North Korea cybercriminals have executed a strategic pivot in their social engineering campaigns. They have stolen more than $300 million by impersonating trusted industry figures in fake video meetings.

The warning, detailed by MetaMask security researcher Taylor Monahan (known as Tayvano), outlines a sophisticated “long-con” targeting crypto executives.

How North Korea’s Fake Meetings Are Draining Crypto Wallets

According to Monahan, the campaign departs from recent attacks that relied on AI deepfakes.

Instead, it uses a more straightforward approach built on hijacked Telegram accounts and looped footage from real interviews.

The attack typically starts after hackers seize control of a trusted Telegram account, often belonging to a venture capitalist or someone the victim previously met at a conference.

Then, the malicious attackers exploit prior chat history to appear legitimate, guiding the victim to a Zoom or Microsoft Teams video call via a disguised Calendly link.

Once the meeting starts, the victim sees what appears to be a live video feed of their contact. In reality, it is often a recycled recording from a podcast or public appearance.

The decisive moment typically follows a manufactured technical issue.

After citing audio or video problems, the attacker urges the victim to restore the connection by downloading a specific script or updating a software development kit, or SDK. The file delivered at that point contains the malicious payload.

Once installed, the malware—often a Remote Access Trojan (RAT)—grants the attacker total control.

It drains cryptocurrency wallets and exfiltrates sensitive data, including internal security protocols and Telegram session tokens, which are then used to target the next victim in the network.

Considering this, Monahan warned that this specific vector weaponizes professional courtesy.

The hackers rely on the psychological pressure of a “business meeting” to force a lapse in judgment, turning a routine troubleshooting request into a fatal security breach.

For industry participants, any request to download software during a call is now considered an active attack signal.

Meanwhile, this “fake meeting” strategy is part of a broader offensive by Democratic People’s Republic of Korea (DPRK) actors. They have stolen an estimated $2 billion from the sector over the past year, including the Bybit breach.