In a stunning strategic shift in their criminal campaigns, North Korean cybercriminals have carried out sophisticated thefts exceeding 300 million US dollars. They impersonated trusted figures in the cryptocurrency sector through fake video meetings on applications such as Zoom and Microsoft Teams, luring victims into a carefully crafted social engineering trap.
Security researcher Taylor Monahan, known as "Tayvano" and working for MetaMask, a leading cryptocurrency wallet company, exposed this elaborate scam, which is built on long-term deception. According to Monahan, the campaign primarily targets corporate executives and investors in the crypto world, exploiting their trust in professional relationships.
How does the deception work? Step-by-step attack process
This attack differs from newer methods that rely on artificial intelligence or deepfake technology. Instead, it uses simpler yet very effective techniques, such as hijacking Telegram accounts and replaying previously recorded video footage. Here is how the deception is carried out:
Hijacking trusted accounts: The attack usually starts with the attackers taking over the Telegram account of a person the victim trusts, such as an investor or a colleague met at a previous conference. They draw on the existing chat history to pass as the real person.
Redirecting to a fake meeting: The attackers persuade the victim to join a video call on Zoom or Teams via a disguised link that resembles a meeting-scheduling link such as a Calendly invitation.
Pretending to be live: At the start of the meeting, the victim sees what appears to be a live video feed of the known person. In reality it is a replay of an interview or podcast recording, looped so that it looks natural.
The critical moment, a fake technical problem: After a few minutes, the attacker claims there is a problem with the audio or video and asks the victim to "fix" it by downloading a script or updating a software development kit (SDK).
Malicious installation: The downloaded file contains malware, typically a Remote Access Trojan (RAT). Once it is installed, the attacker gains full control of the victim's device and can drain cryptocurrency wallets and steal sensitive data such as internal security procedures and Telegram session tokens.
Expanding the network: The stolen data is then used to target other people in the victim's professional network, so the attack spreads rapidly.
Why does this deception work?
Monahan warns that this method exploits "professional courtesy" as a powerful weapon. In the context of a business meeting, the victim feels psychological pressure to maintain professionalism, leading them to make quick decisions without verification. What seems like a routine request to fix a technical issue turns into a security disaster.
The broader context: North Korea's attack on the crypto world
The "fake meetings" strategy is part of a larger campaign by entities affiliated with the Democratic People's Republic of Korea (DPRK). According to security reports, these hackers stole around 2 billion dollars from the cryptocurrency sector last year alone, including through the breach of the popular Bybit platform. These operations fund the North Korean regime's nuclear and missile programs, making them a global threat.
Tips for protection in the crypto world
Always verify: Do not trust any request to download software during a video call, even if it comes from someone you know.
Use advanced security tools: Rely on wallets like MetaMask with additional security features and enable two-factor authentication (2FA).
Be cautious of links: Verify the source of any meeting link before clicking on it.
Team awareness: In companies, conduct regular training on detecting social engineering attacks.
In the rapidly evolving crypto world, vigilance must be a priority. These attacks remind us that trust can be our greatest vulnerability. If you are an investor or manager in this sector, take this warning seriously to avoid falling into the trap.
🛑 In the crypto world, you must be cautious about everything 🛑
