North Korean Hackers Drain Crypto Executive's Savings in Phishing Attack

Generated by AI Agent Coin World
Friday, Jun 20, 2025 4:26 am ET

Mehdi Farooq, a former executive of Animoca Brands and current investment partner at Hypersphere, recently disclosed that he lost a significant portion of his life savings in a phishing attack orchestrated by the North Korean hacking group Lazarus. The attack began when Farooq received a Telegram message from Alex Lin, a professional acquaintance, who requested to schedule a call using Farooq's Calendly link. The next day, Lin messaged again, asking to switch the call to Zoom Business for compliance reasons, stating that one of his limited partners, Kent, would be joining.

The Zoom meeting appeared legitimate, with both participants having their cameras on but no audio. In the Zoom chat, they claimed to have technical issues and asked Farooq to update his Zoom client. Within minutes of installing the fake update, six of Farooq’s crypto wallets were drained. It was only afterward that Farooq realized Lin’s account had been compromised. The scheme was later linked to Lazarus, a North Korean state-sponsored hacking group known for its cybercrime activities.

Farooq described the experience as surreal and violating, but he also highlighted the support he received from whitehat hackers who offered help when he was at his lowest. He mentioned that he was compromised by a threat known as dangrouspassword, which is affiliated with the Democratic People's Republic of Korea (DPRK).

This incident is not an isolated case. Recently, Manta Network co-founder Kenny Li narrowly avoided a similar fate when attackers impersonated known contacts during a Zoom call, used fake video feeds, and insisted on a suspicious Zoom update download. Li's suspicion led him to suggest switching communication platforms, prompting the attackers to block him and erase messages.

Security analysts have noted that this attack vector, where hackers pose as trusted contacts, fake technical glitches, and push malware disguised as Zoom updates, is a hallmark of Lazarus operations. This method has been used repeatedly to steal millions in crypto. Other crypto industry leaders, including founders from Mon Protocol, Stably, and Devdock AI, have reported similar phishing attempts, underscoring the widespread and targeted nature of these attacks.

The incident serves as a stark reminder of the evolving tactics used by cybercriminals to exploit trust and technical vulnerabilities. It also highlights the importance of vigilance and the need for enhanced security measures in the crypto industry. As the threat landscape continues to evolve, industry leaders and individuals must remain proactive in protecting their digital assets.
