North Korean cybercriminals are making a major strategic shift in their social engineering attacks. By impersonating trusted industry names, they have seized over 300 million dollars' worth of cryptocurrency through fake video meetings.

This alert reveals a sophisticated 'long-term fraud' targeting crypto managers, as detailed by MetaMask security researcher Taylor Monahan (known as Tayvano in the crypto community).

How Do North Korea's Fake Meetings Empty Cryptocurrency Wallets?

According to Monahan, this campaign does not rely on the AI deepfakes seen in other recent attacks.

Instead, it uses a simpler but effective tactic: compromised Telegram accounts combined with replayed video footage taken from real interviews.

Attacks often begin when a Telegram account belonging to a familiar name, such as a venture capitalist or someone the victim met at a previous conference, falls into the hands of hackers.

The attackers then use the account's previous correspondence to pose convincingly as its owner, and direct the victim to a deceptive Calendly link for a video meeting over Zoom or Microsoft Teams.

When the meeting starts, the victim believes they are watching a live video of someone they know. What they actually see on screen is usually a recording taken from a podcast or a public talk.

The final move usually comes after a fake technical malfunction.

Claiming there is a problem with the audio or video, or that a software development kit (SDK) needs updating, the attacker asks the victim to download and run a specific script. The downloaded file contains malware.

Once it connects back to the attackers, the malware, typically a Remote Access Trojan (RAT), gives them complete control of the victim's machine.

Cryptocurrency held in the victim's accounts is withdrawn, and sensitive information such as internal security procedures and Telegram session tokens reaches the attackers. With that access, the next targets in the victim's contact chain are easily identified.

Looking at this picture, Monahan warns that this form of fraud turns professional etiquette into a weapon.

The attackers use the pressure that comes with the psychology of a 'business meeting' to lower the victim's guard and turn a simple technical support request into a major security breach.

Within the industry, being asked to download software during a video meeting is now considered a direct signal of an active attack.

Meanwhile, the 'fake meeting' method is part of a broader campaign by Democratic People's Republic of Korea (DPRK) actors. It is estimated that they have stolen approximately $2 billion from the industry over the past year, including the Bybit attack.