North Korean hackers continue to focus on the crypto industry, this time targeting a co-founder of Thorchain in a sophisticated attack.
Summary
- Thorchain co-founder JP Thor lost around $1.3 million after North Korean hackers lured him into a deepfake scam.
- Attackers used a hacked Telegram account, a fake video call and a zero-day exploit to gain access to Thor's files and drain his MetaMask wallet.
- North Korean cyber groups alone have stolen more than $2 billion in 2025, including large incidents such as the $1.5 billion Bybit hack.
According to a recent alert from blockchain security company PeckShield, a Thorchain executive lost around $1.3 million to cyber attackers. Further investigation identified the victim as Thorchain co-founder JP Thor, who recounted the incident in a detailed post on X and shared screenshots of what happened.
Thor explained that the attack began with the hacked Telegram account of a friend, who lured him into joining a Zoom call that appeared legitimate. During the short two-minute session, he saw a convincing deepfake video of his friend and unknowingly triggered a malicious script.
The script began copying his iCloud Documents folder to a temporary folder, giving the attackers access to sensitive data without raising immediate alarms.
Thor said his compromised MetaMask wallet, which was linked to an inactive Chrome user profile and stored in his iCloud Keychain, was emptied without any pop-up warnings or requests for admin access. He believes the hackers used an unknown zero-day vulnerability to penetrate his system and drain the wallets.
In an attempt to recover the stolen funds, the team has now offered a bounty. An on-chain message attached to the hacked wallet states that a reward will be paid for the return of the stolen assets, and promises that no legal action will be taken if the assets are sent back within 72 hours.
This attack technique reflects a broader trend already seen this year, in which North Korea-linked groups increasingly use deepfakes, social engineering and advanced malware to compromise high-value crypto targets.
North Korean Hackers' Playbook Against Crypto Execs
Earlier this year, several crypto executives were targeted with a similar pattern of deepfake impersonation during video calls, resulting in considerable losses. These attacks rely on advanced tactics, often including AI-assisted voice or video cloning, malicious update prompts and compromised device protections.
The frequency of these attacks has drawn warnings from security experts and industry figures, who urged the industry to treat video verification with skepticism, noting that seeing a familiar face or hearing a well-known voice is no longer a reliable marker of trust in the age of AI deepfakes.
Throughout the year, attacks by North Korea-linked cyber groups on both institutions and individuals in the crypto space have escalated considerably. The scale of the thefts is already measured in billions of dollars, and the tactics have diversified beyond traditional exchange hacks and deepfake Zoom calls to fake job offers, identity fraud and infiltration of developer networks.
The most headline-grabbing loss was the theft of $1.5 billion from Bybit in February, which TRM and law enforcement confidently attributed to North Korea. That single event accounts for a large share of the $2.17 billion in crypto theft losses reported this year.