THORChain Co-Founder’s Wallet Drained $1.35M in DPRK Telegram Scam

THORChain co-founder JP lost $1.35 million from a personal wallet on Sept. 9 after falling victim to a Telegram phishing scam linked to North ￰2￱ attack combined a hacked Telegram account, a deepfake Zoom call, and what he believes was a zero-day ￰3￱ loss joins the list of recent high-profile losses in the crypto ￰4￱ month, billionaire heiress Taylor Thomson lost over $80 million in crypto after investments tied to a psychic. Similarly, earlier this month, a crypto investor lost $3.05M after signing a malicious transaction. $1.2M THORChain Wallet Drained in Telegram Deepfake Scam, Investigators Confirm Blockchain investigator ZachXBT confirmed the incident, stating that JP’s wallet was drained after he joined a fake meeting link shared through ￰5￱ had earlier reported the breach, reporting that approximately $1.2 million had been stolen from a THORChain user’s ￰6￱ wallet likely belongs to @jpthor who had a private wallet compromised due to a fake meeting scam a few days ￰7￱ is one of the people whose has greatly benefited financially from the laundering of DPRK hacks/exploits.

So it’s a bit poetic he got rekt here by ￰8￱ — ZachXBT (@zachxbt) September 12, 2025 Unravelling the stolen funds, JP explained in a post on X that the funds were tied to an old MetaMask account he had ￰9￱ wallet contained staked assets that did not appear on Etherscan, making it easy to overlook. Yes, an old metamask (which I had completely forgotten about) was ￰10￱ had access to my encrypted entire iCloud + ￰11￱ – only the private keys (radioactive) were ￰12￱ wallets were untouched, despite also using iCloud. They're safe -… ￰13￱ — JP (@jpthor) September 12, 2025 JP also explained that the scam began when a friend’s Telegram account was ￰14￱ attackers invited him to a Zoom call, where a deepfake video was used to increase ￰15￱ clicked a link during the call but saw no suspicious prompts or requests for ￰16￱ believes the attackers may have accessed his encrypted iCloud Keychain or a separate Chrome profile on his Mac, where MetaMask keys were stored.

“There was no request for admin passwords or installation,” JP wrote. “It has to be an active or recently patched 0-day.” Ok so this attack finally manifested ￰17￱ an old metamask cleaned out (which I forgot about, it was staking some assets which don’t appear on etherscan unless you use portfolio tracking sites) Summary 1) friend’s hacked telegram account + deep-fake video on zoom 2)… ￰0￱ — JP (@jpthor) September 9, 2025 In a bid to recover the stolen funds, on-chain data flagged by Lookonchain showed a new message sent to the exploiter’s ￰18￱ message, recorded on Etherscan, offered a bounty if the stolen THOR tokens were returned within 72 hours, promising “no legal action” if the hacker complied and provided contact details for the THORSwap team.

Notably, ZachXBT noted that THORChain and its co-founder had previously profited from the laundering of funds tied to DPRK exploits, including hacks on exchanges like Bybit. “It’s a bit poetic he got rekt here by DPRK,” ZachXBT ￰19￱ the lessons learned from the experience, JP emphasized that private keys grow riskier the longer they are stored, urging users not to back them up on iCloud, Google Drive, or similar ￰20￱ also recommended using two-factor authentication on a separate device, such as a burner phone, to reduce ￰21￱ added that threshold signature wallets like Vultisig, which split key shares across multiple devices, represent the next stage of crypto security.

“Attacks are going to only get worse,” JP said. “It can be solved; we just need to upgrade our wallets.” Telegram Scams Surge: $2.2B Lost in 2025 as Malware Attacks Overtake Phishing By the end of June this year, crypto investors had lost $2.2B , mostly from wallet breaches and ￰22￱ Intelligence confirmed that over 1,000 hacks, scams, and DeFi breaches have stolen $22.7B in crypto across 14 years of tracked incidents. Specifically, Scam Sniffer reported that crypto scammers are targeting Telegram, where malware scams have surged 2,000% since November and overtaken traditional ￰23￱ spread malware through bogus verification bots in trading, airdrop, and alpha groups, allowing them to steal passwords, private keys, and wallet data once users execute malicious ￰24￱ the abundance of hacks on Telegram, last year, the United Nations estimated scams , money laundering, and stolen data sales on Telegram generated more than $36.5 billion annually, often through ￰25￱ also promote deepfake tools and malware, with the ￰26￱ linking Huione Group to $98 billion in illicit crypto flows tied partly to North Korea’s Lazarus ￰27￱ shuts down $27 billion Huione crypto scam marketplace but rivals surge 400% volume as criminal networks quickly migrate to successor platforms like Tudou Guarantee. #Telegram #CryptoScam ￰1￱ — ￰28￱ (@cryptonews) June 24, 2025 To curb this, Telegram shut down Huione Guarantee in May 2025, but rival Tudou Guarantee quickly absorbed its users and drove a 400% surge in activity.

Similarly, Telegram shut down thousands of channels tied to Xinbi and Huione Guarantee , which processed over $35 billion in illicit USDT transactions, Elliptic ￰29￱ platforms used encrypted groups to sell money laundering, stolen data, and fake IDs, with Huione linked to Cambodia’s ruling elite.