North Korean cyber criminals have made a sophisticated change of strategy in their social engineering campaigns, stealing over $300 million by impersonating trusted industry figures in fake video meetings.
The alert, detailed by MetaMask security researcher Taylor Monahan (known as Tayvano), describes an elaborate 'long con' scam targeting crypto executives.
The Bait: Hijacked Telegram Accounts and Fake Contacts
According to Monahan, the campaign marks a departure from recent attacks that relied on AI-generated deepfakes. Instead, it uses a more direct approach, based on hijacking Telegram accounts and playing looped footage recycled from real interviews.
"DPRK threat actors are still ripping off way too many of you via their fake Zoom/Teams meetings," Monahan wrote on X.
🚨 WARNING (AGAIN)
DPRK threat actors are still rekting way too many of you via their fake Zoom / fake Teams meets.
They're taking over your Telegrams -> using them to rekt all your friends.
They've stolen over $300m via this method already.
Read this. Stop the cycle. 🙏 pic.twitter.com/tJTo9lkq0v
- Tay 💖 (@tayvano_) December 13, 2025
The attack typically begins after the hackers gain control of a trusted Telegram account, often belonging to a venture capitalist or to someone the victim previously met at a conference. The attackers then exploit the existing chat history to appear legitimate, steering the victim to a video call on Zoom or Microsoft Teams via a disguised calendar link.
The Staging: Recycled Videos and Fake Technical Problems
Once the meeting has started, the victim sees what appears to be a live video feed of their contact. In reality, it is often a recycled recording from a podcast or public appearance.
The decisive moment usually comes after a staged technical problem. Citing audio or video issues, the attacker urges the victim to re-establish the connection by downloading a specific script or updating a Software Development Kit (SDK). The file delivered at that point contains the malicious payload.
The Final Blow and the Role of the RAT
Once installed, the malware, often a Remote Access Trojan (RAT), gives the attacker total control over the system. The RAT drains cryptocurrency wallets and exfiltrates sensitive data, including internal security protocols and Telegram session tokens, which are then used to target the next victim in the network.

Monahan warned that this particular vector "weaponises professional courtesy". The hackers rely on the psychological pressure of a 'business meeting' to force an error in judgement, turning a routine troubleshooting request into a fatal security breach. For industry participants, any request to download software during a call should now be treated as an active attack signal.
This 'fake meeting' strategy is part of a broader offensive by DPRK actors, who have stolen an estimated $2 billion from the industry over the past year, including the Bybit breach.