One Click and Your Wallet Is Gone: How Fake Meeting Link Scams Work

Match Systems Blockchain Investigations Team

In January 2026, Martin Kuchar, one of the organizers of BTC Prague, received a message on Telegram. A familiar contact, a compromised account, a familiar context – an invitation to jump on a call. The link led to a page visually identical to Zoom. What followed was the standard script: audio issues, a prompt to install an update. That was all it took.

This is not phishing in the classical sense. There is no suspicious email with typos and a strange sender address. This is a trust management operation – and that is precisely why it works even on experienced participants in the crypto market.

The Scale of the Threat

According to the FBI, in 2025 American users filed 181,565 complaints related to cryptocurrency fraud. The average loss per complaint was $62,604. Total losses from investment scams reached $7.23 billion out of $11.36 billion in documented crypto fraud for the year.

Impersonation attacks specifically saw growth of more than 1,400% year-on-year in 2025. The average payment made by a victim increased from $782 in 2024 to $2,764 in 2025.

A significant portion of these attacks can be traced to a single structure: Lazarus Group and its affiliated North Korean intelligence units. According to FBI and Mandiant data, in 2025 they stole $2.02 billion in cryptocurrency – a 51% increase over the previous year. The Bybit attack in February 2025 – $1.5 billion in a single operation – was attributed directly to them by the FBI.

How the Attack Works: Step by Step

The operation begins long before any call takes place. Attackers reach the target through Telegram, LinkedIn, email, or X. A pseudo-recruiter offers a Web3 position paying $16,000 to $44,000 per month. An ‘investor’ wants to discuss a deal. A ‘partner’ wants to connect. Everything looks like a routine business contact – because in the crypto industry, strangers genuinely reach out to each other every day.

The next step is the meeting link. The victim sees a convincing imitation: a Zoom waiting room with audio cues from other participants, a Google Meet page with a correct interface. Domains are purpose-built: uswebzoomus[.]com, googlemeetinterview[.]click, 9ooggleactivemeett[.]live. According to Netcraft and Malwarebytes, operators prepare backup domains across multiple hosting providers in advance – anticipating inevitable takedowns.

On the fake meeting page, an error message appears: microphone issue, client update required, extension needs to be installed. The victim is asked to paste a command into the terminal, download an installer, or run a script. This moment is deliberately designed to look like routine technical troubleshooting. That is exactly why it works.
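The link is the one artifact in this chain that can be checked mechanically before anything is clicked. As an added example (not code from the article or from Match Systems), the routine below takes a meeting link as received in chat, possibly defanged, and classifies its hostname as belonging to a genuine meeting provider, as a lookalike of one, or as unknown. It uses only the Python standard library. The allowlist of provider hosts, the brand tokens, the digit-to-letter map and the sample links are constructed assumptions for the illustration; the three lookalike domains are the ones named above.

```python
"""Classify a meeting link's hostname: genuine provider, lookalike, or unknown.

Added example for the fake-meeting-link scam described in the article.
The allowlist, brand tokens and sample links below are assumptions made for
this illustration, not data from the article.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Assumed allowlist of hosts the genuine clients use. Subdomains of these are
# accepted (us02web.zoom.us), anything else is not.
ALLOWED_HOSTS = ("zoom.us", "meet.google.com", "teams.microsoft.com")

# Brand words an attacker is likely to imitate in a lookalike domain.
BRAND_TOKENS = ("zoom", "google", "meet", "teams")

# Assumed digit-for-letter substitutions seen in lookalike names (9ooggle).
_DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "9": "g"})


def _fold(text: str) -> str:
    """Map digits to look-alike letters and collapse repeated characters,
    so that 'googgle', 'goooogle' and '9oogle' all fold to 'gogle'."""
    return re.sub(r"(.)\1+", r"\1", text.translate(_DIGIT_MAP))


def classify_link(url: str) -> Tuple[str, str]:
    """Return (verdict, hostname).

    verdict is one of 'allowed', 'lookalike', 'unknown' or 'unparseable'.
    Defanged input such as hxxps://example[.]com is accepted.
    """
    raw = url.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in raw:
        raw = "https://" + raw
    # urlsplit().hostname discards userinfo, port and path, so a link like
    # https://zoom.us@evil.example/ yields the real host, not the decoy.
    host = urlsplit(raw).hostname
    if not host:
        return ("unparseable", "")
    host = host.lower().rstrip(".")

    for allowed in ALLOWED_HOSTS:
        if host == allowed or host.endswith("." + allowed):
            return ("allowed", host)

    # Anything not on the allowlist that still mentions a brand is a lookalike.
    # This is a coarse heuristic: 'meet' folds to 'met', so a hit is a reason
    # to verify out of band, not a final verdict.
    folded = _fold(host)
    if any(_fold(token) in folded for token in BRAND_TOKENS):
        return ("lookalike", host)
    return ("unknown", host)


def triage(links: List[str]) -> Dict[str, str]:
    """Classify every link; returns url -> verdict."""
    return {link: classify_link(link)[0] for link in links}


# Constructed sample input: two genuine links, the three lookalike domains
# from the article, and two decoy forms that put 'zoom.us' where the eye
# looks first.
SAMPLE_LINKS = [
    "https://us02web.zoom.us/j/123456789",
    "https://meet.google.com/abc-defg-hij",
    "uswebzoomus[.]com",
    "hxxps://googlemeetinterview[.]click/interview",
    "https://9ooggleactivemeett.live/",
    "https://zoom.us@uswebzoomus.com/j/1",
    "https://zoom.us.uswebzoomus.com/j/1",
    "https://example.org/",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:11} {link}")
```

The check is deliberately narrow: it answers only "is this host one the real client would use", which is the question the waiting-room imitation is built to stop you asking. Internationalised hostnames arrive from urlsplit as their Unicode form, so a homograph with non-Latin letters would land in "unknown" rather than "lookalike"; treat both as a reason to confirm the call through a channel the sender does not control.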

After installation, attackers gain full access to the device: keystroke logging, clipboard monitoring, real-time screenshots, browser data, and wallet extension data – MetaMask, Trust Wallet, Phantom, and others. On macOS the Keychain, including anything synced through iCloud Keychain, is a target as well. Any seed phrase or private key that was ever typed or copied on the device should be considered compromised.

The Deepfake That Isn’t

One of the most technically sophisticated elements is what Kaspersky GReAT documented as GhostCall. Attackers record video from the webcams of previous victims without their knowledge. During a call with the next target, they play back this footage – the victim sees a live video stream of a real person from their professional network.

This is not a deepfake in the technical sense. It is a recording of a real person the victim likely knows. The attacker remains ‘with audio issues’ and communicates only via text chat. Psychologically, it is a near-perfect trap: you see a familiar face, hear a familiar voice in the recording, and have no basis for suspicion.

Immediately after compromising a device, attackers gain access to the victim’s Telegram contacts and use the account to send the same link to the next wave of potential targets. The attack propagates through trusted professional networks with no external indicators.

Who Is Behind This

Lazarus Group, BlueNoroff, UNC1069, TraderTraitor, Famous Chollima: these are the names different vendors use for overlapping sub-units of a single operation run by North Korea's Reconnaissance General Bureau. The attribution comes from the FBI, Mandiant, and Kaspersky. Since 2021, the primary focus has been Web3.

Active campaigns documented in 2025-2026:

Contagious Interview: fake recruiting interviews that end in a ClickFix payload. According to SentinelLABS, at least 230 people were affected in Q1 2025 alone, and the real figure is likely higher.

GhostCall: fake Zoom calls targeting Web3 executives and venture investors.

Mach-O Man: attacks through compromised Telegram accounts targeting the C-suite in crypto and fintech.

The Drift Protocol case warrants special attention. Lazarus spent six months on infiltration: meeting the team in person at conferences across multiple countries, depositing $1 million in real capital to establish credibility. The drain of $286 million took 12 minutes. This is not a scam – it is a state-level operation with a budget and a planning horizon.

According to Mandiant and Google Threat Intelligence Group, unit UNC1069 has been officially documented using Google Gemini for operational research, generating personalized lure content targeting specific victims, and writing code. Attack automation at the level of a state actor.

Why Standard Security Advice Does Not Work Here

The conventional advice to ‘not click suspicious links’ is useless in this context. The page looks like Zoom. The domain is close enough to the real one to pass at a glance. The person on the video stream is someone the victim actually knows. The installer is signed with a valid digital certificate, stolen from a legitimate company. The antivirus stays silent, because some attackers are not deploying custom malware at all, but repurposed commercial enterprise monitoring software.

“We encounter this attack pattern in investigations regularly. The fundamental difference from classical phishing is that there is no technical exploit. On-chain, the transaction looks entirely legitimate – authorized by the wallet owner. This is precisely why a proper investigation requires not only on-chain tracing but off-chain event reconstruction: the attack timeline, identification of the entry vector, device analysis. Neither is sufficient without the other when it comes to working with law enforcement.”

— Ais Dorzhinov, Co-Founder, Match Systems

This is a fundamentally different category of threat: a trust management operation, not a technical exploit. Defense needs to be operational – not only technical.

How to Protect Yourself: What Actually Works

For individual holders and investors, a hardware wallet remains the most reliable barrier even in the event of full device compromise. A seed phrase that never existed on a computer cannot be stolen through malware. It protects the key, not the decision: a transaction approved on the device without reading the recipient and amount on the device's own screen is still authorized by the owner, so verify those details on the hardware, not on the compromised computer. A dedicated device used exclusively for crypto operations, with no browsing, calls, or file downloads, is not paranoia. It is operational hygiene.

The most important single measure: verify through an alternative channel before any unexpected call. If a ‘partner’ messages you on Telegram – call them on the phone number from your address book, not through Telegram. If a ‘recruiter’ sends a Meet link – find the company through Google and contact them directly. One additional verification step closes the majority of attack scenarios.

For companies and teams: isolate corporate wallets from working devices, use multisig with split keys for significant assets, prohibit installation of any ‘meeting software’ outside an approved list. All client updates must come from official websites directly – never through a link in a chat. Regular team briefings with concrete examples of current schemes – not as a compliance formality, but as real preparation.

An underestimated organizational measure: if someone in your team or professional network has been compromised, notify all of their contacts immediately. GhostCall-style attacks propagate through trusted networks within hours, and the speed of notification directly affects how many people become the next victims.

If It Has Already Happened: The First Hours Are Everything

The Bybit drain took a few hours. Drift Protocol – 12 minutes. Once funds leave the primary wallet, every minute narrows the window for a freeze.

The typical movement pattern for stolen funds in Lazarus operations: immediate withdrawal to intermediate addresses, swaps through DEXs to break the direct on-chain connection, bridging to another network, fragmentation across dozens of intermediate addresses, final withdrawal through OTC operators with weak KYC requirements or conversion to Monero.

Blockchain forensics in these cases enables address attribution through on-chain behavioral patterns, tracing fund movements through bridges and swaps, labeling destination addresses, and sending freeze notifications to exchanges before final withdrawal. It also supports structuring on-chain data for law enforcement requests and legal proceedings. One important limitation to understand: if funds have already been withdrawn through small, unlabeled exchangers, options narrow significantly. This is why speed of response in the first hours is decisive.

If an incident has already occurred, do not spend time on self-analysis. Contact professional firms specializing in cryptocurrency theft investigation and asset recovery. 
