North Korean hackers have once again targeted the cryptocurrency industry, this time executing a sophisticated attack on THORChain co-founder JP Thor that resulted in a loss of approximately $1.3 million. The attack, detailed in a recent alert from blockchain security firm PeckShield, relied on a series of deceptive tactics.
JP Thor fell victim to the hackers after receiving a Zoom call invitation from a friend whose Telegram account had been compromised. During the call, he encountered a convincing deepfake video of his friend and unknowingly triggered a malicious script that allowed the attackers to access his files. The script began copying his iCloud documents folder to a temporary directory, enabling the hackers to access sensitive data without raising suspicion.
The attackers targeted Thor’s MetaMask wallet, which was linked to an inactive Chrome user profile and stored in his iCloud Keychain. Utilizing an undisclosed zero-day exploit, the hackers were able to extract the wallet keys and drain the funds without triggering any pop-up warnings or requests for admin access.
In response to the theft, the THORChain team has offered a bounty for the return of the stolen assets. A blockchain message tied to the hacked wallet promises no legal action if the stolen funds are returned within 72 hours.
This incident is part of a growing trend where North Korean-linked cyber groups are employing advanced tactics such as deepfakes, social engineering, and malware to target high-value crypto individuals and institutions. Earlier this year, multiple crypto executives were similarly targeted through deepfake impersonations during video calls, resulting in significant financial losses.
The escalating attacks by North Korean cyber groups have resulted in billions of dollars in theft across the crypto space in 2025. These attacks have evolved beyond traditional exchange hacks to include fake job offers, identity fraud, and infiltration of developer networks. The $1.5 billion theft from Bybit in February, attributed to North Korea by TRM and law enforcement, stands out as one of the largest incidents contributing to the $2.17 billion in crypto theft losses from services reported this year.
As the industry grapples with the increasing sophistication of cyber attacks, experts emphasize the importance of approaching video verification with caution, as AI deepfakes have made it challenging to rely on visual or auditory cues as trust markers. Vigilance and robust security measures are crucial in safeguarding against such malicious activities in the crypto space.

