cryptonews

THORChain co-founder loses $1.3m to North Korean Zoom scam

North Korean hackers continue to target the crypto industry, this time striking a THORChain co-founder in a sophisticated attack.

Summary

  • THORChain co-founder JP Thor lost about $1.3 million after North Korean hackers lured him into a Zoom deepfake scam.
  • Attackers used a hacked Telegram account, a fake video call, and a zero-day exploit to access Thor’s files and drain his MetaMask wallet.
  • North Korean cyber groups have stolen more than $2 billion in 2025 alone, with major incidents like the $1.5 billion Bybit hack.

According to a recent alert from blockchain security firm PeckShield, a THORChain executive lost roughly $1.3 million to cyber attackers. Further investigation revealed the victim as THORChain co-founder JP Thor, who recounted the ordeal in a detailed post on X and shared screenshots of the incident.

Thor explained that the attack began with a friend’s hacked Telegram account, which lured him into joining a Zoom call that appeared legitimate. During the brief two-minute session, he encountered a convincing deepfake video of his friend and unknowingly triggered a malicious script.

The script began copying his iCloud documents folder to a temporary directory, allowing the attackers to access sensitive data without raising immediate alarms. 

Thor said his compromised MetaMask wallet, which was linked to an inactive Chrome user profile and stored in his iCloud Keychain, was drained without any pop-up warnings or requests for admin access. He believes the hackers exploited an undisclosed zero-day vulnerability to penetrate his system and extract the wallet keys. 
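The behaviour described above, a script quietly copying the iCloud Documents folder into a temporary directory, is the kind of bulk file staging that host telemetry can flag before a wallet is touched. The following is an added illustration, not code from the article, from THORChain or from PeckShield: a small Python heuristic that reads file-copy events and alerts when one process moves several iCloud Drive files into a temp location within a short window. The event line format, the iCloud Drive path under `Mobile Documents`, the temp-directory prefixes and the sample events are all constructed assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed macOS layout (not taken from the article): iCloud Drive lives under
# the user's "Mobile Documents" folder; temp locations are /tmp, /private/tmp
# and the per-user /var/folders tree.
ICLOUD_DRIVE = "/Users/jp/Library/Mobile Documents/com~apple~CloudDocs"
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


@dataclass
class FileEvent:
    ts: datetime
    pid: int
    process: str
    src: str
    dst: str


def parse_event(line: str) -> FileEvent:
    """Parse one constructed event line: ISO-timestamp|pid|process|src|dst."""
    ts, pid, proc, src, dst = line.strip().split("|", 4)
    return FileEvent(datetime.fromisoformat(ts), int(pid), proc, src, dst)


def is_icloud_to_temp(ev: FileEvent) -> bool:
    """True when a file is copied out of iCloud Drive into a temp location."""
    return ev.src.startswith(ICLOUD_DRIVE) and ev.dst.startswith(TEMP_PREFIXES)


def detect_staging(lines, threshold=5, window_seconds=60):
    """Return {(pid, process): n} for every process that copied at least
    `threshold` iCloud Drive files into a temp directory within some
    `window_seconds`-long sliding window; n is the largest such count."""
    window = timedelta(seconds=window_seconds)
    by_proc = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if is_icloud_to_temp(ev):
            by_proc[(ev.pid, ev.process)].append(ev.ts)

    alerts = {}
    for key, times in by_proc.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            # shrink the window from the left until it spans <= window_seconds
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


# CONSTRUCTED sample events, not real telemetry. One unknown script stages six
# documents into /private/tmp within 25 seconds and one more five minutes later;
# a Finder copy to the Desktop and a backup to an external volume are benign.
_SRC = ICLOUD_DRIVE
SAMPLE_EVENTS = [
    f"2025-10-15T10:00:00|4242|unknown_script.sh|{_SRC}/notes.md|/private/tmp/.stage/notes.md",
    f"2025-10-15T10:00:05|4242|unknown_script.sh|{_SRC}/invoice.pdf|/private/tmp/.stage/invoice.pdf",
    f"2025-10-15T10:00:10|4242|unknown_script.sh|{_SRC}/contacts.csv|/private/tmp/.stage/contacts.csv",
    f"2025-10-15T10:00:15|4242|unknown_script.sh|{_SRC}/todo.txt|/private/tmp/.stage/todo.txt",
    f"2025-10-15T10:00:20|4242|unknown_script.sh|{_SRC}/deck.key|/private/tmp/.stage/deck.key",
    f"2025-10-15T10:00:25|4242|unknown_script.sh|{_SRC}/budget.xlsx|/private/tmp/.stage/budget.xlsx",
    f"2025-10-15T10:05:00|4242|unknown_script.sh|{_SRC}/draft.docx|/private/tmp/.stage/draft.docx",
    f"2025-10-15T10:00:12|311|Finder|{_SRC}/photo.jpg|/Users/jp/Desktop/photo.jpg",
    f"2025-10-15T10:00:30|507|backupd|{_SRC}/notes.md|/Volumes/Backup/notes.md",
]

if __name__ == "__main__":
    for (pid, proc), n in detect_staging(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} process={proc}: {n} iCloud Drive files staged to temp")
```

On the sample data only the unknown script trips the rule: six copies fall inside a 60-second window (the seventh, five minutes later, does not), while the single Finder copy and the backup to a non-temp volume are ignored. In a real deployment the event source would be an EDR or file-system audit feed and the threshold and window would be tuned against the host's normal sync traffic; the rule is a staging indicator, not proof of the specific intrusion described here.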

In efforts to recover the stolen funds, the team has now offered a bounty. A blockchain message tied to the hacked wallet states that a reward will be paid for the return of the stolen assets, promising no legal action if the assets are sent back within 72 hours.

This technique mirrors a broader trend already seen this year, in which North Korean-linked groups increasingly use deepfakes, social engineering, and advanced malware to compromise high-value crypto targets.

North Korean hackers’ playbook against crypto execs

Earlier this year, multiple crypto executives were targeted through a similar pattern of deepfake impersonation during video calls, resulting in significant losses. These attacks use advanced tactics, often combining AI-assisted voice or video disguise, malicious update prompts, and compromise of the target's device security.

The frequency of these attacks drew warnings from security experts and industry figures alike, who urged the industry to treat video verification with skepticism, noting that seeing a friendly face or hearing a familiar voice is no longer a reliable trust marker in light of AI deepfakes.

Throughout the year, North Korea-linked cyber groups have significantly escalated attacks on both institutions and individuals across the crypto space. The scale of thefts is already measured in billions of dollars, and the tactics have diversified beyond traditional exchange hacks and deepfake Zoom calls to fake job offers, identity fraud, and infiltration of developer networks.

The most headline-grabbing loss was the $1.5 billion theft from Bybit in February, which TRM and law enforcement have confidently attributed to North Korea. That single event accounts for a large share of the $2.17B in crypto theft losses reported so far this year.
