Hack Attempt on GK8 Executive Through Fake Zoom Call: A Real-World Social Engineering Case

Introduction

Last week, a GK8 executive was targeted in a highly sophisticated social engineering attack. Impersonating an acquaintance of the exec on Telegram, the attackers lured him onto a fake Zoom call that looked like the real thing. 

“It was shockingly realistic,” our colleague later told our research team. “You think you’re too experienced to fall for something like this, but when it’s that well-prepared, anyone can be caught off-guard.” His reaction underscores just how convincing these operations have become and how even the most seasoned professionals can be manipulated in the right circumstances.

This incident confirms the findings of a research paper we recently published: “Bespoke Cybertheft: How Threat Actors Are Targeting U.S. Crypto Firms and Executives.” In that report, GK8 researchers revealed how threat actors are actively recruiting skilled voice-based social engineering operatives to conduct highly targeted attacks on senior crypto executives. These operations are no longer ad hoc but meticulously planned campaigns, supported by curated datasets of personal information and specialized human talent.

The overlap between our real-world experience and our research findings points to a new era of cybercrime, where human manipulation is as central to the attack as any technical exploit. Let’s walk step by step through what happened in this unsuccessful attack and review why it’s a wake-up call for the crypto industry.

Step-by-Step Breakdown of the Attack

Step 1. The Unexpected Invite

Our colleague received a Telegram message from what appeared to be a familiar business contact. The account wasn’t random — it had a real history of conversations from about a year earlier, which made it look legitimate. The message started casually, “long time no speak,” and said the contact had changed jobs and that she had a new opportunity to discuss with us. Our executive knew that this person had, in fact, changed jobs, so the story seemed credible. The conversation then moved quickly to a Calendly invite and what appeared to be a Zoom link for a routine client meeting.

Step 2. An Odd “Meeting Room”

Upon joining the Zoom session, our GK8 colleague immediately noticed slight differences in the interface from the standard Zoom version, which was the first red flag. There were three participants already in the room. This, in itself, wasn’t unusual.

But their video feeds were blurred, as if the cameras weren’t working properly. Only one person spoke. She never introduced herself, yet her fluent, American-accented English gave the call an initial sense of authenticity.

Step 3. The Fake “Audio Issue”

Just moments into the call, the participants told our colleague there was a problem with his audio. On his screen, the audio and video icons lit up red, creating the impression that something was broken. The "problem" was staged by the fake meeting page itself: the participants then offered a "solution" and pushed him to install an "update" or "patch," which was, of course, the trap. The supposed fix was the malware delivery step.

Step 4. Turning the Tables

Instead of following their instructions, our colleague, alert and aware that these requests were a red flag, suggested switching to a new Zoom link that he generated himself.

The representatives of our “potential client” quickly refused to move the call, claiming they got an error message when trying to join the new Zoom.

Our colleague then proposed moving to Google Meet, but they dismissed that too. By then, it was obvious: this was no real client call, but a setup.

Step 5. The Disappearing Act

As soon as they realized our colleague would not download anything, the participants vanished from the call, and the entire Telegram chat was instantly wiped. He then reached out via LinkedIn to his business contact, who confirmed what was already clear – her Telegram account had been compromised.

Other Scams Use Similar Tactics

Our colleague’s experience is just one example among many.

Mehdi Farooq, an investment partner at crypto venture capital firm Hypersphere, lost six wallets and years of savings after falling victim to a fake Zoom call phishing attack. The attackers impersonated a known contact and persuaded him to install malware under the guise of a Zoom update, leading to the compromise of his system and the theft of his assets. 

Jake Gallen, CEO of Emblem Vault, lost over $100,000 in digital assets after falling victim to a Zoom-based attack. The attackers impersonated media representatives to lure him into a genuine Zoom call, during which they exploited Zoom's remote control feature to install malware on his system. Once the malware was installed, they accessed his cryptocurrency wallets and drained the funds. Note that remote control is a feature a Zoom account administrator can disable in the account's meeting settings; where it is not needed for business, turning it off removes that avenue entirely.

Beyond North Korea: Social Engineering Goes Global

Many media reports and research studies have linked these highly targeted social engineering attacks against crypto executives to threat actors affiliated with North Korea. However, our research team found that this trend extends far beyond any single nation-state.

On closed, invitation-only dark web forums, we observe threat actors openly discussing, advertising, and seeking out these methods of attack. These discussions take place in multiple languages, including English and Russian, indicating broad and international adoption of sophisticated voice- and video-based social engineering techniques.

[Forum screenshot: A threat actor shops for Zoom phishing malware and finds a willing vendor.]

[Forum screenshot: Another threat actor seeks Zoom phishing malware similar to what was tried on the GK8 exec.]

[Forum screenshot: In a thread discussing ways to send malware to victims without drawing attention, a threat actor advises (translated from Russian).]

Clearly, while North Korean actors are prominent in high-profile cases, the tactics have become widely known and are now employed by a variety of cybercriminal groups and individuals globally. Organizations must therefore assume that any executive or high-value employee could be a potential target.

Lessons from a Near-Miss Zoom Attack

Even the most experienced professionals can be caught off guard when a scam is crafted carefully. Here’s what our recent incident shows about defending against highly targeted social engineering:

Verify meeting platforms and participants

If something feels off – an unfamiliar UI, blurred video feeds, unexpected requests, or unusual prompts – pause. Don't follow instructions to install updates or patches within the call. Confirm the meeting through a channel you already have for that contact (a known phone number, a corporate email address, or, as our colleague did afterwards, LinkedIn), never through the chat or link that delivered the invite.
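One concrete form of the platform check, added here as an illustrative example rather than GK8's own tooling: a small Python checker that flags meeting links whose host is not a genuine Zoom domain. The allowlist (`zoom.us`, `zoom.com`) is an assumption for illustration; confirm which domains your organization's Zoom account actually uses, including any vanity subdomain, before relying on it. The checker deliberately rejects the tricks a fake invite tends to use: look-alike hosts (`zoom.us.attacker.example`, `zoom-us.example`), user info placed before `@` so the real host is hidden, IP-literal hosts, plain `http`, and punycode or non-ASCII hostnames. The sample message is constructed and does not reproduce the real Telegram exchange.

```python
"""Flag meeting links whose host is not a genuine Zoom domain (illustrative example)."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Assumed allowlist for illustration, not an official Zoom list. Subdomains such as
# us02web.zoom.us or a vanity name like company.zoom.us are accepted; nothing else is.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")

_URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _host_is_allowed(host: str, allowed: tuple[str, ...]) -> bool:
    """True only if host equals an allowed domain or is a subdomain of one.
    'zoom.us.attacker.example' and 'zoom-us.example' do not match."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_meeting_link(url: str, allowed: tuple[str, ...] = ZOOM_DOMAINS) -> tuple[bool, str]:
    """Return (ok, detail). ok is True only for an https URL whose hostname is an
    allowed domain or a subdomain of one, with no userinfo, IP literal or IDN tricks."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, expected https"

    host = parts.hostname  # lowercased; userinfo and port are already stripped off
    if not host:
        return False, "no host"
    host = host.rstrip(".")

    # 'https://zoom.us@evil.example/...' parses with username 'zoom.us' and host evil.example
    if parts.username is not None or parts.password is not None:
        return False, f"userinfo before '@' hides the real host {host!r}"

    # Homograph defences: reject any non-ASCII host and any punycode label.
    # Conservative by design: Zoom meeting hosts in this allowlist are plain ASCII.
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False, f"non-ASCII host {host!r} (possible homograph)"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"punycode host {host!r} (possible homograph)"

    # A bare IP address is never a legitimate Zoom meeting host.
    try:
        ipaddress.ip_address(host)
        return False, f"IP literal host {host!r}"
    except ValueError:
        pass

    if not _host_is_allowed(host, allowed):
        return False, f"host {host!r} is not an allowed Zoom domain"
    return True, host


def triage_links(message: str) -> list[tuple[str, bool, str]]:
    """Extract every http(s) URL from a chat message and check each one."""
    results = []
    for url in _URL_RE.findall(message):
        ok, detail = check_meeting_link(url)
        results.append((url, ok, detail))
    return results


# Constructed sample message, modelled on the invite pattern in the article.
SAMPLE_MESSAGE = (
    "Hey, long time no speak! I moved to a new firm, got something for you. "
    "Join here: https://us02web.zoom.us/j/1234567890?pwd=abc123 "
    "(if that fails use https://zoom-us-meet.example/j/1234567890)"
)

if __name__ == "__main__":
    for url, ok, detail in triage_links(SAMPLE_MESSAGE):
        print(("OK     " if ok else "REJECT ") + url + "  -> " + detail)
```

A link that passes this check only says the host belongs to Zoom; it says nothing about who is on the call or what they ask you to install, which is where the attack on our colleague actually lived. Use it to catch the cheap cases and keep the out-of-band verification for the rest.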

Trust your instincts and turn the tables

Our colleague avoided the trap by suggesting alternative Zoom and Google Meet links. When contacts refuse to switch and make excuses, it’s a strong signal that something is wrong.

Train your human firewall

Social engineering exploits human trust. Regular training and simulations of live-call impersonation, voice phishing, and fake meeting tactics make employees far less likely to fall for these tricks.

Enforce multiple checks for critical actions

Even if the attackers had succeeded in compromising our colleague's machine, their next move would almost certainly have been an attempt to access one of our wallets. But with our patented uMPC (unlimited multi-party computation) algorithm, one duped user would never be enough to sign a transaction. This demonstrates why enforcing multiple layers of checks for critical actions is non-negotiable.

High-stakes decisions should never rely on a single individual. Structured verification steps and multi-party approvals ensure that attackers cannot exploit urgency, trust, or social engineering to push through harmful actions.

Be cautious with downloads during virtual meetings

Any unexpected file or update request during a video call should raise red flags, especially if someone claims it’s urgent or pressures you to do it. Cybercriminals exploit the mental load professionals face: unscheduled calls, multiple simultaneous requests, and the instinct to respond quickly.

Keep sensitive operations offline whenever possible

Whether it’s digital assets or internal tools, minimize what’s exposed in active systems. Always-offline storage solutions, like GK8’s Impenetrable Vault, and multi-party computation solutions, such as our Unlimited MPC, help reduce risk by making it much harder for a single compromised account to move assets or cause a major breach.

Stay informed on emerging threats

Share real-world examples like this one. Knowing the tactics attackers use – blurred Zoom participants, fake “audio issues,” or patch instructions – helps teams recognize and avoid them.

Even when a call seems professional and the setup is convincing, vigilance, verification, and quick thinking make all the difference.

We’ll continue to share insights into the evolving tactics and practices threat actors use to target executives and high-value individuals, including trends in real-life calls. Stay tuned for more real-world examples and practical guidance to keep your organization ahead of these sophisticated attacks.

Disclosures:

This document has been prepared by GK8, a Galaxy company, solely for informational purposes. It does not constitute an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options, digital assets, or other financial instruments, nor does it constitute investment, legal, or tax advice.

Any statements or views expressed herein reflect current observations regarding cybersecurity trends and custody architecture and do not guarantee protection against unauthorized access, fraud, or asset loss. References to specific custody models (including MPC and Vault architecture) are illustrative and should not be interpreted as guarantees of performance or security.

Certain information contained in this report, including observations on threat actor tactics and forum activity, has been derived from third-party sources. GK8 and Galaxy Digital Holdings LP do not independently verify such data and make no representations as to its accuracy or completeness.

Galaxy Digital and its affiliates may have financial interests in, or provide services to, entities and protocols discussed in this report. The views expressed are those of the authors and do not necessarily reflect those of Galaxy Digital, GK8, or their affiliates.

© Copyright Galaxy Digital Holdings LP 2025. All rights reserved.
