North Korea: hackers attack new crypto founders on Zoom

In recent days, at least three founders of companies in the cryptocurrency sector have reported fraud attempts linked to suspected North Korean hackers. The cybercriminals allegedly tried to steal sensitive data through counterfeit Zoom calls, using a sophisticated technique that exploits the psychology of the victims.

The new method of North Korean hackers: fake Zoom calls with technical issues

Nick Bax, member of the ethical hacker group Security Alliance, reported the new attack method with a post on X (formerly Twitter) on March 11. According to Bax, this strategy has already led to the theft of millions of dollars by the fraudsters.

The modus operandi involves contacting the victim with a proposal for a meeting or collaboration. Once the video call is initiated, the perpetrators send a message indicating audio issues, while a pre-recorded video of a pseudo-investor with a bored expression appears on the screen. At that point, a link to a new call is sent to the victim, explaining that it is necessary to resolve the technical issue.

However, the new link actually leads to disguised malware, which asks the user to install a patch to restore the correct audio/video functionality. Bax highlights how this technique exploits the haste and psychological pressure of the moment:

“You think you are meeting important investors and you try to solve the problem quickly, letting your guard down. But once the patch is installed, you’re screwed.”

Founders of crypto companies targeted by North Korean hackers

After Bax’s revelation, several founders of companies in the blockchain sector shared similar experiences. Giulio Xiloyannis, co-founder of the blockchain-based gaming platform Mon Protocol, reported that he almost fell for the scam. According to reports, the hackers attempted to deceive him and the marketing manager with a partnership proposal. However, Xiloyannis sensed the deception when he was redirected at the last moment to a suspicious link, which claimed it could not read his audio in order to prompt him to download a dangerous file.

Another case involves David Zhang, co-founder of Stably, a startup dealing with stablecoins backed by US venture capital. He too was contacted by the scammers, who initially used his personal Google Meet link. However, shortly after, under the pretext of an internal meeting, they asked him to connect to another fake video call.

Zhang, who answered the call from his tablet, believed that the hackers’ malware was primarily designed for desktop operating systems, as he did not notice any obvious anomalies on his mobile device.

Another victim of the attempted attack is Melbin Thomas, founder of the decentralized artificial intelligence platform Devdock AI, specialized in Web3 projects. After mistakenly starting the installation of the infected file, Thomas managed to block the process in time by avoiding entering the password. As a precaution, he disconnected the laptop and restored the device to factory settings, but there remains the doubt whether the files transferred to an external hard drive were compromised.

The alarm from the United States, Japan, and South Korea on North Korean cyber-attacks

These episodes are part of a broader context of growing cyber threat from North Korean hacker groups. On January 14, the United States, Japan, and South Korea released a joint statement to warn of the danger posed by cybercriminals linked to North Korea, with particular attention to the cryptocurrency sector.

Among the most well-known hacker groups is Lazarus Group, accused of being involved in some of the largest thefts in blockchain history. The group is suspected of orchestrating attacks such as the one against Bybit, which led to the theft of 1.4 billion dollars, and the one on the Ronin network, which saw a theft of 600 million dollars.

After the numerous attacks, the Lazarus hackers moved the stolen funds through mixing platforms, tools used to obfuscate the origin of cryptocurrencies. According to CertiK, a company specializing in blockchain security, the group recently deposited 400 Ethereum (ETH), worth about 750,000 dollars, into the mixing service Tornado Cash.

Conclusions: a growing risk for the crypto world

The episodes reported by the founders of companies in the blockchain sector confirm that hackers are increasingly refining their techniques, exploiting the trust and haste of the victims. The growing frequency of these attacks prompts security experts to reiterate the importance of adopting preventive measures, such as verifying every link before clicking it and avoiding installing files from unknown sources.
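The link verification recommended above can be made mechanical. The following Python code is an added example, not part of the original article: it checks whether the real hostname of a meeting link belongs to an allow-listed conferencing domain, covering the usual disguises (look-alike subdomains, text before an `@`, non-ASCII letters). The allow-list, the function name and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the conferencing domains this organisation actually uses.
TRUSTED_MEETING_DOMAINS = ("zoom.us", "zoom.com", "meet.google.com")


def check_meeting_link(url):
    """Return (ok, reason) for a meeting link received during a call."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if not host:
        return False, "no hostname"
    if has_userinfo:
        # https://zoom.us@other.example/ really points at other.example
        return False, "text before '@' disguises the real host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalised hostname, possible look-alike letters"
    for domain in TRUSTED_MEETING_DOMAINS:
        # Exact match or a true subdomain; 'zoom.us.audio-fix.example' is neither.
        if host == domain or host.endswith("." + domain):
            return True, "host belongs to " + domain
    return False, host + " is not an allow-listed meeting domain"


# Constructed sample links; the .example names are placeholders, not real IoCs.
SAMPLES = [
    "https://us02web.zoom.us/j/1234567890",
    "https://meet.google.com/abc-defg-hij",
    "https://zoom.us.audio-fix.example/j/1234567890",
    "https://zoom.us@audio-fix.example/j/1234567890",
    "https://notzoom.us/j/1234567890",
    "https://z\u043e\u043em.us/j/1234567890",  # Cyrillic 'o' characters
    "http://zoom.us/j/1234567890",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_meeting_link(link)
        print("ALLOW" if ok else "BLOCK", link, "->", reason)
```

A link that passes only shows that the host is a genuine conferencing domain; a prompt to install an audio patch, as in the cases above, is still a reason to stop.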

With the intensification of activities by groups like Lazarus, the world of cryptocurrencies must face an ever-increasing risk related to cyber-attacks. Collaboration between companies, security experts, and governments will be fundamental to counter these threats and protect digital capital from increasingly sophisticated thefts.

Satoshi Voice
This article was produced with the support of artificial intelligence and reviewed by our team of journalists to ensure accuracy and quality.