North Korea’s $300M Zoom Crypto Scam: State-Sponsored Theft Hidden in Plain Sight


North Korean state-sponsored hackers have stolen over $300 million in cryptocurrency, not by breaking through technical defences but by turning trust against the people who hold the keys. This North Korea crypto scam marks an evolution of state-backed cybercrime: it combines social engineering, hijacked real identities and fake Zoom call malware into a coordinated operation that sidesteps conventional security controls and ends in large-scale cryptocurrency theft.

What Is the North Korea Crypto Scam?

Unlike traditional phishing, which blasts suspicious-looking emails at bulk lists of strangers, this campaign works entirely through relationships the victim already has, which is what makes the North Korea crypto scam far more dangerous.

According to the Security Alliance (SEAL), a not-for-profit cybersecurity organization, the North Korean operators start by taking over the Telegram account of someone the target already knows and messaging the target from it. The victim receives a direct link to a Zoom meeting from what looks like a trusted contact. On joining, the victim sees an authentic-looking video feed of that contact, most likely footage obtained when the contact's account or device was compromised.

Because nothing looks out of place, the victim has no reason to be suspicious and the attack can proceed. Once on the call, the victim is told there is a technical problem and is handed a file that supposedly fixes it; that file is the fake Zoom call malware built to enable cryptocurrency theft.

How the Attack Works: Step-by-Step Breakdown

  1. Compromise a Trusted Contact

The attacker first compromises someone connected to the target: a colleague, a business partner, or a peer in the same industry. From that person's account and device they collect the video, audio, and behavioral material needed to impersonate the contact convincingly, a standard technique for state-sponsored hackers.

  2. Reach Out Over Telegram

With control of the contact's account, the attacker messages the target from it and proposes a Zoom call. The request reads as ordinary and reasonable, so nothing prompts the target to verify it through another channel.

  3. Play a Pre-recorded Video

On the Zoom call the victim is shown previously recorded footage of the trusted contact. Seeing a familiar face appears to confirm that the call is genuine and strengthens the deception at the heart of this North Korea crypto scam.

  4. Manufacture a Technical Issue and Deliver the Malware

The attacker claims there is an audio problem on the call and sends the victim a file that supposedly fixes it. Once the victim opens that file, the fake Zoom call malware installs and begins harvesting from the victim's computer:

  • Private keys
  • Login details
  • Session tokens

  5. End the Call and Move the Assets

The call ends normally, but the attacker now holds everything needed to control the victim's digital assets and drains them, resulting in severe cryptocurrency theft. The stolen session tokens and credentials also let the attacker use the victim's own accounts to run the same playbook against the victim's contacts.

Why This Attack Is More Dangerous Than Traditional Crypto Fraud

This is not opportunistic cybercrime; it is an intelligence operation, sponsored by a state and run by professional state-sponsored hackers.

The initial intrusion no longer depends on technical means such as exploiting software flaws; it depends on psychological means, namely winning the target's confidence. The attackers reach the assets without having to defeat sophisticated security controls, because a trusted contact asking for a quick favour is not something those controls are designed to stop. Malware still plays a part, but only after trust has already opened the door.

North Korea has a proven track record of using cyber ops to generate revenues for the state and evade economic sanctions. Because cryptocurrency is both globally liquid and pseudonymous, it has become one of the primary targets for cryptocurrency theft.

What sets this operation apart is how heavily it leans on deception, which is also why uncovering it took painstaking crypto fraud investigation work:

  • People’s real identities were used, rather than invented identities
  • Real video footage was used rather than still images
  • Social trust was used against users before any type of technological exploitation occurred

Immediate Response: What to Do If You’re Compromised

If you suspect you were exposed through a Zoom interaction of this kind, take the following actions immediately; they both limit the damage and support later crypto asset recovery:

  • Disconnect the affected computer from every network, wired and wireless, so the malware can no longer send data out or receive commands
  • Power the computer down and do not use it again until it has been examined; if a forensic investigation is likely, speak to the investigators before wiping or reinstalling it, because the machine holds the evidence
  • Treat every private key and seed phrase that was ever on that computer as stolen: from a clean, separate device, generate new wallets and move any assets still under your control into them
  • From the clean device, change every password that was used on the affected computer and revoke all active sessions, since the malware harvests session tokens that stay valid even after a password change
  • Enable two-factor authentication on all accounts
  • Secure your messaging accounts, Telegram in particular, by logging out every other session, so the attacker cannot keep impersonating you to your contacts
  • Engage a blockchain forensics firm promptly to begin digital asset tracing and crypto asset recovery

The Blockchain Leaves a Permanent Trail

Cryptocurrency transactions may look opaque, but they are not invisible.

All transactions take place in a public ledger known as the blockchain. This enables blockchain forensics and digital asset tracing to:

  • Map the flow of money through various wallets
  • Identify the methods used to launder money
  • Connect wallet addresses to exchanges and jurisdictions
  • Compile evidence to support a legal case to recover money and strengthen crypto asset recovery efforts
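As an added example, and not Lionsgate's own tooling, the Python script below shows the core of the first two items above: mapping how stolen funds flow between wallets and seeing where they were split and mixed with clean money. It applies the proportional ("haircut") taint rule: when a wallet that holds both stolen and unrelated funds spends, the stolen share travels in proportion to its part of the balance, and the total tainted amount is conserved across the whole graph. The ledger, the addresses, the transaction IDs and the exchange attribution labels are all constructed for the illustration; in a real case the transactions come from a node or block explorer and the labels from exchange attribution data.

```python
"""Fund-flow tracing over a constructed ledger using proportional (haircut) taint.

Added illustration for this article, not Lionsgate's code. Every address,
transaction ID, amount and service label below is made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    src: str
    dst: str
    amount: float
    height: int  # block height; transactions are processed in (height, txid) order


# Constructed ledger: 100 units leave the victim wallet V1 in the theft
# transaction t1, hop through fresh wallets, get split, receive an unrelated
# clean inflow (t9), and partly land on deposit addresses of two exchanges.
LEDGER = [
    Tx("t0", "X0", "V1", 100.0, 900),   # victim's own earlier, legitimate deposit
    Tx("t1", "V1", "H1", 100.0, 1000),  # the theft
    Tx("t2", "H1", "H2", 60.0, 1001),
    Tx("t3", "H1", "H3", 40.0, 1001),
    Tx("t9", "N1", "H2", 5.0, 1001),    # clean funds mixed into a hop address
    Tx("t4", "H2", "EX_A_DEP", 59.9, 1002),
    Tx("t5", "H3", "H4", 39.9, 1003),
    Tx("t6", "H4", "EX_B_DEP", 20.0, 1004),
    Tx("t7", "H4", "H5", 19.9, 1004),
    Tx("t8", "H5", "H5b", 19.8, 1005),
]

# Constructed attribution data: deposit addresses known to belong to a service.
KNOWN_SERVICES = {"EX_A_DEP": "Exchange A", "EX_B_DEP": "Exchange B"}


def trace_taint(ledger, theft_txid, services):
    """Propagate taint from the theft transaction through all later transfers.

    Haircut rule: an address with balance b holding t tainted units that spends
    a units sends a * t / b tainted units along with the transfer. Returns the
    tainted balance left on every address, the tainted amount delivered to
    each known service, one transaction path from the theft to each service,
    and every transfer that carried taint.
    """
    balance = defaultdict(float)
    taint = defaultdict(float)
    parent = {}                     # address -> first Tx that delivered taint to it
    to_service = defaultdict(float)
    tainted_flows = []              # (txid, src, dst, tainted_amount)

    for tx in sorted(ledger, key=lambda t: (t.height, t.txid)):
        if tx.txid == theft_txid:
            taint[tx.src] += tx.amount          # taint originates here
            moved = tx.amount                   # everything stolen is tainted
        elif balance[tx.src] > 0 and taint[tx.src] > 0:
            moved = tx.amount * taint[tx.src] / balance[tx.src]
        else:
            moved = 0.0                         # clean spender, nothing to follow
        balance[tx.src] -= tx.amount
        taint[tx.src] -= moved
        balance[tx.dst] += tx.amount
        taint[tx.dst] += moved
        if moved > 0:
            tainted_flows.append((tx.txid, tx.src, tx.dst, round(moved, 6)))
            parent.setdefault(tx.dst, tx)
            if tx.dst in services:
                to_service[services[tx.dst]] += moved

    # Walk the parent pointers backwards to show how funds reached each service.
    paths = {}
    for addr, label in services.items():
        chain, cur = [], addr
        while cur in parent:
            chain.append(parent[cur].txid)
            cur = parent[cur].src
        if chain:
            paths[label] = list(reversed(chain))

    return {
        "tainted_balance": {a: round(v, 6) for a, v in taint.items() if v > 1e-9},
        "to_service": {k: round(v, 6) for k, v in to_service.items()},
        "paths": paths,
        "flows": tainted_flows,
    }


if __name__ == "__main__":
    report = trace_taint(LEDGER, "t1", KNOWN_SERVICES)
    for label, amt in report["to_service"].items():
        print(f"{amt:.4f} tainted units reached {label} via {' -> '.join(report['paths'][label])}")
    print("tainted funds still sitting on wallets:", report["tainted_balance"])
```

Note how the clean 5-unit inflow into H2 dilutes what reaches Exchange A: only 60/65 of the 59.9-unit deposit is counted as stolen, which is exactly the kind of figure an exchange will ask for before freezing a deposit. The amounts that never reach a known service (H5b here) are the leads still open for tracing.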

How Lionsgate Intelligence Network Responds

Lionsgate Intelligence Network focuses on:

  • Blockchain forensics
  • Digital asset tracing
  • Cryptocurrency theft investigations and crypto fraud investigation

They assist U.S. federal agencies such as the FBI, Department of Homeland Security (DHS), Secret Service, and IRS Criminal Investigation, utilizing intelligence-grade methodologies to trace and recover stolen assets.

The team does not simply write up findings for federal partners; it follows the money itself using advanced blockchain forensics.

Final Insight

The North Korea crypto scam heralds a new category of cyber threats where the most vulnerable point to exploit is human trust. Technical defence alone can no longer be relied upon as the answer.

Awareness, out-of-band verification procedures, and rapid response now have to be part of securing digital assets against state-sponsored hackers and preventing cryptocurrency theft. If you or your organization has seen questionable cryptocurrency activity or been targeted by impersonation over a video call, acting promptly with the support of digital asset tracing and crypto asset recovery specialists substantially improves the chances of recovering funds.

Request a Confidential Consultation: https://www.lionsgateNetwork.com/contact

If you’ve been affected by a crypto scam, you are entitled to a case evaluation.
