Journalist
Hassan Shittu
Journalist
Hassan Shittu
Share
THORChain co-founder JP lost $1.35 million from a personal wallet on Sept. 9 after falling victim to a Telegram phishing scam linked to North Korea. The attack combined a hacked Telegram account, a deepfake Zoom call, and what he believes was a zero-day exploit.
His loss joins the list of recent high-profile losses in the crypto space. Last month, billionaire heiress Taylor Thomson lost over $80 million in crypto after investments tied to a psychic. Similarly, earlier this month, a crypto investor lost $3.05M after signing a malicious transaction.
$1.2M THORChain Wallet Drained in Telegram Deepfake Scam, Investigators Confirm
Blockchain investigator ZachXBT confirmed the incident, stating that JP’s wallet was drained after he joined a fake meeting link shared through Telegram. PeckShieldAlert had earlier reported the breach, reporting that approximately $1.2 million had been stolen from a THORChain user’s wallet.
Unravelling the stolen funds, JP explained in a post on X that the funds were tied to an old MetaMask account he had forgotten. The wallet contained staked assets that did not appear on Etherscan, making it easy to overlook.
JP also explained that the scam began when a friend’s Telegram account was hacked. The attackers invited him to a Zoom call, where a deepfake video was used to increase credibility. JP clicked a link during the call but saw no suspicious prompts or requests for credentials.
He believes the attackers may have accessed his encrypted iCloud Keychain or a separate Chrome profile on his Mac, where MetaMask keys were stored. “There was no request for admin passwords or installation,” JP wrote. “It has to be an active or recently patched 0-day.”
In a bid to recover the stolen funds, on-chain data flagged by Lookonchain showed a new message sent to the exploiter’s wallet. The message, recorded on Etherscan, offered a bounty if the stolen THOR tokens were returned within 72 hours, promising “no legal action” if the hacker complied and provided contact details for the THORSwap team.
Notably, ZachXBT noted that THORChain and its co-founder had previously profited from the laundering of funds tied to DPRK exploits, including hacks on exchanges like Bybit. “It’s a bit poetic he got rekt here by DPRK,” ZachXBT said.
Highlighting the lessons learned from the experience, JP emphasized that private keys grow riskier the longer they are stored, urging users not to back them up on iCloud, Google Drive, or similar services. He also recommended using two-factor authentication on a separate device, such as a burner phone, to reduce exposure.
He added that threshold signature wallets like Vultisig, which split key shares across multiple devices, represent the next stage of crypto security. “Attacks are going to only get worse,” JP said. “It can be solved; we just need to upgrade our wallets.”
Telegram Scams Surge: $2.2B Lost in 2025 as Malware Attacks Overtake Phishing
By the end of June this year, crypto investors had lost $2.2B, mostly from wallet breaches and scams. Crystal Intelligence confirmed that over 1,000 hacks, scams, and DeFi breaches have stolen $22.7B in crypto across 14 years of tracked incidents.
Specifically, Scam Sniffer reported that crypto scammers are targeting Telegram, where malware scams have surged 2,000% since November and overtaken traditional phishing. Attackers spread malware through bogus verification bots in trading, airdrop, and alpha groups, allowing them to steal passwords, private keys, and wallet data once users execute malicious code.
Noting the abundance of hacks on Telegram, last year, the United Nations estimated scams, money laundering, and stolen data sales on Telegram generated more than $36.5 billion annually, often through USDT.
Criminals also promote deepfake tools and malware, with the U.S. Treasury linking Huione Group to $98 billion in illicit crypto flows tied partly to North Korea’s Lazarus Group.
To curb this, Telegram shut down Huione Guarantee in May 2025, but rival Tudou Guarantee quickly absorbed its users and drove a 400% surge in activity.
Similarly, Telegram shut down thousands of channels tied to Xinbi and Huione Guarantee, which processed over $35 billion in illicit USDT transactions, Elliptic reported. The platforms used encrypted groups to sell money laundering, stolen data, and fake IDs, with Huione linked to Cambodia’s ruling elite.
