
THORChain Co-Founder Loses $1.35 Million in North Korean Telegram Phishing Attack

The cryptocurrency community is reeling after THORChain co-founder JP lost $1.35 million from a personal wallet on September 9, 2025, falling victim to a sophisticated phishing attack linked to North Korean operatives. The incident, first reported by blockchain investigator ZachXBT on September 12, exposes the growing threat of state-sponsored cybercrime targeting even the most experienced figures in decentralized finance.

The attack began when a compromised Telegram account sent JP a convincing message designed to appear as a legitimate business inquiry. The threat actor, believed to be affiliated with North Korean hacking groups that have increasingly targeted the crypto sector throughout 2025, employed deepfake technology to enhance the credibility of their social engineering approach. JP, who had recently retrieved an old MetaMask wallet containing the funds, authorized a transaction that drained the entire balance within minutes.

The Exploit Mechanics

The attack vector represents a significant evolution in cryptocurrency-targeted social engineering. Rather than deploying malicious smart contracts or exploiting protocol vulnerabilities, the attackers focused entirely on human manipulation. They first gained access to a trusted contact’s Telegram account, then used that compromised identity to approach JP with what appeared to be a routine DeFi discussion. The deepfake elements made the interaction feel authentic, as the attacker could reference real conversations and shared contexts.

Once JP engaged, the attacker directed him to connect his wallet to a fraudulent interface. The malicious site, hosted on a domain designed to closely mimic a legitimate DeFi platform, prompted a wallet signature request. What appeared to be a standard token approval was actually a transaction granting the attacker full spending access to JP’s wallet. The $1.35 million in various cryptocurrencies was transferred out in a matter of minutes, moving through a series of intermediary wallets designed to obscure the trail.
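The approval trick described above is visible in the raw calldata of the signature request if anyone decodes it before signing. The following is an added example, not code from the article, THORChain or MetaMask: a dependency-free decoder for ERC-20 `approve` and ERC-721/1155 `setApprovalForAll` calldata that flags an unlimited allowance. The spender address and the calldata are constructed placeholders.

```javascript
// Added example, not code from the article or from THORChain/MetaMask: decode an approval
// request *before* signing it and flag the unlimited-allowance pattern the article describes.
// Selectors are the first 4 bytes of keccak256(signature); both are the standard ones.
const SELECTORS = {
  "0x095ea7b3": "approve",           // ERC-20 approve(address spender, uint256 amount)
  "0xa22cb465": "setApprovalForAll", // ERC-721/1155 setApprovalForAll(address operator, bool)
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Read the i-th 32-byte ABI word after the 4-byte selector as a BigInt.
function word(data, i) {
  const hex = data.slice(10 + i * 64, 10 + (i + 1) * 64);
  if (hex.length !== 64) throw new Error("calldata too short for word " + i);
  return BigInt("0x" + hex);
}

// Classify an approval transaction's calldata; anything else is reported as "other".
function classifyApproval(calldata) {
  const data = calldata.toLowerCase();
  const kind = SELECTORS[data.slice(0, 10)];
  if (!kind) return { kind: "other", risk: "unknown" };
  const raw = word(data, 0);
  // An address occupies the low 20 bytes; non-zero high bytes mean a malformed encoding.
  if (raw >> 160n !== 0n) return { kind, risk: "high", reason: "malformed spender word" };
  const spender = "0x" + raw.toString(16).padStart(40, "0");
  if (kind === "setApprovalForAll") {
    const approved = word(data, 1) === 1n;
    return { kind, spender, approved, risk: approved ? "high" : "low",
             reason: approved ? "operator gains control of every token in the collection" : "revocation" };
  }
  const amount = word(data, 1);
  if (amount === 0n) return { kind, spender, amount, risk: "low", reason: "revocation" };
  if (amount === MAX_UINT256)
    return { kind, spender, amount, risk: "high",
             reason: "unlimited allowance: spender can move the full token balance at any time" };
  return { kind, spender, amount, risk: "medium", reason: "bounded allowance" };
}

// Builds sample calldata for the demo (constructed input, not a captured transaction).
function encodeApprove(spender, amount) {
  return "0x095ea7b3" + spender.slice(2).toLowerCase().padStart(64, "0") +
         amount.toString(16).padStart(64, "0");
}

// Constructed example: a "standard-looking" approval that is in fact unlimited.
const FAKE_SPENDER = "0x000000000000000000000000000000000000bEEF"; // placeholder address
console.log(classifyApproval(encodeApprove(FAKE_SPENDER, MAX_UINT256)));
```

The decoded spender and amount are exactly what a hardware wallet screen or a wallet's transaction preview should be showing; a "high" result is the signal to stop and verify the request over a second channel.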

Affected Systems

The primary system affected was JP’s personal MetaMask wallet, which contained a mix of ETH and ERC-20 tokens. While THORChain’s protocol itself was not compromised, the incident highlights how individual wallet security remains the weakest link in the decentralized finance ecosystem. The attack leveraged off-chain communication channels, specifically Telegram, which has become the primary channel for crypto-focused phishing campaigns in 2025.

North Korean hacking groups, including the notorious Lazarus Group, have been linked to over $1.5 billion in cryptocurrency thefts in 2025 alone. Their tactics have shifted from exchange breaches toward targeted phishing of high-net-worth individuals and project founders. The use of deepfake technology represents a troubling escalation, as it allows attackers to impersonate known contacts with a high degree of accuracy.

The Mitigation Strategy

Security researchers recommend several immediate measures for high-value wallet holders. Hardware wallets should be the default for storing significant amounts of cryptocurrency, as they require physical confirmation of transactions and are immune to the type of blind signing that led to JP’s loss. Multi-signature wallets add an additional layer of protection by requiring multiple approvals before funds can move.

For DeFi founders and public figures, limiting the amount of cryptocurrency held in hot wallets connected to messaging platforms is essential. Establishing verified communication protocols, such as confirming transaction requests through a secondary channel before signing, can prevent even the most convincing phishing attempts from succeeding.

Lessons Learned

The THORChain incident serves as a stark reminder that technical expertise does not confer immunity to social engineering attacks. JP, as a co-founder of one of the most technically sophisticated cross-chain protocols in the space, was targeted precisely because his public profile made him identifiable as a high-value target. The attack’s success demonstrates that the human element remains the most exploitable vulnerability in cryptocurrency security.

The speed at which the funds were moved underscores the irreversible nature of blockchain transactions. Unlike traditional banking, where fraudulent transfers can sometimes be reversed, cryptocurrency transactions are final once confirmed. This makes prevention, rather than recovery, the only viable strategy.

User Action Required

All cryptocurrency users should take this incident as a catalyst to review their security practices. Migrate funds from hot wallets to hardware wallets, enable all available security features on messaging accounts, and never sign transactions prompted through unsolicited messages. Project founders should consider employing dedicated security personnel to manage communication verification protocols. As North Korean hacking groups continue to refine their tactics, the crypto community must match that sophistication with equally advanced defensive measures.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making security decisions.


7 thoughts on “THORChain Co-Founder Loses $1.35 Million in North Korean Telegram Phishing Attack”

  1. ZachXBT catching another one. The on-chain tracking community is doing more for crypto security than most institutional compliance teams.

    1. chain_forensics

      on-chain investigators doing more for security than most institutional compliance teams says everything about where the industry is at

      1. chain forensics investigators do more than compliance teams because they actually follow the money. compliance just fills out forms

  2. Co-founder of a major DeFi protocol getting phished for $1.35M via a fake Telegram message. If it can happen to them, it can happen to anyone.

    1. old MetaMask wallet retrieved and drained within minutes. the lesson is clear: if you recover an old wallet, move everything to a fresh address immediately

  3. Deepfake + compromised Telegram + fraudulent DeFi interface. Three layers of social engineering. These aren't script kiddies anymore, this is state-sponsored tradecraft.

    1. wallet forensics nailed it. three layers: deepfake + compromised Telegram + fake DeFi UI. NK groups are running full spectrum social engineering operations now
