North Korean Hackers Suspected in Zoom Attack on Manta Executive

Manta Network co-founder Kenny Li revealed he was almost tricked into downloading malware during a fake Zoom call.

The call featured a seemingly real video of people he knows, and he suspects the attack was linked to North Korea’s Lazarus Group. Developers are also being targeted by another North Korean group through fake job offers and malware-laced coding tests hosted on GitHub. Meanwhile, Ethereum Name Service founder Nick Johnson warned about a highly convincing phishing email campaign impersonating Google, which uses Google Sites and DKIM-authenticated alerts to harvest user credentials. 

Manta Exec Targeted in Zoom Scam

Manta Network co-founder Kenny Li revealed he was the target of an advanced phishing attack that used a realistic Zoom call and live recordings of familiar people to lure him into downloading malware. In an April 17 post on X, Li shared more details about the incident, and said that everything about the Zoom meeting appeared authentic, including the video feed of someone he knew, but the audio was missing and a suspicious prompt appeared urging him to update Zoom by downloading a script file. This immediately raised alarm bells, which pushed him to exit the call.

After the Zoom session, Li tried to verify the person's identity via a Telegram call, but the impersonator refused, deleted all previous messages, and blocked him. He later shared screenshots of the interaction, which included a suggestion from him to move the meeting to Google Meet, which the attacker ignored. Li suspects the North Korean state-sponsored Lazarus Group was behind the attempted attack and believes that the real person's account was compromised.

In an interview, Li placed a lot of emphasis on the fact that the video footage seemed genuine, not AI-generated, and resembled standard webcam quality. He believes the attackers used old recordings of actual team members to simulate a live call.

The Manta executive warned others in the crypto space to be especially cautious of any unexpected requests to download files, and described these kinds of prompts as a major red flag. He also warned people about just how emotionally manipulative and mentally taxing these attacks can be, particularly for busy executives who are used to spontaneous calls and messages.

Other people in the crypto community reported experiencing similar scams. A member of ContributionDAO recounted how attackers tried to force a Zoom installation via a custom link, claiming it was a business-only version, and declined to switch platforms when asked to use Google Meet. Additionally, crypto researcher “Meekdonald” shared that someone close to them fell for an identical scam that Li narrowly escaped.

North Korean Hackers Target Crypto Devs

The North Korean hackers linked to the $1.4 billion Bybit exploit are now also reportedly targeting cryptocurrency developers through a deceptive recruitment campaign involving fake coding tests that are embedded with malware. According to cybersecurity outlet The Hacker News, developers are being approached by people posing as recruiters, primarily through LinkedIn. These imposters offer enticing job opportunities and eventually send over a GitHub-hosted document that contains a supposed coding assignment. Once opened, the file installs stealer malware capable of compromising the developer’s device and gaining access to sensitive information.

[Image: example (source: Hacker News)]

The malicious campaign is attributed to the North Korean state-backed hacking group known as Slow Pisces, which is also referred to as Jade Sleet, Pukchong, TraderTraitor, and UNC4899. The primary goal of these attackers seems to be stealing credentials, SSH keys, iCloud Keychain contents, wallet access, API keys, and cloud configurations. The stolen material is then used to breach the employer's infrastructure and identify vulnerabilities for future exploits.

Security experts, including Hakan Unal of Cyvers and Luis Lubeck of Hacken, explained how these attackers build credible profiles on professional platforms like LinkedIn, and sometimes extend their activities to freelance platforms like Upwork and Fiverr. The scammers often present themselves as clients or hiring managers offering lucrative roles, especially in DeFi or Web3 security, to make the offers seem legitimate.

[Image: example (source: Hacker News)]

Hayato Shigekawa from Chainalysis pointed out that hackers even go as far as creating realistic resumes and employee personas to trick developers. Their ultimate objective is to gain a foothold in the target company through compromised developer credentials. Once inside, they conduct reconnaissance to identify and exploit weaknesses in the system.

Cybersecurity professionals warned that developers should be extremely cautious when receiving unsolicited job offers or assignments. Yehor Rudytsia from Hacken stressed that attackers are evolving, and are using both psychological and technical tactics to bypass defenses. 

To minimize risks, developers are advised to use virtual machines and sandboxes for testing unknown code, verify the legitimacy of job offers through official channels, and avoid running or installing unverified code. Storing sensitive information securely and using robust endpoint protection can also serve as critical lines of defense. 
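As an added example to pair with the sandboxing advice above (not code from the article or from any of the firms quoted), the following Python script lists what a cloned "coding assignment" would run automatically before any install step is executed. The file names, npm hooks and regular expression are assumed heuristics, and the sample project it audits is constructed and inert.

```python
"""Pre-run audit of an unsolicited "coding assignment" repository.
Added example, not from the article or any named vendor: before opening an
untrusted project or running its install step, list everything that would
execute code automatically. Names and patterns are assumed heuristics."""
import json
import os
import re
import tempfile
from pathlib import Path

# Files whose presence lets code run on install or when a folder is opened.
AUTO_EXEC_FILES = ("setup.py", "Makefile", ".npmrc", ".vscode/tasks.json")
# npm lifecycle hooks that run during `npm install` with no explicit command.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Loader shapes: piped downloads, dynamic eval, base64 decoding (heuristic).
SUSPECT_RE = re.compile(
    r"(?:curl|wget)\b[^\n|]*\|\s*(?:sh|bash|python)|\beval\(|new Function\(|atob\(|b64decode\(")

def audit_repo(root: str) -> list[str]:
    """Return findings for the checked-out project under ``root``."""
    base, findings = Path(root), []
    for rel in AUTO_EXEC_FILES:
        if (base / rel).exists():
            findings.append(f"auto-executing file present: {rel}")
    pkg = base / "package.json"
    if pkg.is_file():
        try:
            scripts = json.loads(pkg.read_text(errors="ignore")).get("scripts") or {}
        except (ValueError, AttributeError):
            scripts = {}
        if isinstance(scripts, dict):
            for hook in sorted(NPM_HOOKS & set(scripts)):
                findings.append(f"npm hook {hook}: {scripts[hook]}")
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix in {".js", ".ts", ".py", ".sh", ".json"}:
                for m in SUSPECT_RE.finditer(path.read_text(errors="ignore")):
                    findings.append(f"{path.relative_to(base)}: {m.group(0)[:60]}")
    return findings

def demo() -> list[str]:
    """Audit a constructed, inert sample project written to a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "package.json").write_text(json.dumps(
            {"name": "assignment", "scripts": {"postinstall": "node init.js"}}))
        # Constructed loader shape; 'aW5lcnQ=' decodes to 'inert' and nothing runs.
        Path(tmp, "init.js").write_text("eval(atob('aW5lcnQ='));\n")
        Path(tmp, "main.js").write_text("console.log('solve the task here');\n")
        return audit_repo(tmp)
```

Run `audit_repo` against the clone before `npm install` or opening it in an IDE; anything it lists deserves a read inside the disposable VM, not on the workstation.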

Fake Google Alerts Trick Users

Nick Johnson, the founder and lead developer of Ethereum Name Service (ENS), also recently issued a warning about an extremely sophisticated phishing attack that impersonates Google and tricks users into revealing their login credentials. 

In an April 16 post on X, Johnson explained that the attack sends a fake security alert, claiming the user’s Google data is being shared with law enforcement due to a subpoena. The phishing email looks highly convincing, passing Google's DKIM signature check and showing up in Gmail alongside legitimate security alerts without any warning indicators.

The scam lures users into clicking a link to “view case materials” or protest the data request. The link leads to a Google Sites page—hosted on a Google subdomain—which increases its credibility. Johnson explained that while he didn’t follow the process all the way through, the goal is likely to harvest login credentials and compromise the user’s account.

Though the use of Google’s domain name adds legitimacy to the scam, there are still some red flags, like the email being forwarded from a private address. According to a recent report by software firm EasyDMARC, the attack exploits Google Sites and the OAuth app infrastructure, allowing scammers to craft emails that seem to come from a genuine “no-reply@google” address while masking the true reply address.

[Image: the phishing email (source: X)]

Because DKIM verifies only the signed message body and headers, not the SMTP envelope, a genuinely signed Google message can be forwarded or relayed from another address and still pass Gmail's validation checks, appearing as an authentic message. According to Johnson, this loophole allows phishing emails to be threaded into conversations with real Google alerts, making detection even more difficult.
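As an added example (not part of the article or of Gmail's own checks), the following Python compares the envelope-side identities the article points to, Return-Path, Reply-To and the SPF-authenticated sender, against the From domain of a DKIM-signed alert. The header samples are constructed, the domain names in them are placeholders, and the signature fields are dummies.

```python
"""Alignment check for DKIM-signed alerts that arrive through a third party.
Added example, not from the article or from Gmail. Header samples are
constructed to mirror the pattern described: valid google.com DKIM signature
and From, with the envelope sender and Reply-To pointing elsewhere."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample; bh=/b= are placeholders, not a real signature.
SUSPECT = b"""\
Return-Path: <bounce@forwarder.example>
Authentication-Results: mx.example; dkim=pass header.d=accounts.google.com;
 spf=pass smtp.mailfrom=forwarder.example
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=sel1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
Reply-To: case-desk@lookalike.example
To: user@example.org
Subject: Security alert

Your data is being requested under a subpoena. View case materials.
"""
# The same message as it would look when sent directly by the signer.
CLEAN = SUSPECT.replace(b"forwarder.example", b"google.com").replace(
    b"Reply-To: case-desk@lookalike.example\n", b"")


def _domain(value: str) -> str:
    """Lower-cased domain of an address header value ('' if none)."""
    return parseaddr(value)[1].rpartition("@")[2].lower()


def _aligned(a: str, b: str) -> bool:
    """Relaxed alignment as in DMARC: equal, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def alignment_findings(raw: bytes) -> list[str]:
    """One finding per envelope-side identity that does not align with From.
    A DKIM pass shows the signed headers and body are intact, not that the
    message came from the signer, so those identities are checked separately."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = _domain(str(msg["From"] or ""))
    checks = {"Return-Path": _domain(str(msg["Return-Path"] or "")),
              "Reply-To": _domain(str(msg["Reply-To"] or ""))}
    m = re.search(r"smtp\.mailfrom=([^;\s]+)", str(msg["Authentication-Results"] or ""))
    checks["SPF smtp.mailfrom"] = m.group(1).lower() if m else ""
    return [f"{k} domain {d!r} does not align with From {from_dom!r}"
            for k, d in checks.items() if d and not _aligned(d, from_dom)]
```

A message that passes DKIM but fails this alignment is exactly the "forwarded from a private address" case above; the same check is what DMARC applies to the SPF and DKIM identifiers, so it complements rather than replaces the provider's filtering.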

Google acknowledged the threat and confirmed that it is working on countermeasures. A spokesperson said that the company is shutting down the mechanism allowing the inclusion of arbitrary-length text in the message, which will prevent the current form of the attack. Google also identified the threat actor behind the campaign as "Rockfoils" and said that protective measures were rolled out over the past week, with full deployment expected soon.