A co-founder of THORChain had roughly $1.35 million taken from a forgotten MetaMask wallet after attackers used a hacked Telegram account and a fake Zoom meeting to gain access to his stored keys, according to reports. The theft was first flagged on-chain and later confirmed by multiple news outlets and investigators.
THORChain: Multi-Stage Scam
Based on reports, the scheme began when an associate’s Telegram was compromised and a malicious meeting link was circulated. The target joined what appeared to be a legitimate video call, but the feed was fake.
Attackers then exploited access to the victim’s iCloud Keychain and browser profile to extract private keys tied to an old wallet, which was drained of about $1.35 million in crypto.
$1.35M was stolen from a Thorchain cofounder. Yet another reminder: if your keys are stored in a software wallet, you’re only one malicious code execution away from losing everything.
In this case, the victim didn’t even sign a malicious transaction, the malware simply stole the… pic.twitter.com/nLS4nWNFyt
— Charles Guillemet (@P3b7_) September 12, 2025
Investigators And On-Chain Sleuths Chime In
Blockchain investigators quickly traced movements and posted findings on social platforms, with some early on-chain sleuths estimating the visible value at roughly $1.2 million before later reports put the total near $1.35 million.
Analysts flagged links to North Korea–connected actors based on patterns and prior behavior, though attribution in such cases can be complex and takes time to confirm.
#PeckShieldAlert A @thorchain user’s personal wallet was exploited, resulting in a loss of ~$1.2M pic.twitter.com/R385BRHoHu
— PeckShieldAlert (@PeckShieldAlert) September 12, 2025
Security Community Issues Warning
Leaders in the crypto security scene warned the industry to treat remote meeting links and sudden file requests with deep caution.
A senior wallet developer highlighted that storing private keys in software that syncs to cloud services makes a user vulnerable if those cloud accounts are accessed by malware or other exploits. That warning was echoed across developer and security feeds after the theft was disclosed.
THORSwap Offers Bounty To Recover Funds
Reports have disclosed that a related project put up a reward to help recover the stolen funds, and community members began tracking transactions to identify where the assets moved.
Public appeals and bounties have become a common community response when large sums are siphoned off and on-chain tracing points to identifiable wallets.
Wider Pattern Of Deepfake And Zoom Scams
This incident is part of a growing string of attacks that use fake video calls and impersonation to trick targets into running malicious code or revealing credentials.
Major cases elsewhere have cost victims millions, including an earlier story in which deepfakes and fake calls led to a multi-million loss at a corporate level.
Security researchers say criminals are now combining social engineering with AI tools to make scams more convincing.
Featured image from IT Security Guru, chart from TradingView
