Using its BTI threat-intelligence network, SlowMist has monitored the North Korean cyber organization Lazarus since 2022 and reports that a disturbing Telegram phishing campaign targeting the cryptocurrency industry is underway. More concerning still, the group's techniques now include impersonating reputable financial firms in phishing operations aimed at crypto project teams. Rather than impersonating well-known investment institutions at random, the North Korean hackers select their targets carefully and then create Telegram accounts in the chosen institutions' names. This elaborate setup is designed to win the trust of unsuspecting targets.
North Korean Hackers Exploit Group-meeting.team for Cyberattacks
These phony accounts let the hackers approach prominent Decentralized Finance (DeFi) project teams, engaging them in the guise of potential investors from the chosen investment institutions.
To build credibility, they try to persuade teams to download a script, presented as a prerequisite for scheduling a meeting. Project teams with strong security awareness recognize the risk of running arbitrary scripts, but the mimicry is skilled and convincing enough that people without a security background may fall for the fraud.
After building trust with the project team, North Korean hackers arrange and coordinate meetings. They use two attack methods:
First, meetings on Group-meeting.team are used to lure the project team. The perpetrators claim to want a meeting or discussion with the team but send a malicious meeting link. When the link is opened, the project team is shown a regional access restriction, and the North Korean hackers talk them into downloading and running a script that supposedly changes their location. Once the project team agrees to give the hackers control of their computers, the funds are stolen.
Second, the hackers use Calendly's "Add Custom Link" feature on event pages to insert malicious URLs for phishing. Because Calendly is integrated seamlessly into most project teams' workflows, these malicious links are hard to spot, and project team members may click them and end up downloading and running harmful applications.
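Both lures above end with a link the target is expected to open. As an added example (not SlowMist's or the article's own code), this is how a team could triage invitation links before anyone clicks; the allowlist, the placeholder .example domains and the sample invites are all constructed for the demo and should be adapted to the team's own tooling.

```python
from urllib.parse import urlparse

# Added example, not SlowMist's or the article's code. The allowlist and sample
# invites are constructed for this demo; adjust the allowlist to your own stack.
ALLOWED_MEETING_HOSTS = {"zoom.us", "meet.google.com", "teams.microsoft.com"}
# Conferencing vocabulary that makes an unfamiliar host look like a real service.
LURE_WORDS = ("meet", "meeting", "call", "conference", "zoom")
# File types a "fix your region" or "install this to join" lure typically delivers.
SCRIPT_EXTS = (".sh", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr",
               ".exe", ".msi", ".pkg", ".dmg", ".zip")

def host_allowed(host: str) -> bool:
    """True only for an allowlisted domain or a subdomain of one (us02web.zoom.us)."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_MEETING_HOSTS)

def triage_link(url: str) -> dict:
    """Return a verdict ('ok' or 'block') plus the reasons for one invitation URL."""
    p = urlparse(url.strip())
    host = (p.hostname or "").lower()
    reasons = []
    if p.scheme != "https":
        reasons.append("not an https link")
    if not host_allowed(host):
        reasons.append(f"host not in the meeting allowlist: {host or '<none>'}")
        if any(w in host for w in LURE_WORDS):
            reasons.append("unfamiliar host uses conferencing wording (lookalike)")
    if p.path.lower().endswith(SCRIPT_EXTS):
        reasons.append("link delivers a script or installer; a meeting link never does")
    return {"url": url, "verdict": "block" if reasons else "ok", "reasons": reasons}

def triage_invite(text: str) -> list:
    """Pull every http(s) URL out of invite text (e.g. a Calendly custom link) and triage it."""
    urls = [t.strip("<>()[],.") for t in text.split() if t.startswith(("http://", "https://"))]
    return [triage_link(u) for u in urls]

# Constructed sample invites: one genuine-looking call and two lures in the style
# described above (placeholder .example domains, not real indicators).
SAMPLE_INVITES = [
    "Join our call: https://us02web.zoom.us/j/0000000000",
    "Region restricted? Run this first: https://group-meeting.example/unlock/fix-region.sh",
    "Custom link from the investor: https://meet-invest-capital.example/join",
]

if __name__ == "__main__":
    for invite in SAMPLE_INVITES:
        for r in triage_invite(invite):
            print(r["verdict"].upper(), r["url"], "; ".join(r["reasons"]))
```

A blocked verdict is a prompt to verify the sender through a separate channel, not a reason to open the link in a sandbox.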
SlowMist Urges Caution Amid Persistent Phishing Threats
SlowMist advises Web3 users to stay cautious given the persistence of these phishing scams. Before accepting new contacts, verify their identity carefully through multiple independent channels. Enable Telegram two-factor authentication (2FA) to strengthen account security, and remain vigilant about transaction security to avoid financial losses.
In the event of a malware infection, disconnect the machine from the internet and run an antivirus scan. Immediately change the passwords for every relevant account used on the compromised machine, including those saved in web browsers. If the compromised computer holds digital wallets, transfer the funds immediately to a secure location.