It’s a lesson in how trust still gets people owned.
Riccardo (yes, “The Boss”) came across this article, and it lays it out clearly: North Korean threat actors are stealing crypto not by breaking blockchains, but by breaking people. Fake Zoom meetings. Fake investors. Fake job interviews. Real victims. Real money gone, vanished, poof!
The playbook is elegant and brutal. Targets are contacted through legitimate-looking channels. Calendars are shared (first rule of security: do not rely on calendars you do not have control over). Zoom links look clean. Cameras turn on. Small talk happens. Then comes the pivot: a request to install a “fix,” a “plugin,” a “private build,” or to screen-share something sensitive. From there, malware does the rest. Wallets drained. Keys exfiltrated. Funds routed through mixers, DeFi hops, and eventually into state-backed laundering pipelines.
No 0day needed. Just human access.
Let’s be clear about the monetary angle: this isn’t random cybercrime. This is “industrialized” theft used to fund a sanctioned regime.
Crypto is the perfect rail: fast settlement, weak attribution, global reach. Every compromised wallet isn’t just a personal loss, it’s fuel for missile programs, intelligence ops, and the next wave of attacks. The myth that crypto is “outside geopolitics” died years ago. We’re just pretending not to notice the corpse.
What makes this campaign dangerous isn’t sophistication. It’s patience (read this: https://www.helpnetsecurity.com/2025/11/18/open-weight-ai-model-security/).
North Korean operators will sit in meetings for weeks. They’ll build rapport. They’ll talk tokenomics, roadmaps, valuations.
They understand founders, developers, and investors because they’ve studied them.
This is social engineering at state scale, wrapped in Web3 aesthetics.
A few things should bother you deeply:
- meetings are now an attack surface
- screen sharing is a privilege, not a neutral action
- “just install this” is the new “click here”
- crypto custody without opsec is fantasy security
From a defender’s perspective, this blurs lines: traditional phishing awareness doesn’t cover live video interactions. SOC tools don’t flag “friendly conversation.” And most crypto teams still operate with startup reflexes: speed over verification, trust over controls, convenience over containment.
My take is simple and deeply uncomfortable: if your security model assumes that meetings are safe by default, you don’t have a security model. You have hope.
This is where Zero Trust stops being a buzzword and starts being personal. Verify identities, lock down endpoints used for calls, separate wallets from work machines. Treat every external interaction as potentially hostile, even when the faces look friendly and the accents sound right.
Def crypto isn’t broken… but human behavior around it is.
If you’re building, investing, or operating in this space, act now.
- review how meetings are handled
- audit who can install what
- isolate wallets
- train people on live social engineering, not just emails (we can help)
The matter isn’t whether North Korea will keep doing this; we all know they will.
The real question, then, is how many times the industry needs to bleed before it learns that trust is the most expensive vulnerability of all?

Chief Marketing Officer • social engineer OSINT/SOC/HUMINT • cyberculture • security analyst • polymath • COBOL programmer • nerd • retrogamer