North Korean hackers steal $300M via fake Zoom calls impersonating crypto industry figures

The attackers weaponize professional courtesy itself
North Korean hackers exploit the psychological pressure of business meetings to trick executives into installing malware.

In the quiet architecture of professional trust, North Korean operatives have found a door left open — the assumption that a familiar face on a screen means safety. Over months of patient infiltration, hackers hijacked Telegram accounts, studied private conversations, and staged convincing video calls using recycled footage to impersonate known colleagues, ultimately stealing $300 million in cryptocurrency from executives who had no reason to doubt what they were seeing. The operation is part of a broader campaign estimated to have extracted $2 billion from the crypto industry in a single year, a reminder that in the digital age, trust itself has become a vulnerability.

  • North Korean hackers are running a slow, methodical con — breaching trusted Telegram accounts and spending weeks studying relationships before ever making contact with a target.
  • Victims join what appears to be a routine business video call, only to be watching a looped recording of a colleague pulled from a podcast or public appearance, with no way to tell the difference in real time.
  • A staged technical glitch mid-call becomes the weapon — the request to download a 'fix' installs a Remote Access Trojan that hands attackers full control of the victim's machine, wallets, and network credentials.
  • Once inside a system, attackers drain crypto holdings, harvest security protocols, and steal Telegram session tokens to immediately pivot and repeat the cycle on the next person in the victim's contact list.
  • Security researcher Taylor Monahan has publicly named the tactic and issued a stark warning: any software download request during a video call should be treated as a breach in progress, not a courtesy to extend.

A North Korean hacking operation has stolen more than $300 million from cryptocurrency executives by turning professional trust into a weapon. The scheme begins not with a dramatic intrusion, but with a quiet one — a single compromised Telegram account belonging to a venture capitalist, conference organizer, or other figure familiar to the eventual target. From inside that account, attackers read conversation histories, learn the texture of relationships, and wait until they understand enough to be convincing.

When the moment comes, the target receives a calendar invitation to a video call on Zoom or Microsoft Teams — apparently from someone they know. They join, and they see a face they recognize. What they are actually watching is a recycled recording, looped footage from a podcast or public talk, played back in real time to simulate a live conversation. The illusion is designed to feel ordinary.

Midway through the call, the impersonator reports a technical problem — audio cutting out, video glitching — and asks the victim to download a script or software update to resolve it. The file is a Remote Access Trojan. Once installed, it gives attackers complete control: cryptocurrency wallets are drained, security credentials harvested, and Telegram session tokens stolen to begin the process again with the next person in the victim's network.

MetaMask researcher Taylor Monahan, who first documented the campaign publicly, identified the psychological engine driving it — the professional instinct to be helpful, to not seem paranoid, to accommodate a colleague's simple request. The attackers have learned to exploit courtesy itself. Her guidance was unambiguous: a request to download anything during a video call is a warning sign, not a favor to grant.

This theft does not stand alone. North Korean cyber actors are estimated to have taken $2 billion from the cryptocurrency industry over the past year, a figure that includes the Bybit breach and many other operations. The patience embedded in this particular campaign — the weeks spent reading private messages, the technical precision of deploying malware through social theater — points to an organized, well-resourced effort. These are not opportunists. They are architects of trust, building it carefully and collapsing it at exactly the right moment.

A group of North Korean hackers has stolen more than $300 million from cryptocurrency executives through an elaborate impersonation scheme that exploits the trust people place in their professional networks. The operation, which security researchers have characterized as a "long con," begins with a breach of a single Telegram account—typically belonging to a venture capitalist, conference organizer, or other figure known to the target. Once inside, the attackers study the conversation history to understand the relationship and establish credibility before making their move.

The next phase involves a video call invitation. The victim receives what appears to be a calendar link to a meeting on Zoom or Microsoft Teams, ostensibly from someone they know and trust. When they join, they see what looks like a live video feed of their contact. In reality, the attackers are playing a recycled recording—often footage pulled from a podcast appearance or public presentation—looped back to the victim in real time. The deception is designed to feel seamless, to feel like a normal business conversation.

Then comes the trap. Midway through the call, the impersonator claims to be experiencing technical difficulties. Audio is cutting out, or the video feed is glitching. To fix the problem, they ask the victim to download a script or install a software update. The file is malicious. Once installed on the victim's machine, it deploys a Remote Access Trojan—malware that gives the attackers complete control over the system. From there, they drain cryptocurrency wallets, harvest sensitive security protocols, and extract Telegram session tokens that allow them to pivot to the next target in the victim's network.

MetaMask security researcher Taylor Monahan first documented the campaign in a public alert. She noted that the operation exploits what might be called the psychology of professional obligation—the pressure people feel to be helpful and accommodating in a business context, the reluctance to seem paranoid or difficult. By framing the malware download as a simple technical fix, the attackers weaponize courtesy itself. Monahan's advice was blunt: any request to download software during a video call should be treated as a red flag, a sign that something is fundamentally wrong.

This $300 million theft is not an isolated incident. North Korean cyber actors have stolen an estimated $2 billion from the cryptocurrency industry over the past year, a figure that includes the Bybit breach and numerous other operations. The sophistication of this particular campaign—the patience required to study conversation histories, the technical skill needed to deploy RAT malware, the social engineering acumen to make a recycled video feed feel authentic—suggests an organized, well-resourced operation. The attackers are not rushing. They are building relationships, establishing trust, and then weaponizing that trust at the moment it matters most.

The operation weaponizes professional courtesy, exploiting the psychological pressure of business meetings to induce errors in judgment
— Taylor Monahan, MetaMask security researcher
Any request to download software during a call should be considered an active attack signal
— Taylor Monahan, MetaMask security researcher
The Hearth Conversation: Another angle on the story
Inventor

Why does this attack work so well against people who should know better? These are executives in crypto—they understand security.

Model

Because the attack doesn't ask them to be stupid. It asks them to be normal. A Telegram message from someone they know, a video call that looks real, a technical problem that needs solving. The psychology is the vulnerability, not the technology.

Inventor

But the video is fake. Surely people notice that?

Model

Not always. If it's a short call, if the lighting is right, if the person is focused on the conversation rather than scrutinizing the image, a recycled recording can pass. And there's no reason to be suspicious—you initiated the call with someone you trust.

Inventor

Once the malware is installed, what exactly can they do?

Model

Everything. They see your screen, they control your keyboard and mouse, they access your files. They can watch you type your passwords in real time. They can extract your crypto wallet keys, your internal security documents, your email. And they can use your Telegram account to do it all over again with your contacts.

Inventor

How many people have fallen for this?

Model

Enough to steal $300 million in a single campaign. That's not dozens of victims. That's a network of them, each one opening a door to the next.

Inventor

What's the defense?

Model

Skepticism about unsolicited downloads, even from people you know. Out-of-band verification—call them back on a number you already have. And understanding that a real technical support person will never ask you to download something during a call without warning you first, without giving you time to verify.
