Tag: phishing attacks

  • Crypto firms compromised after North Korea-linked hackers deploy deepfake video calls

    North Korean hackers used AI-generated deepfakes to impersonate a prominent crypto CEO during a Zoom call, tricking an executive into downloading malware that compromised their company’s systems, according to a new report from Google’s Mandiant threat intelligence unit.

    The attack, attributed to the North Korea-linked group UNC1069, represents a dangerous evolution in social engineering tactics as hackers blend artificial intelligence with trusted professional tools to disarm their targets.

    The findings highlight how North Korean hackers continue to evolve their playbook as digital asset adoption grows and security defenses harden. Rather than relying on crude phishing emails, state-linked actors are now exploiting professional tools like Zoom, Telegram, and Calendly to appear legitimate and disarm their targets.

    AI Joins the Cyber Arsenal

    According to Mandiant, the attack was attributed to UNC1069, a financially motivated threat group active since at least 2018 and linked to Pyongyang. Researchers say North Korean hackers have steadily shifted their focus away from traditional finance toward the Web3 sector, where high-value assets and fast-moving teams create attractive attack surfaces.

    “Mandiant has observed this threat actor evolve its tactics, techniques, and procedures, tooling, and targeting,” the company said in its report. Since 2023, the group has prioritized centralized exchanges, blockchain developers, fintech firms, and venture capital professionals.

    This evolution mirrors a broader pattern in which North Korean hackers increasingly treat crypto not just as a target, but as a strategic revenue stream.

    A Compromised Contact Opens the Door

    The intrusion began with the takeover of a Telegram account belonging to a senior crypto executive. Using that trusted identity, North Korean hackers initiated casual conversations with the eventual victim, carefully building rapport over time.

    Once trust was established, the attackers sent a Calendly invitation for a video meeting. The link directed the target to a spoofed Zoom domain hosted on infrastructure controlled by the threat actors, a subtle detail easy to miss during a busy workday.

    This method underscores how North Korean hackers are exploiting familiar workflows rather than forcing victims into suspicious or unusual behavior.

    Deepfake Deception on Camera

    During the call, the victim reported seeing what appeared to be a real-time video of a well-known crypto CEO. Investigators believe North Korean hackers likely used AI-generated deepfake technology to impersonate the executive, adding credibility to the meeting.

    “While Mandiant was unable to recover forensic evidence to independently verify the use of AI models in this specific instance, the reported ruse is similar to previously documented incidents involving alleged deepfakes,” the report noted.

    Even without definitive proof, the scenario aligns with earlier cases where North Korean hackers used synthetic media to bypass human skepticism.

    Malware Delivered as ‘Tech Support’

    The attackers intentionally staged audio issues during the meeting, a tactic used to justify asking the victim to run troubleshooting commands. Those instructions, tailored separately for macOS and Windows, secretly launched the malware infection process.

    Once executed, North Korean hackers deployed an unusually large toolkit on the victim’s machine. Mandiant identified seven distinct malware families designed to harvest credentials, browser cookies, Telegram session data, and sensitive local files.

    The volume of tooling suggested a highly targeted operation, aimed at extracting maximum value from a single compromised individual.

    Dual Motives: Theft and Future Access

    Investigators concluded that North Korean hackers had two primary objectives: immediate access to assets that could enable cryptocurrency theft, and long-term intelligence gathering to fuel future social engineering campaigns.

    By stealing contact lists, credentials, and communication histories, attackers can replicate the same trusted-entry tactics across multiple organizations.

    “This type of intrusion isn’t just about one theft,” said John Hultquist, Chief Analyst at Google Mandiant. “It’s about building a pipeline of access that can be reused again and again.”

    Part of a Much Bigger Pattern

    The incident is far from isolated. In December 2025, BeInCrypto reported that North Korean hackers had siphoned more than $300 million by impersonating trusted industry figures during fraudulent Zoom and Microsoft Teams meetings.

    On a yearly scale, the numbers are even more alarming. Blockchain analytics firm Chainalysis estimates that North Korean hackers were responsible for $2.02 billion in stolen digital assets in 2025, representing a 51% increase year over year.

    Those figures reinforce concerns that cybercrime has become a significant funding mechanism for the regime.

    AI Raises the Stakes

    Chainalysis has also observed that scam clusters linked on-chain to AI service providers operate with higher efficiency than traditional groups. This suggests North Korean hackers are gaining leverage by integrating automation and generative tools into their operations.

    With deepfake software becoming cheaper and more accessible, experts warn that convincing impersonations may soon become the norm rather than the exception.

    A Security Race Against Time

    For the crypto industry, the rise of AI-enabled attacks presents a stark challenge. North Korean hackers are moving faster than many security teams can adapt, blurring the line between real and fake interactions.

    As these tactics spread, the coming years will test whether exchanges, developers, and investors can strengthen verification processes and human awareness quickly enough to counter one of the most persistent threats in digital finance.

  • Single victim loses $50 million in Ethereum address poisoning attack as scam claims $62 million

    A single Ethereum user lost $50 million in December after unknowingly sending funds to a fraudulent address, part of a devastating two-month address poisoning spree that has drained $62 million from just two victims, according to blockchain security firm ScamSniffer.

    “Two victims. $62M gone,” – ScamSniffer, Web3 anti-scam firm, in a Feb. 8 post on X.

    Both incidents followed the same pattern: attackers inserted nearly identical addresses into transaction records, relying on users to copy and paste from recent activity without verifying the full wallet string.

    How attackers are industrializing address poisoning campaigns

    Address poisoning attacks exploit routine wallet workflows. Scammers monitor blockchain transactions, generate vanity addresses that closely resemble legitimate ones, and send tiny dust transfers to targets.

    These small transactions insert fraudulent addresses into a user’s activity log.

    When users later copy an address from that history instead of manually verifying it, funds are transferred directly to the attacker.
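A defender-side check for the copy-from-history failure mode described above, as an added example that is not code from ScamSniffer or the article: it flags inbound dust from addresses that match a verified counterparty only on the prefix and suffix a wallet UI displays, and accepts a pasted recipient only on a full-string match. All addresses and the activity log are constructed.

```python
# Defender-side checks against Ethereum address poisoning. Added example,
# not code from ScamSniffer or the article; all addresses are constructed.
import re

HEX_ADDR = re.compile(r"^0x[0-9a-f]{40}$")

def normalize(addr: str) -> str:
    """Lower-case and reject anything that is not 20 bytes of hex."""
    addr = addr.strip().lower()
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr

def looks_like(candidate, known, prefix=4, suffix=4):
    """True for two distinct addresses that agree on the characters a wallet
    UI usually shows: the first `prefix` and last `suffix` hex chars."""
    c, k = normalize(candidate)[2:], normalize(known)[2:]
    return c != k and c[:prefix] == k[:prefix] and c[-suffix:] == k[-suffix:]

def flag_poisoning(history, trusted, dust_wei=10**15):
    """History entries matching the poisoning pattern: an inbound dust
    transfer from a lookalike of a trusted address."""
    flagged = []
    for tx in history:
        if tx["direction"] != "in" or tx["value_wei"] >= dust_wei:
            continue
        for name, good in trusted.items():
            if looks_like(tx["counterparty"], good):
                flagged.append((tx["counterparty"], name))
    return flagged

def verify_recipient(pasted, trusted):
    """Accept a recipient only on a full-string match with a trusted address;
    a prefix/suffix match alone is reported as a likely poisoned address."""
    addr = normalize(pasted)
    for name, good in trusted.items():
        if addr == normalize(good):
            return True, f"exact match: {name}"
        if looks_like(addr, good):
            return False, f"lookalike of {name}, not an exact match"
    return False, "address not in the verified address book"

# Constructed sample data: one verified counterparty and a lookalike that a
# wallet would display as 0x1111...eeee, exactly like the real one.
TRUSTED = {"exchange hot wallet": "0x1111aaaa2222bbbb3333cccc4444dddd5555eeee"}
POISON = "0x1111aa" + "9f" * 15 + "eeee"
HISTORY = [
    {"counterparty": TRUSTED["exchange hot wallet"], "value_wei": 5 * 10**18, "direction": "out"},
    {"counterparty": POISON, "value_wei": 1, "direction": "in"},  # the dust transfer
    {"counterparty": "0x" + "abcd" * 10, "value_wei": 10**18, "direction": "in"},
]

if __name__ == "__main__":
    print(flag_poisoning(HISTORY, TRUSTED))
    print(verify_recipient(POISON, TRUSTED))
```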

    Security researchers say the tactic has expanded rapidly following Ethereum’s late-2025 Fusaka upgrade, which reduced transaction costs and made large-scale scam operations cheaper to run.

    Millions of low-value transactions are now reportedly sent daily, many intended solely to prepare future theft attempts.

    The surge in spam activity is also skewing network metrics. Rising transaction counts and active wallet numbers increasingly include automated or malicious traffic rather than genuine economic demand.

    Investigations have linked some poisoning campaigns to organised groups that reuse infrastructure across thousands of wallets.

    Signature phishing losses also spike sharply

    Alongside address poisoning, ScamSniffer documented a significant rise in signature-based phishing during January 2026.

    The firm recorded $6.27 million in losses across 4,741 victims, a 207% month-over-month increase in value terms.

    Two wallets accounted for approximately 65% of the total damage, including major thefts of $3.02 million from SLVon and XAUt tokens and $1.08 million from aEthLBTC through malicious approval requests.

    These attacks typically present users with transaction prompts that appear routine. Once signed, they grant scammers persistent permission to access tokens, enabling withdrawals without further authorisation.

    The rise in signature phishing represents an additional operational risk layer that can bypass conventional security assumptions.
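A pre-signing screen for the approval prompts described above, as an added example that is not code from ScamSniffer or the article: it decodes the calldata of ERC-20 `approve()` and ERC-721/1155 `setApprovalForAll()` (standard 4-byte selectors) and rates an unlimited allowance or blanket operator grant to an unknown spender as high risk. The spender addresses and prompts are constructed.

```python
# Defender-side screening of a wallet prompt before it is signed: decode the
# calldata of ERC-20 approve() / ERC-721 setApprovalForAll() and flag the
# standing-permission pattern described above. Added example, not code from
# ScamSniffer or the article; spender addresses and prompts are constructed.

SELECTORS = {                       # standard 4-byte selectors
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",   # plain transfer, for contrast
}
UINT256_MAX = 2**256 - 1

def decode_call(calldata: str):
    """Return (function, spender_or_recipient, number) or None if unrecognised."""
    data = calldata.lower().removeprefix("0x")
    sel, body = data[:8], data[8:]
    if sel not in SELECTORS or len(body) != 128:     # exactly two 32-byte words
        return None
    addr = "0x" + body[24:64]            # address is right-aligned in word 0
    return SELECTORS[sel], addr, int(body[64:], 16)

def assess(calldata: str, known_spenders: set[str]):
    """Classify a prompt as low / medium / high risk with a reason string."""
    decoded = decode_call(calldata)
    if decoded is None:
        return "unknown", "unrecognised or malformed calldata"
    fn, target, num = decoded
    trusted = target in {s.lower() for s in known_spenders}
    if fn.startswith("approve"):
        if trusted:
            return "low", f"allowance to known spender {target}"
        if num == UINT256_MAX:
            return "high", f"unlimited ERC-20 allowance to unknown spender {target}"
        return "medium", f"allowance of {num} to unknown spender {target}"
    if fn.startswith("setApprovalForAll"):
        if num == 0:
            return "low", f"revokes operator rights of {target}"
        return ("low" if trusted else "high"), f"operator rights over all tokens to {target}"
    return "low", "one-off transfer, no standing permission granted"

def word(value: int) -> str:
    """ABI-encode an integer or address as one 32-byte big-endian word."""
    return f"{value:064x}"

# Constructed prompts: a drainer's approve/setApprovalForAll and a normal transfer.
SCAMMER = "0x" + "ba" * 20
ROUTER = "0x" + "7a" * 20
DRAINER_APPROVE = "0x095ea7b3" + word(int(SCAMMER, 16)) + word(UINT256_MAX)
NFT_DRAIN = "0xa22cb465" + word(int(SCAMMER, 16)) + word(1)
NORMAL_TRANSFER = "0xa9059cbb" + word(int(ROUTER, 16)) + word(10**18)

if __name__ == "__main__":
    for prompt in (DRAINER_APPROVE, NFT_DRAIN, NORMAL_TRANSFER):
        print(assess(prompt, {ROUTER}))
```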

    Industry calls for stricter verification habits

    Security firms are urging investors to adopt stricter transaction verification practices, including manually confirming full wallet addresses and avoiding copying from transaction history.

    Analysts expect both address poisoning and signature phishing to remain persistent threats as transaction fees stay relatively low and automation tools become more accessible to attackers.

    The recent incidents demonstrate that even as Ethereum infrastructure evolves, user-level operational security remains a critical line of defence.

    Without improvements in wallet interfaces and verification habits, routine actions, such as copy-and-paste transfers, are likely to continue generating disproportionate financial losses across the ecosystem.

  • Blockchain sleuth ZachXBT identifies Coinbase impersonator who stole $2M from crypto users

    A Canadian man posing as a Coinbase support executive has been publicly identified after stealing more than $2 million from crypto users over the past year.

    Blockchain investigator ZachXBT traced the fraudster to Abbotsford, British Columbia, after the suspect inadvertently exposed his identity during a recorded support call and flaunted stolen funds on social media.

    In a Dec. 29 post on X, ZachXBT detailed how the Canadian crypto scammer convinced users he was a legitimate Coinbase support agent using a mix of spoofed communications and psychological manipulation.

    By cross referencing Telegram chat screenshots, social media activity, and on-chain wallet movements, the investigator identified the suspect, known online as “Haby” or “Havard.”

    According to ZachXBT, the Canadian crypto scammer accumulated over $2 million in the past year alone, spending the proceeds on rare social media usernames, bottle service, gambling, and other luxury activities.

    A leaked video shared by the investigator shows the Canadian crypto scammer impersonating Coinbase support during a live call, in which he inadvertently exposed an email address and his Telegram handle, critical clues that tied his online identities together.

    The fraudster reportedly cycled through expensive Telegram usernames and deleted old accounts to obscure his trail. However, the Canadian crypto scammer ultimately undermined his own operation by publicly flaunting a lavish lifestyle on social media. These posts allowed ZachXBT to connect the dots and reportedly trace the individual’s location to Abbotsford.

    Coinbase users remain prime targets

    Due to its scale and brand recognition, Coinbase continues to attract attackers using tactics ranging from phishing emails to impersonation scams.

    In most cases, funds stolen by a Canadian crypto scammer are rapidly laundered through complex transaction paths or privacy-focused assets, making recovery extremely difficult without swift law enforcement action.

    Earlier this year, ZachXBT urged Coinbase to take urgent steps after revealing that social engineering attacks led to at least $65 million stolen from users between December 2024 and January 2025.

    In June, he also exposed a New York-based scammer known as “Daytwo,” who siphoned more than $4 million from Coinbase users, including a $240,000 theft from a senior citizen, often routing funds through online gambling platforms.

    Other major exchanges, including Binance, have faced similar impersonation campaigns in the past, underscoring the industry-wide nature of the threat.

    To stay safe, users should remember that legitimate support staff will never request seed phrases or passwords, or ask to move conversations to third-party apps like WhatsApp or Telegram. Remaining vigilant is the best defense against the next Canadian crypto scammer attempting to exploit trust in the crypto ecosystem.

  • Fake game beta test drains 100,000 yuan from Singapore crypto entrepreneur’s wallets

    A Singapore crypto entrepreneur lost more than 100,000 yuan after downloading what appeared to be a legitimate game beta test from Telegram, only to discover the software contained malware that drained his wallets within 24 hours.

    The victim, Mark Koh, founder of crypto victim-support organization RektSurvivor, revealed the details in an interview with Chinese-language outlet Lianhe Zaobao and a LinkedIn post that has since drawn widespread attention across the Web3 community.

    Game-Testing Scam Began on Telegram With a “Too-Polished” Pitch

    Game-testing scam tactics often rely on urgency and exclusivity, and this case followed that exact blueprint.

    According to Koh, the attack began on Dec. 5, when he came across a beta testing opportunity for an online game called MetaToy on Telegram.

    What made the game-testing scam particularly convincing was its professional presentation.

    The project featured a polished website, an active Discord server, and team members who responded promptly to questions.

    “As someone who has invested in and evaluated multiple Web3 projects, nothing initially stood out as suspicious,” Koh said, explaining why his guard was down.

    Malware Hidden Inside Game Launcher Triggered the Game-Testing Scam

    The game-testing scam escalated the moment Koh downloaded MetaToy’s game launcher. Unknown to him, the installer silently dropped malware on his computer that was designed specifically to target browser-based crypto wallets.

    Although Norton antivirus flagged suspicious activity, Koh attempted to contain the threat by running full system scans, removing malicious registry entries, and reinstalling Windows 11.

    Despite those defensive measures, the damage was already irreversible.

    Game-Testing Scam Drained Wallets Within 24 Hours

    Within a single day, every software wallet connected to Koh’s Rabby and Phantom browser extensions had been emptied.

    In total, the scam wiped out 14,189 USDT, worth roughly 100,000 yuan, representing crypto assets Koh had accumulated over eight years.

    This attack appeared highly targeted, Koh warned, adding that angel investors, developers, and early-stage Web3 testers are especially vulnerable due to their frequent interaction with beta software.

    Security Advice

    Following the incident, Koh urged crypto users to rethink how they store sensitive wallet data.

    He advised removing seed phrases from browser-based wallets when not actively in use and relying on private keys instead, reducing exposure across derivative wallets.

    The fraud has since been reported to Singapore police, which confirmed to Lianhe Zaobao that a formal report has been received.

    Game-Testing Scam Reflects a Wider Surge in Crypto Malware

    The MetaToy game-testing scam is not an isolated case. It arrives amid a broader surge in malware campaigns targeting crypto users worldwide.

    In October, cybersecurity firm McAfee warned that hackers were abusing GitHub repositories to keep banking malware connected to fresh command-and-control servers.

    This year has also seen fake AI tools, malicious Captchas, and compromised Ethereum code extensions used to distribute crypto-stealing malware—often masquerading as legitimate developer utilities.

    From Game-Testing Scam to Phishing: Losses Are Mounting

    Beyond malware, phishing attacks continue to devastate investors. In August, a crypto investor lost $3.05 million in USDT after unknowingly signing a malicious blockchain transaction, according to blockchain analytics platform Lookonchain.

    The attacker exploited a common user habit: verifying only the first and last characters of a wallet address while ignoring the middle.

    According to CertiK’s latest security report, crypto investors lost over $2.2 billion to hacks, scams, and breaches in the first half of 2025 alone.

    Wallet compromises accounted for $1.7 billion across just 34 incidents, while phishing scams caused more than $410 million in losses across 132 attacks.

    The MetaToy incident underscores a sobering reality: game-testing scam operations are evolving faster than user defenses.

    As attackers blend polished branding with weaponized software, even experienced crypto veterans are at risk.

    In today’s threat landscape, skepticism—not excitement—may be the most valuable asset Web3 users can hold.
