North Korean hackers hijack Telegram, stage fake Zoom calls and deploy RAT malware to drain crypto wallets in a $300m long‑con campaign.
Summary
- Attackers hijack trusted Telegram accounts, then lure crypto executives into fake Zoom or Teams calls using spoofed calendar invites.
- Pre‑recorded video of known industry figures masks RAT‑laden “patch” files that give hackers full system control and wallet access.
- The scheme forms part of North Korea’s wider campaign that has stolen over $2 billion in crypto, including the record Bybit breach.
North Korean cyber criminals have stolen over $300 million through a sophisticated social engineering campaign that impersonates trusted industry figures in fake video meetings, according to a security alert issued by MetaMask security researcher Taylor Monahan.
North Korean hackers go ‘long con’
The scheme, described as a “long con” operation, targets cryptocurrency executives through compromised communication channels, Monahan stated in the alert.
The attack begins when hackers gain control of a trusted Telegram account, typically belonging to a venture capitalist or conference contact known to the victim, according to the researcher. Attackers exploit previous chat history to establish legitimacy before directing victims to video calls on Zoom or Microsoft Teams through disguised calendar links.
During the meeting, victims view what appears to be a live video feed of their contact. The feed is often a recycled recording from a podcast or public appearance, according to the alert.
The attack culminates when the impersonator simulates a technical problem. After citing audio or video issues, the attacker instructs the victim to download a specific script or update a software development kit. The file contains malicious software, the researcher reported.
Once installed, the malware—often a Remote Access Trojan (RAT)—grants attackers complete system control, according to the alert. The RAT drains cryptocurrency wallets and extracts sensitive data, including internal security protocols and Telegram session tokens, which are then used to target additional victims in the network.
Monahan stated that the operation “weaponizes professional courtesy,” exploiting the psychological pressure of business meetings to induce errors in judgment. The researcher advised that any request to download software during a call should be considered an active attack signal.
The fake meeting strategy forms part of a broader campaign by North Korean actors, who have stolen an estimated $2 billion from the cryptocurrency industry over the past year, including the Bybit breach, according to industry reports.
