$1.35M Drained in THORChain Co-Founder Scam: Deepfakes, Telegram Hacks, and DPRK Links
A sophisticated scam has cost a THORChain co-founder $1.35 million after attackers combined a hacked Telegram account, a convincing deepfake video call, and what may have been a zero-day exploit to steal keys from an old MetaMask wallet.
How the Attack Played Out
On September 9, JP, one of THORChain’s co-founders, lost access to funds from a forgotten MetaMask account. The attackers initially hijacked a friend’s Telegram account and used it to invite him to a Zoom meeting.
During the call, a deepfake video added credibility. JP clicked on a link but didn’t see any pop-ups or suspicious prompts. He suspects the attackers leveraged access to his encrypted iCloud Keychain or a secondary Chrome profile on his Mac, where his wallet data was stored.
According to his own account, no administrator password requests or installation prompts appeared, suggesting the use of a zero-day exploit.
Forgotten Wallet, Hidden Assets
The stolen funds came from an old MetaMask wallet JP had staked assets in—tokens that don’t appear on Etherscan unless tracked through portfolio tools. This made the account easy to overlook until it was too late.
Following the theft, blockchain trackers identified an on-chain message sent to the exploiter’s wallet. The note offered a bounty for returning the stolen THOR tokens within 72 hours, promising no legal action if the attacker complied and provided contact details for THORSwap’s team.
Investigators Confirm the Breach
Blockchain investigators confirmed that approximately $1.2 million to $1.35 million was drained from JP’s account. The breach was first reported by on-chain monitoring services, which flagged suspicious transfers tied to the compromised wallet.
Notably, critics highlighted that THORChain itself had previously profited from the laundering of assets connected to DPRK-backed hacks on platforms like Bybit—making this incident appear ironically fitting given the suspected North Korean ties.
Lessons and Warnings
Reflecting on the attack, JP stressed several lessons:
- Private keys become riskier over time – avoid long-term storage in iCloud, Google Drive, or similar services.
- Use independent two-factor authentication, ideally on a burner device.
- Adopt threshold signature wallets like Vultisig, which split key shares across multiple devices for added protection.
He warned: “Attacks are only going to escalate. Solutions exist—we just need to upgrade our wallets.”
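The third lesson above rests on one property: no single device should hold a complete private key. The following Python, added here as an illustration and not code from the article or from the Vultisig project, shows that property with a 2-of-3 Shamir secret split over the secp256k1 field prime. The key value is a constructed sample. Real threshold-signature wallets go further than this: they sign with multi-party computation so the full key is never assembled anywhere, whereas this simpler scheme does reconstruct the secret in one process when enough shares are combined; it demonstrates only that any single stolen share (or stolen device) reveals nothing, and that the threshold is enforced mathematically rather than by policy.

```python
import secrets

# Field prime of secp256k1; every 256-bit EVM private key is below it, so a
# key can be treated as one field element. (Constant is the curve's p, not its n.)
PRIME = 2**256 - 2**32 - 977

# Constructed sample "private key" for the demonstration; not a real key.
SAMPLE_KEY = 0x4F3C2B1A0E9D8C7B6A5F4E3D2C1B0A998877665544332211FFEEDDCCBBAA9988


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x, modulo PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, share_count):
    """Split an integer secret into share_count shares; any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree threshold-1,
    and each share is a point (x, f(x)) on that polynomial. Fewer than `threshold`
    points leave the constant term information-theoretically undetermined.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares):
    """Recover the secret from a list of (x, y) shares by Lagrange interpolation at x = 0.

    If fewer shares than the threshold are supplied this still returns a value, but it
    is a point on a different polynomial and bears no relation to the real secret.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = (num * (-xj)) % PRIME
            den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo(secret=SAMPLE_KEY):
    """Split the sample key 2-of-3, then show which share subsets recover it."""
    shares = split_secret(secret, threshold=2, share_count=3)
    results = {
        "phone+laptop": recover_secret([shares[0], shares[1]]) == secret,
        "phone+tablet": recover_secret([shares[0], shares[2]]) == secret,
        "laptop+tablet": recover_secret([shares[1], shares[2]]) == secret,
        # A single compromised device holds one share; on its own it yields garbage.
        "phone_alone": recover_secret([shares[0]]) == secret,
    }
    return results


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:>14}: {'recovers key' if ok else 'does NOT recover key'}")
```

The share at x = 0 is never issued, so the secret is only ever recovered by interpolation; mapping the three shares to three physical devices, as the article's threshold-wallet advice suggests, means an attacker who empties one device (an old laptop profile or a synced keychain, as in this case) still holds nothing usable.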
A Bigger Picture: Telegram Scams Exploding
This case is part of a broader crisis. By mid-2025, crypto investors had lost $2.2 billion, with wallet breaches and scams making up the bulk of incidents. Crystal Intelligence estimates that over the past 14 years, hacks and breaches have stolen $22.7 billion in total.
Scam Sniffer recently reported that malware scams on Telegram have surged by 2,000% since November, surpassing traditional phishing campaigns. Fraudsters distribute malicious code through fake verification bots in airdrop, trading, and alpha groups—harvesting passwords, private keys, and wallet data once executed.
The UN has previously estimated that scams, laundering operations, and stolen data sales on Telegram generate more than $36.5 billion annually, much of it via USDT.
Meanwhile, cybercriminals continue to promote deepfake tools and malware, with the U.S. Treasury linking Huione Group to $98 billion in illicit crypto flows, some tied directly to North Korea’s Lazarus Group.
