North Korean cybercriminals have executed a sophisticated "long-con" social engineering campaign, netting over $300 million by impersonating trusted industry figures in fake video meetings, according to security researcher Taylor Monahan (Tayvano) of MetaMask.
Key Attack Components
Unlike the recent wave of AI deepfake lures, the scheme relies on a low-tech, psychological approach:
- Hijacked Accounts: The attack begins when hackers seize control of a trusted Telegram account, often belonging to a venture capitalist or someone the victim previously met.
- The Fake Meeting: Using the account's existing chat history for credibility, they propose a video call (Zoom or Teams) and send a disguised Calendly link to book it.
- Looped Video: The "live" video feed of the contact is actually looped footage or a recycled recording from a public appearance.
- The Technical Ruse: The attackers claim audio or video problems and use the time pressure of a business meeting to push the victim into the decisive step.
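The disguised invite link is the first point where a recipient can check rather than trust. As an added example (not code from the original article or from Monahan's research), the Python script below triages a meeting link before it is clicked: it parses the URL offline and flags the usual disguises (a brand name in a lookalike host, a real host hidden behind an '@', a raw IP, a homoglyph or punycode hostname, a shortener). The allow-list of trusted domains and the sample invite URLs are assumptions constructed for illustration, not indicators from the campaign.

```python
"""Triage of meeting-invite links: does the URL really point at a scheduling
or meeting service, or does it only look like one?

Added example, not code from the original article. TRUSTED_DOMAINS and the
sample URLs below are assumptions constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list of legitimate scheduling/meeting hosts. A host matches
# when it equals an entry or is a subdomain of one (e.g. us02web.zoom.us).
TRUSTED_DOMAINS = (
    "calendly.com",
    "zoom.us",
    "zoom.com",
    "teams.microsoft.com",
    "teams.live.com",
)

# Brand words that lookalike hostnames reuse (calendly-meetings.com, etc.).
BRAND_TOKENS = ("calendly", "zoom", "teams", "microsoft")

# Shorteners hide the destination until the link is followed; treat as a flag.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly", "rb.gy", "is.gd"}


def _is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_invite_url(url: str) -> dict:
    """Return {"host": str, "verdict": str, "reasons": [str, ...]}.

    verdict is "trusted" (allow-listed host, no flags), "suspicious"
    (at least one flag raised) or "unknown" (no flags, host not allow-listed).
    The function parses only; it never fetches the URL.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []

    if parts.scheme != "https":
        reasons.append(f"scheme is '{parts.scheme}', not https")
    if parts.username is not None:
        # https://calendly.com@203.0.113.10/... : the text before '@' is
        # userinfo that browsers ignore; the real host is what follows it.
        reasons.append("userinfo before '@' disguises the real host")
    if not host:
        reasons.append("no hostname")
    if _is_ip_literal(host):
        reasons.append("raw IP address instead of a service hostname")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("non-ASCII or punycode hostname (possible homoglyph)")
    if host in SHORTENERS:
        reasons.append("URL shortener hides the destination")

    trusted = _is_trusted(host)
    if not trusted and any(tok in host for tok in BRAND_TOKENS):
        # calendly-meetings.com, calendly.com.evil.example, ...
        reasons.append("brand name in a host that is not the brand's domain")

    if reasons:
        verdict = "suspicious"
    elif trusted:
        verdict = "trusted"
    else:
        verdict = "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons}


# Constructed sample invites for the demo run; not indicators from the campaign.
SAMPLE_INVITES = [
    "https://calendly.com/some-vc/30min",
    "https://us02web.zoom.us/j/1234567890",
    "https://calendly-meetings.com/some-vc/30min",
    "https://calendly.com.evil.example/some-vc/30min",
    "https://calendly.com@203.0.113.10/invite",
    "https://c\u0430lendly.com/some-vc/30min",  # Cyrillic 'а' (U+0430) for Latin 'a'
    "https://bit.ly/3abcxyz",
    "https://meet.example.org/room/1",
]


def triage_all(urls):
    """Map each URL to its verdict; handy for screening a batch of invites."""
    return {u: triage_invite_url(u)["verdict"] for u in urls}


if __name__ == "__main__":
    for u in SAMPLE_INVITES:
        r = triage_invite_url(u)
        print(f"{r['verdict']:10} {u}")
        for why in r["reasons"]:
            print(f"{'':10}   - {why}")
```

Two caveats. The check deliberately never follows redirects, so a shortener is only flagged, not resolved; expand it in a sandbox if you need the destination. And a link sent from a genuinely hijacked account can be a perfectly real Calendly page, which this check will rate "trusted": a verdict on the link says nothing about who is behind the account. The control that survives account takeover is confirming the meeting out of band, on a channel you already had for that person before the message arrived.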
The Malicious Payload
- Fatal Download: The victim is urged to download a "fix" for the connection, presented as a script or a software development kit (SDK). That file is the malicious payload.
- Total Control: Once installed, the malware (often a Remote Access Trojan, or RAT) gives the attacker full control of the machine, allowing them to drain cryptocurrency wallets and steal sensitive data, including internal security procedures and Telegram session tokens, which feed the account hijacks that start the next round of the campaign.
Security Warning
Monahan warns that this tactic weaponizes professional courtesy, pushing victims into a security lapse under the pressure of a business setting. Any request to download software during a professional call should be treated as an active attack signal, whoever appears to be making it.
This "fake meeting" strategy is part of a larger offensive by DPRK actors, who have stolen an estimated $2 billion from the crypto sector in the past year.
December 2025, Cryptoniteuae