North Korean Hackers Target Crypto Industry with Sophisticated Attacks
North Korean hackers have set their sights on the crypto industry, with a recent attack targeting JP Thor, the co-founder of Thorchain, resulting in a loss of approximately $1.3 million. The attack, which utilized a combination of social engineering and zero-day exploits, has raised concerns about the increasing sophistication of North Korean hacking groups.
The attack began with a compromised Telegram account belonging to a friend of Thor’s, who was lured into a Zoom call that appeared to be legitimate. During the call, Thor was presented with a convincing Deepfake video of his friend, which unknowingly triggered a malicious script. The script copied Thor’s iCloud documents folder into a temporary directory, allowing the attackers to access sensitive data without raising immediate alarms.
Attackers Exploit Zero-Day Vulnerability to Drain MetaMask Wallet
Thor’s MetaMask wallet, which was connected to an inactive Chrome user profile and stored in his iCloud keychain, was drained without pop-up warnings or requests for administrator access. It is believed that the hackers exploited a zero-day vulnerability to penetrate Thor’s system and extract the wallet keys. The team has since offered a bounty to recover the stolen funds, with a blockchain message tied to the compromised wallet stating that a reward will be paid for the return of the stolen assets, provided that no legal action is taken if the assets are returned within 72 hours.
This attack is part of a larger trend of North Korean-related groups using advanced tactics, including Deepfake imitations, social engineering, and malware, to compromise high-profile crypto targets. Earlier this year, several crypto executives were targeted by similar attacks, resulting in significant losses. These attacks often involve AI-supported language or video overlays, malicious update entry requests, and compromised device security.
North Korean Hacker Playbook: A Growing Threat to the Crypto Industry
The frequency and sophistication of these attacks have raised concerns among security experts and industry leaders, who are warning the industry to treat video calls with skepticism and to be aware that seeing a familiar face or hearing a familiar voice is no longer a reliable trust marker in the face of AI-powered Deepfakes. North Korea-bound cyber groups have stolen over $2 billion in 2025 alone, with major incidents including the $1.5 billion Bybit hack in February, which was attributed to North Korea by TRM and law enforcement authorities.
The crypto industry must remain vigilant and take proactive measures to protect against these types of attacks. As the use of Deepfakes and social engineering tactics continues to evolve, it is essential for individuals and organizations to prioritize security and to stay informed about the latest threats and vulnerabilities. For more information on this and other crypto-related news, visit https://crypto.news/thorchain-co-founder-loses-1-3m-to-north-korean-zoom-scam/.
