The Silent Ambush: How the Fake Video Call Scam from North Korea Compromises Crypto Wallets

An international scam scheme based on fake video calls continues to wreak havoc in the cryptocurrency community. According to reports from SEAL Security Alliance, multiple attempts are recorded every day, and the scheme has already caused losses exceeding $300 million. Its sophistication lies in how convincingly it impersonates legitimate platforms, turning a fake call into an entry point for digital asset theft.

How the Cycle Begins: Contact via Telegram

The attack starts in an apparently harmless way. The criminals compromise Telegram accounts and use them to contact cryptocurrency users with a credible pretext. The initial message may come from an account the victim recognizes, creating a false sense of trust.

According to analysis by Taylor Monahan, a cryptocurrency security expert, the conversation quickly shifts to a fake video conference call. The attackers share links that are meticulously designed to appear authentic. “Usually, these links are disguised to look legitimate,” explains Monahan, highlighting that during the video call, the user can see the contacting person and even some of their colleagues, which reinforces the illusion of legitimacy.
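A disguised link is the first technical artifact the victim sees, so it is worth knowing what to look at before clicking. The following Python is an added example, not code from the article or from SEAL or Monahan: it inspects a “join the call” URL offline for the usual lookalike tricks (user-info placed before the real host, raw IP hosts, punycode or non-ASCII labels, and a brand name buried in an unrelated domain) against a small allowlist of meeting platforms. The allowlist and the sample URLs are constructed for the example; nothing here says which domains the real attackers used.

```python
import ipaddress
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example (an assumption, not from the article):
# the meeting platforms your team actually uses. Anything else is suspect.
KNOWN_MEETING_HOSTS = ("zoom.us", "meet.google.com", "teams.microsoft.com", "meet.jit.si")


def allowlisted_parent(host: str, allowlist: Iterable[str]) -> Optional[str]:
    """Return the allowlisted name that `host` equals or is a true subdomain of."""
    for known in allowlist:
        if host == known or host.endswith("." + known):
            return known
    return None


def check_meeting_link(url: str, allowlist: Iterable[str] = KNOWN_MEETING_HOSTS) -> List[str]:
    """Return the reasons to distrust a 'join the call' link; an empty list means none found.

    Only the URL text is inspected (no network access), so this catches the
    lookalike tricks a disguised link relies on, not where the page redirects.
    """
    allowlist = tuple(allowlist)
    reasons: List[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()  # hostname drops the port and any user-info

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, not https")
    if not host:
        reasons.append("no hostname in URL")
        return reasons
    # "https://zoom.us@evil.example/..." shows a trusted name, but the text
    # before '@' is user-info; the real host is what follows it.
    if parts.username is not None:
        reasons.append(f"user-info {parts.username!r} precedes the real host {host!r}")
    try:
        ipaddress.ip_address(host)
        reasons.append(f"host {host!r} is a raw IP address")
        return reasons
    except ValueError:
        pass
    # Punycode (xn--) or raw non-ASCII labels are how homoglyph domains
    # (Cyrillic 'о' for Latin 'o', and so on) reach the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append(f"host {host!r} contains a punycode (xn--) label")
    if not host.isascii():
        reasons.append(f"host {host!r} contains non-ASCII characters")

    if allowlisted_parent(host, allowlist) is None:
        # "zoom.us.login-example.com" borrows a brand name without being
        # under the brand's domain.
        borrowed = sorted({k.split(".")[0] for k in allowlist if k.split(".")[0] in host})
        if borrowed:
            reasons.append(
                f"host {host!r} mentions {', '.join(borrowed)} but is not under an allowlisted domain"
            )
        else:
            reasons.append(f"host {host!r} is not an allowlisted meeting platform")
    return reasons


if __name__ == "__main__":
    for sample in (  # constructed samples, not real attacker URLs
        "https://us02web.zoom.us/j/123456789",
        "https://zoom.us.login-example.com/j/123456789",
        "http://zoom.us@203.0.113.5/j/123456789",
    ):
        print(sample, "->", check_meeting_link(sample) or "no issues found")
```

The check deliberately stops at the URL text: a link that passes it can still redirect somewhere else once opened, so it is a filter for the obvious tricks, not a guarantee.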

The Main Mechanism: The “Patch” File that Distributes Malware

Once the fake call is under way, the attackers stage an audio or connectivity problem. This is the crucial point of the scheme: the “fix” they offer is a file to download, presented as a “security patch” or software update.

Opening this file completely compromises the victim’s device. The insidious part of the attack is that after infection, cybercriminals end the conversation and act with extreme caution. “Unfortunately, at that moment, your computer is already compromised,” comments Monahan. “They just stay calm to avoid raising suspicion.”
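The article does not say what the “patch” file actually was, so the following Python is an added example, not code from the article or from the researchers it cites: it shows the check a practitioner applies to any unexpected download before opening it, namely whether the file's name and its first bytes agree. The signature tables, extension lists and sample inputs are constructed for the example; the PE, ELF, Mach-O and .lnk magic values are the documented ones.

```python
import os
from typing import List

# Signatures of content that runs code when opened. Constructed list for this
# example; extend it for the platforms you care about.
EXECUTABLE_MAGICS = [
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit executable"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit executable"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal binary (also the Java class magic)"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "Windows shortcut (.lnk)"),
    (b"#!", "script with an interpreter line"),
]

# What a genuine file with one of these "harmless" extensions starts with.
DOCUMENT_MAGICS = {
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
}

EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".msi", ".lnk", ".vbs", ".js",
    ".jar", ".sh", ".command", ".app", ".pkg", ".dmg", ".run",
}

# Unicode right-to-left override: "fix\u202efdp.exe" is displayed as "fixexe.pdf".
RLO = "\u202e"


def assess_download(filename: str, head: bytes) -> List[str]:
    """Return reasons a downloaded 'patch' is not what its name suggests.

    `head` is the first bytes of the file (64 are enough for every signature
    above). An empty list means nothing suspicious was found in name or content.
    """
    findings: List[str] = []
    if RLO in filename:
        findings.append("filename contains a right-to-left override that reverses how the extension is displayed")
    name = filename.replace(RLO, "").lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""

    # "Update.pdf.exe": the document extension is bait, the last one is what runs.
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_MAGICS and ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension .{parts[-2]}{ext}: looks like a {parts[-2]} but opens as {ext}")
    elif ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"extension {ext} runs code when opened")

    for magic, description in EXECUTABLE_MAGICS:
        if head.startswith(magic):
            findings.append(f"content is a {description}")
            break

    expected = DOCUMENT_MAGICS.get(ext)
    if expected is not None and not head.startswith(expected):
        findings.append(f"content does not carry the {ext} signature the name promises")
    return findings


def scan_file(path: str) -> List[str]:
    """Apply assess_download to a file on disk, reading only its first 64 bytes."""
    with open(path, "rb") as fh:
        return assess_download(os.path.basename(path), fh.read(64))


if __name__ == "__main__":
    # Constructed inputs: a real PDF header and a PE header under a PDF name.
    print(assess_download("notes.pdf", b"%PDF-1.7\n"))
    print(assess_download("AudioFix.pdf", b"MZ\x90\x00\x03\x00"))
```

Note what the check cannot do: a disk image (.dmg) or an installer package carries its signature elsewhere than the first bytes, and an archive can hide an executable one level down, so a clean result from this script only means the name and header are consistent, not that the file is safe to open.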

The installed malware is not limited to a single target. It has the capacity to:

  • Access and steal cryptocurrency wallets
  • Capture passwords and private keys
  • Take control of Telegram accounts
  • Monitor transactions and financial movements

The Expansion of the Fraud: When Your Compromised Telegram Becomes a Weapon

Controlling the Telegram account is the mechanism that perpetuates this criminal cycle. Once they gain access, the attackers use your contact list as a gold mine for new victims. Each stored contact receives the same initial message, creating a cascading effect that exponentially expands the reach of the scam.

Monahan was direct in her warning: “Then you’re going to ruin all your friends.” This chain of contagion potentially compromises dozens of people in your contact network.

Line of Defense: Immediate Steps if You Clicked on a Suspicious Link

If there is suspicion that the device has been infected, the window of time to act is critical. Experts recommend:

First step - Immediate isolation:
Disconnect the device from WiFi (and unplug any network cable), then turn it off. Cutting the network is what stops the malware from reaching its remote servers, exfiltrating what it has gathered, or spreading to other devices on the same network. One caveat: powering off also discards whatever was in memory, so if you intend to have the machine examined by an incident responder, tell them it was shut down rather than left running.

Second step - Mobilize from another device:
From a device you trust, move crypto funds to a new wallet whose seed phrase was generated on that clean device (a wallet restored from a seed that ever existed on the infected machine must be treated as stolen), change all passwords, and activate two-factor authentication on every platform that offers it. Never type a seed phrase or password into the infected device again.

Third step - Device cleanup:
Perform a full disk wipe and reinstall the operating system from trusted installation media before using the infected device again. Deleting the file you opened is not enough, since the malware may have established persistence elsewhere on the system.

Fourth step - Protect your Telegram (critically): In Telegram's settings, open the list of active sessions (Settings > Devices in current clients), review every session, terminate any you do not recognize, and turn on two-step verification so that a stolen session or an SMS code alone is not enough to log in again. This protection is especially important because the account is the link that attackers use to keep spreading the scheme.

What You Need to Know About This Threat

Reports of deepfake videos generated by artificial intelligence have circulated widely, but researchers clarify that in many cases, it is not synthesized content but real recordings of previous sessions where other users were hacked or from public sources like podcasts. This clarification does not diminish the threat but underscores how compromised some users’ networks are.

The sophistication of this fraud, which combines social engineering with advanced malware, makes it one of the most dangerous threats for cryptocurrency holders. The constant vigilance of SEAL Security Alliance, recording multiple daily attempts, indicates that this is not an isolated phenomenon but a systematic and coordinated attack.
