Manta Network Co-Founder Targeted in Lazarus Group Phishing Attack

Generated by AI Agent Coin World
Friday, Apr 18, 2025 6:55 am ET

Kenny Li, co-founder of Ethereum layer-2 project Manta Network, recently disclosed that he was targeted in a sophisticated phishing attempt by the Lazarus Group. The incident involved a known contact on Telegram arranging a Zoom call, during which familiar faces appeared on camera but no one spoke. A prompt then urged Li to download a script to fix his audio; he found this suspicious and immediately left the call.

Li attempted to verify the contact by suggesting a switch to Google Meet, but the impersonator refused and subsequently blocked Li. The co-founder noted that the phishing attempt could have involved deepfakes or recordings from previous calls where other individuals were infected or hacked. While Li was not certain that the attempt was by Lazarus Group, security researchers indicated that the tactics matched the group's modus operandi.

This incident is part of a broader pattern of attacks attributed to Lazarus, a North Korean state-backed hacking unit known for some of the largest crypto heists in history. The group has been linked to the February hack of Bybit, which resulted in a significant financial loss. Lazarus is reportedly evolving its strategies, incorporating deepfake video, malware, and social engineering to deceive even experienced crypto executives.

Research from Paradigm security researcher Samczsun and Google’s Threat Intelligence Group (GTIG) reveals that Lazarus is just one arm of the DPRK’s extensive cyber apparatus. The regime employs various hacker subgroups, including AppleJeus, APT38, and TraderTraitor, using tactics such as fake job offers, Zoom calls, malware-laced npm packages, and extortion. Nick Bax of the Security Alliance (SEAL) warned in March about the group's tactics, which exploit human psychology to trick victims into downloading malware.

Giulio Xiloyannis, co-founder of the Web3 platform for on-chain games and IPs MON Protocol, shared a similar experience. A hacker impersonating a project lead asked him to switch to a Zoom link mid-call, which he found suspicious and reported to warn others. According to a recent GTIG report, North Korean IT workers are infiltrating teams across various regions, masquerading as developers using fake resumes and forged documents.

Samczsun urged firms to adopt basic defenses such as least-privilege access, two-factor authentication (2FA), and device segregation, and to contact groups like SEAL 911 in the event of a breach. The evolving tactics of the Lazarus Group highlight the growing threat posed by North Korean hackers to the crypto industry, necessitating heightened vigilance and robust security measures.
