North Korean crypto criminals have adjusted their tactics in social engineering campaigns. They have stolen more than $300 million by posing as trustworthy people in the industry during fake video meetings.

The warning, shared by MetaMask security researcher Taylor Monahan (known as Tayvano), describes a clever 'long con' aimed at crypto executives.

How North Korean fake meetings drain crypto wallets

According to Monahan, this attack differs from recent attacks that utilized AI deepfakes.

Instead, the attackers now use a simpler method that relies on hacked Telegram accounts and replayed footage from real interviews.

The attack usually begins as soon as hackers take control of a trusted Telegram account, often belonging to an investor or someone who met the victim at a conference.

Then the attackers use the previous chat history to come across as genuine and send the victim to a Zoom or Microsoft Teams call via a fake Calendly link.

During the meeting, the victim sees what appears to be a live video feed of their contact. In reality, this is often an old recording of, for example, a podcast or a public speech.

The decisive moment usually comes after a so-called technical problem.

After issues with sound or video, the attacker says that the victim can restore the connection by downloading a specific script or updating a software development kit (SDK). That file contains the malware.

Once the malware is installed, the attacker gains full control through a Remote Access Trojan (RAT).

As a result, crypto wallets are drained and sensitive data such as internal security protocols and Telegram session tokens are stolen. This data is used to target the next victim in the network.

With this in mind, Monahan warned that this attack method exploits professional courtesy.

The hackers rely on the psychological pressure of a 'business meeting' to push people into mistakes, turning a normal request for troubleshooting into a serious security breach.

For people in the industry, any request to download software during a video meeting is now a clear warning sign of an attack.

This 'fake meeting' tactic is part of a broader wave of attacks by Democratic People’s Republic of Korea (DPRK) groups. They have stolen an estimated $2 billion from the sector over the past year, including the Bybit hack.