Mehdi Farooq, a former executive at Animoca Brands and current investment partner at Hypersphere, has revealed he lost a significant portion of his life savings in a sophisticated phishing attack traced back to the North Korean hacking group Lazarus.
In a post shared on X (formerly Twitter) on Thursday, Farooq recounted how the attack unfolded. It began when he received a message via Telegram from someone he believed to be Alex Lin, a professional acquaintance. Lin suggested they catch up, and Farooq responded by sharing his Calendly link to schedule a meeting.
The following day, shortly before the scheduled call, “Lin” messaged again requesting to switch to Zoom Business, citing compliance reasons and mentioning that a mutual connection named Kent would also be joining.
The Zoom call appeared legitimate, with both other participants on video—though no audio. In the chat, they claimed to be experiencing technical issues and urged Farooq to update his Zoom client. Moments after he downloaded and installed the supposed update, six of his cryptocurrency wallets were drained.
Only later did Farooq realize Lin’s account had been compromised. The phishing scheme was ultimately linked to Lazarus, a notorious North Korean state-sponsored hacking group known for targeting crypto industry figures.
“It was surreal and completely violating. But in the darkest moment, whitehat hackers stepped up — complete strangers offering help when I was at my lowest. Turns out I was compromised by DPRK affiliated threat known as dangerouspassword.”
The phishing attack that drained former Animoca executive Mehdi Farooq’s crypto wallets closely mirrors a recent attempt on Manta Network co-founder Kenny Li, who narrowly escaped a similar outcome. Li shared that attackers impersonated familiar contacts during a Zoom call, used deepfake-style video feeds, and pushed for a suspicious Zoom update. Sensing something was off, Li suggested switching to a different communication platform — prompting the attackers to abruptly block him and delete all messages.
According to security analysts, this method — where hackers impersonate trusted individuals, simulate technical issues, and distribute malware disguised as Zoom updates — is a signature tactic of the North Korean state-sponsored Lazarus Group. The technique has been used multiple times to steal millions in cryptocurrency.
The threat is not isolated. Founders from Mon Protocol, Stably, and Devdock AI have all reported facing similar phishing schemes, underscoring the increasingly targeted and widespread nature of these attacks within the crypto industry.
Security researcher Nick Bax of the Security Alliance analyzed this growing threat in a detailed post on X dated March 11.

