CoinDesk Podcast Network

The Blockspace Pod: How North Korean Hackers Stole $300M+ Via Telegram w/ Taylor Monahan

CoinDesk

Business News, Daily News, News, Tech News

4.7698 Ratings

🗓️ 31 January 2026

⏱️ 67 minutes

Summary

North Korean hackers with the Lazarus Group have stolen over $300 million with this Telegram phishing scam. Subscribe to the Blockspace newsletter!

Welcome back to The Blockspace Podcast! Today, Taylor Monahan, a security lead at MetaMask, joins us to talk about a highly sophisticated $300M phishing attack linked to North Korea’s Lazarus Group. Taylor shares how the Lazarus Group hijacks Telegram accounts to lure victims into fake Zoom meetings and download a Trojan horse malware program. We break down the hackers’ strategy, how the malware works, which wallet types are most vulnerable to theft, and what users can do to protect themselves, whether or not they have fallen prey to the scam. Tune in to learn how to identify these red flags and implement better digital hygiene for your crypto assets.

Check out this article for a deep dive into how the malware works; plus, follow Taylor for updates on X and keep track of Lazarus Group’s history of hacks via her GitHub.

Subscribe to the newsletter! https://newsletter.blockspacemedia.com

Notes:

* Lazarus Group stole over $300M in the last year.
* Attackers hijack Telegram accounts.
* Scammers use fake Zoom links to deploy malware.
* Malware often bypasses paid antivirus software.
* Sandbox architecture on iOS offers more safety.
* Software wallets and browser wallets are most vulnerable.
* 2FA remains critical for sensitive account access.

Timestamps:

00:00 Start
03:51 Telegram attack
11:30 2 Factor Authenticators
13:48 Losses
16:38 Calculating losses
19:08 North Korea
21:52 Malware
24:17 Malware detection
25:16 EDR
27:12 Wallets
34:21 Is verifying addresses enough?
39:28 Wallet malware design
44:11 What do they want?
54:16 Taylor stealing payloads
1:01:49 Steps to protect

👉CleanSpark, America's Bitcoin Miner! CleanSpark (Nasdaq: CLSK) is a market-leading data center developer with a proven track record of success. We own a portfolio of power, land, and data centers across the United States powered by globally competitive energy prices. Sitting at the intersection of Bitcoin, energy, operational excellence and capital stewardship, we optimize our infrastructure to deliver superior returns to our shareholders. Monetizing low-cost, high reliability energy by producing a global emerging critical resource – compute – positions us to prosper in an ever-changing world.

Transcript

0:00.0

It starts with a Telegram account and it's the Telegram account has been taken over by the threat actors.

0:06.7

It used to belong to like a real person like you.

0:09.4

When you get on the call, their scam version of Zoom will basically tell you that your audio device,

0:15.1

it can't hear you, your audio device isn't working, you need to do something.

0:18.7

And then the threat actor will also be in Telegram being like, I can't hear you. Like, I see you, but I can't hear you. What's going on? They then prompt you to download an AppleScript, usually, which just completely wrecks your computer with, like, the deepest malware. They're very helpful. These scammers are very helpful. They'll help you troubleshoot your issue. They helped me troubleshoot a little bit too well because I, the, my Mac's permissions were

0:41.3

set up in such a way that the original link did not automatically download the malware.

0:45.8

So I had to run the script through terminal. I feel more on in retrospect, because that should

0:50.0

have been, you know, the alarm that's blowing off. But everything else up to that point,

0:54.2

it's like I have a chat history with this person. It's a friend and a former colleague.

0:59.0

There was the video of him. The video was weird because it's not like it's obviously not a

1:03.4

live feed. And you mentioned that they're not deep fakes. They're actually recorded videos.

1:07.6

It's also really freaking freaking terrifying. And the whole thing had a weird feel

1:12.3

about it, but I was up super early. I was also taking care of my daughter at the time. And so I just,

1:18.8

there were so many inputs I wasn't thinking about. And it just goes to show how freaking crazy

1:23.5

some of these phishing attacks have come. And this one is by far the most sophisticated I've ever

1:27.4

seen. Welcome back to the Blockspace Pod brought to you by CleanSpark. The North Korean

1:34.0

hacking syndicate Lazarus Group has stolen more than $300 million in crypto in the last year alone

1:40.8

using a highly sophisticated phishing attack that targets users' Telegram accounts.

1:46.1

I was personally victimized by this phishing attack in December.

1:50.9

I didn't lose any coins as a result, but I did lose access to my nearly 10-year-old Telegram

1:56.5

account as a result.

1:57.7

To diagnose this problem and explain how users can shield themselves against it,

...

Disclaimer: The podcast and artwork embedded on this page are from CoinDesk, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of CoinDesk and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
