via fake Zoom and Teams meetings. Monahan noted that their new campaign is drastically different from the recent attacks that relied heavily on AI deepfakes. Instead, they are now using a more straightforward approach built around hijacked Telegram accounts and looped footage from real interviews.
The scam typically begins with the victim receiving messages from a Telegram account that appears to belong to someone they already know, such as a crypto executive, or have previously had conversations with. The attacker messages every contact with whom the hijacked account has a prior conversation history and, after some casual conversation, guides the victim to a Zoom or Microsoft Teams video call via a disguised Calendly link.
The link looks legitimate, but is often masked or subtly altered. Once the meeting starts, the victim will see what appears to be a live video feed of their contact. Monahan explained that these videos are not AI deepfakes, but recycled recordings taken from a podcast or public appearance, making the setup look very convincing.
Once the meeting is underway, the hacker cites an issue with the audio or video feed and urges the victim to restore the connection by downloading and installing a "software development kit" (SDK) sent via chat. This file contains the malware payload, often a Remote Access Trojan (RAT), which once installed grants the hackers complete access to the victim's device. The RAT can drain cryptocurrency wallets and exfiltrate sensitive data, such as internal security protocols and passwords, turning a routine troubleshooting request into a fatal security breach.
Shortly after, the attackers abruptly end the call, claiming they need to reschedule, all the while trying to avoid raising any suspicion. However, by the time the victim realizes that something is wrong, their computer may have already been fully compromised. The malware allows hackers to steal private keys to crypto wallets, passwords, company data, and gain access to messaging apps like Telegram. The hackers then use the victim’s Telegram account to impersonate them and target their friends, colleagues, or business partners.
Telegram Users Warned to Wipe Devices, Change Passwords, Move Crypto After Suspicious Links
Monahan has advised Telegram users who have accessed a suspicious Zoom or Teams-related link to immediately disconnect the affected device from WiFi and power it down. He urged victims to use a separate device to move their crypto to a new wallet, change all passwords, enable two-factor authentication, and secure their Telegram account by terminating all active conversations and updating security settings. The MetaMask security chief recommended a full memory wipe of the infected device before using it again.
Hackers linked to North Korea have been conducting sophisticated social engineering hacks over the past year, infiltrating crypto companies through elaborate job applications and faking interview processes. Last month, the Lazarus Group, a hacking syndicate linked to the North Korean military, was accused of draining roughly $30.6 million from South Korea’s largest cryptocurrency exchange, Upbit. This group has reportedly stolen an estimated $2 billion from various crypto platforms over the past year, most notably, $1.5 billion from Bybit in an operation considered to be the largest hacking incident in history.