Christina Lekati

#SocialEngineering, #Psychology, & #OSINT intertwined for the sake of security. Exec Board Member @osintcurious

TL;DR North Korean-linked threat actors pulled off a $285M heist against crypto exchange Drift using IN-PERSON social engineering. They deployed proxies to global conferences to befriend Drift contributors, spent 6 months building a relationship as customers, and even deposited $1M of their own funds to prove they were legitimate.

✨️✨️✨️

Here is what happened:

🔹 Starting in the fall of 2025, a group of individuals (later linked to North Korea) started attending international crypto conferences, with a goal in mind. These proxies were technically fluent, had fully constructed professional identities, with employment histories, and looked nothing like a North Korean.

🔹 This group, posing as employees of a quantitative trading firm, first *approached specific Drift contributors at a major crypto conference face-to-face*. They wanted to discuss integrating with the platform.

🔹 After the initial discussions, they moved their conversations to Telegram, where they spent months discussing legitimate trading strategies.

🔹 "What a pleasant coincidence running into you again!"

Over the next 6 months, the attackers deliberately sought out these same contributors at multiple global conferences. They wanted to continue building trust and credibility.

🔹 Dec. 2025 - Jan. 2026: To checkmate the game, the group onboarded an Ecosystem Vault on Drift. They engaged with the Drift contributors in working sessions, asked relevant & informed questions and eventually, they *deposited over $1 million of their own funds into the protocol*.

🔹 (excerpt from Drift's Incident Update): "Integration conversations continued through February & March 2026. (...) By this point, the relationship was nearly half a year old. *These were not strangers; they were people Drift contributors had worked with and met in person.* (...) Links were shared for projects, tools, and apps they claimed to be building"

🔹 *A relationship had been established; contributors didn't think twice when collaborating digitally.* Drift presumes there may have been multiple technical attack vectors: One contributor may have been compromised after cloning a code repository shared by the group as part of efforts to deploy a frontend for their vault. A second contributor was persuaded into downloading a wallet product via Apple's TestFlight to beta test the app.

On April 1, 2026, as the $285 million was drained, the attackers scrubbed their Telegram chats and vanished.

(Full Incident Background Update from Drift is on X.)

If you think AI and deepfakes are THE name of the game in "sophisticated" social engineering attacks, think again. AI-generated deepfakes are often just one step (a final blow) in a larger social engineering kill-chain.

In this week's social engineering case, we see a layered intrusion involving a compromised Telegram account, a fake Zoom meeting, a ClickFix-style infection vector and, as a last step, an AI-generated video.

What happened?

🔸 The threat actor initiates contact with a specific victim via Telegram, using a legitimate but compromised account of an executive, to leverage existing trust.

🔸 After building rapport through industry-specific conversation, the actor invites the victim to a call, and sends a Calendly link to schedule it.

🔸 The Calendly link redirects to a spoofed Zoom meeting hosted on the threat actor's infrastructure: zoom[.]uswe05[.]us
This is the first obvious red flag that *could* have been spotted.
But, when a threat actor takes the time to build trust with a target first, the trust-transference mechanism kicks in. And then, the little red flags that follow tend to get overlooked. As they did.
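The spoofed meeting domain above is the kind of red flag a simple link check can surface before a call is joined. The following Python is an added example (not from the post or the Mandiant report): it refangs a defanged indicator, extracts the registrable domain, and flags any link whose hostname carries a brand name (zoom, calendly) without actually being that brand's domain. The allowlist and the sample chat links are constructed assumptions.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains that legitimately serve each brand.
# This is an assumption for the example; replace it with your own inventory.
LEGIT_DOMAINS = {
    "zoom": {"zoom.us", "zoom.com"},
    "calendly": {"calendly.com"},
}

# Constructed sample: the indicator quoted in the post plus two benign links.
SAMPLE_LINKS = [
    "zoom[.]uswe05[.]us/j/123",
    "https://us02web.zoom.us/j/123",
    "https://calendly.com/alice/30min",
]


def refang(url: str) -> str:
    """Turn a defanged indicator such as zoom[.]uswe05[.]us into a parseable URL."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    return url if "://" in url else "https://" + url


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction: the last two labels.
    Adequate for .us/.com; use a public-suffix list for ccTLDs like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(url: str) -> Optional[str]:
    """Return the brand a hostname imitates, or None when the registrable domain
    really belongs to that brand. A brand name present only as a subdomain
    label (zoom.uswe05.us) is exactly the red flag this check looks for."""
    host = urlsplit(refang(url)).hostname or ""
    reg = registrable_domain(host)
    labels = host.lower().split(".")
    for brand, domains in LEGIT_DOMAINS.items():
        if reg in domains:
            return None  # genuine brand domain, whatever the subdomain
        if any(brand in label for label in labels):
            return brand  # brand string present, but on someone else's domain
    return None


def flagged_links(urls: List[str]) -> List[Tuple[str, str]]:
    """Return (link, imitated brand) for every suspicious link in a chat export."""
    return [(u, b) for u in urls for b in [lookalike_brand(u)] if b]
```

The substring match is deliberately loose (it would also flag "zoomy.example"), which is the right trade-off for a pre-call triage step where a human reviews the hits.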

🔸 The call begins. The victim sees the video of a CEO from another company. Or, purportedly, their deepfake version.

🔸 And then hey, "the audio is broken!" If only that could quickly get fixed... there are only 20 minutes left in the call.
This is where the ClickFix-style social engineering begins. The threat actor directs the victim to run troubleshooting commands on their system to fix the issue.

🔸 Embedded within the string of commands is a single command that initiates a multi-stage infection chain, ultimately deploying 7 distinct malware families (described in the report).

"Proven play? Replay".
This is not a one-time hit. Mandiant has observed UNC1069 using these techniques to target both corporate entities and individuals within the cryptocurrency industry, as well as venture capital firms and their employees or executives. The list will expand.

Sophisticated social engineering attacks remain the ones that contain multiple elaborate steps that eventually build on each other to make the scheme work.

Full report:
https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

#socialengineering #deepfakes #infosec #threatintelligence


Our "Fundamentals of Cyber Investigations and Human Intelligence" class is returning this spring to Black Hat Asia in Singapore! 🎉

Join Samuel Lolagar and me on the 21st & 22nd of April for two days full of learning, hands-on exercises, real life case studies and the latest developments in #OSINT #SOCMINT and #HUMINT.

You will learn how to conduct an in-depth digital investigation on a subject, discover new leads, uncover and utilize all the evidence that is hiding in plain sight (and beyond) and conduct virtual HUMINT in an uncomplicated, step-by-step process.
We have seen firsthand the power of these techniques and we firmly believe in the effectiveness of combining these complementary intelligence disciplines.

We are looking forward to passing these skills on to our new group of attendees.
Hope to see you there!

P.S. There will be a class challenge, and a reward :)

Training details & registration: https://blackhat.com/asia-26/training/schedule/?track[]=human

#BlackHatAsia #BHAsia #OSINT #opensourceintelligence #humanintelligence #socialengineering

Berlin was faced with a 2nd arson attack on its power grid within a few months, again leaving thousands of households without power for days. During this incident, several systems were damaged simultaneously, rendering any backup systems ineffective.
An attack like this requires planning, and it starts from reconnaissance.

How did the attackers know to set fire on one specific bridge that contained five high-voltage and ten medium-voltage cables, causing a major power outage in the area?
Can someone find sufficient information on a city's power grid infrastructure available on the internet?
Yes, they can. With more detail than there should be.

This is where platforms like the Open Infrastructure Map ("OpenInfraMap") enter the game.
OpenInfraMap (https://openinframap.org/) is an open-source web platform that provides a layered, detailed visualization of global infrastructure data like power, telecom, oil and gas networks, water infrastructure and major rail power systems infrastructure (the data is crowdsourced from OpenStreetMap).

Don't think that searching this map needs to take time: by using Overpass Turbo (also with the help of any LLM it is compatible with) one can significantly trim the search time and concentrate their research through queries.

Looking at the OpenInfraMap data in combination with satellite imagery, it is easy to see why this point of attack was chosen: all the 110 kilovolt high-voltage lines that supply southwest Berlin converge into a single cable bridge that is overground, accessible, near a sparsely populated area, with plenty of hiding spaces (trees, etc.).

The Google street view imagery provides some extra help in reviewing some of the physical security and the surrounding area in preparation of a better plan.

The OpenInfraMap in combination with Google maps is just one simple example of potential adversarial OSINT. There is more publicly available information and databases that can be researched, found, and used in similar acts of sabotage (or worse, given the geopolitical state we are currently in).

It is scarily easy for saboteurs or other attackers to find vulnerabilities in critical infrastructure, free & available online, and to focus on the locations/points where an attack could have the maximum impact.
This incident has not been an isolated event.

What can be done? If you work on securing a critical infrastructure entity:

🔹 Run your own OSINT analysis to identify vulnerabilities in advance. Know your level of exposure.

Control what you can:
🔹 Where possible, ask platforms to add blur or remove certain imagery. Aim for less detail in what can be visible, even through crowdsourced images.

🔹 Prioritize based on risk and take practical steps to implement better security measures on those vulnerable, identified spots before an adversary exploits them.

#OSINT #BerlinBlackout

3 resources / 1 post

OpenAI has released a new report outlining the ways in which threat actors used their generative AI products to support their social engineering attack operations. They provide the case studies.

https://openai.com/global-affairs/disrupting-malicious-uses-of-ai-june-2025/

Why is this useful?

🔹 The operations described in the report help give us a better understanding of how threat actors are *realistically* trying to abuse GenAI models. No guesses, no fancy assumptions, just the observed TTPs.

🔹 I know that some of you in my network (and some of our clients) had to deal with the attacks documented. This will hit home.

🔹 Ultimately, we can use this report to help us further improve our defense strategies with reality in mind.

🔹 In the comments, you will find 2 additional reports (from Anthropic & Google) on how GenAI has been used in social engineering attacks. They provide a more holistic understanding on how these tools are being used by adversaries.

---------

2 additional reports on how GenAI has been used in social engineering attacks. They provide a more holistic understanding on how these tools are being used by adversaries:

Report by Anthropic (Claude): https://www.anthropic.com/news/detecting-and-countering-malicious-uses-of-claude-march-2025

Report by Google (government-backed threat actor use of the Gemini): https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai

Happy news!! This September at BruCon we will be taking a deep dive into #socialengineering and #OSINT through a 3-day, hands-on training class!
I SO look forward to it and to meeting the participants!! 🤩👩🏻‍💻

Full class content & details:
https://www.brucon.org/training-details/social-engineering-open-source

In January, I wrote about a vast China-based cloud CDN called Funnull that catered to cybercriminals in China and Russia seeking to route their traffic through US-based Cloud providers, particularly Microsoft and Amazon.

https://krebsonsecurity.com/2025/01/infrastructure-laundering-blending-in-with-the-cloud/

I did not expect this, or so quickly, but it looks like Treasury just sanctioned Funnull, calling it a major scam distributor.

https://home.treasury.gov/news/press-releases/sb0149

January's story was based on research by Silent Push, which found a large number of domains hosted via Funnull promoting gambling sites that bear the logo of the Suncity Group, a Chinese entity named in a 2024 UN report (PDF) for laundering millions of dollars for the North Korean Lazarus Group.

In 2023, Suncity’s CEO was sentenced to 18 years in prison on charges of fraud, illegal gambling, and “triad offenses,” i.e. working with Chinese transnational organized crime syndicates. Suncity is alleged to have built an underground banking system that laundered billions of dollars for criminals.

The rise of Agentic AI has opened new frontiers for adversaries looking to automate and scale social engineering attacks. We are entering a phase where Agentic AI systems will be able to act autonomously, make decisions, adapt based on feedback, and complete goal-oriented operations with minimal human intervention.

I wrote an article explaining what Agentic AI really is, and how it can shape the future of social engineering attacks. ⬇️

https://christina-lekati.medium.com/when-ai-goes-rogue-how-agentic-ai-will-reshape-social-engineering-attacks-b795838c1aaa

#AgenticAI #SocialEngineering #cybersecurity


Surprise! Really excited to announce that the next "Social Engineering & Open-source Intelligence for Security Teams" open class will be happening at x33fcon in Gdynia, Poland!!

This is an intensive, 2-day training. We will cover:

🔹 Timeless Social Engineering Attack Scenarios: The tricks that keep working (and why).

🔹 The Psychology behind social engineering (we will go well beyond influence tactics!!)

🔹 Hybrid & advanced attack techniques that combine multiple attack verticals.

🔹 The use of AI in all phases of the social engineering kill-chain.

🔹 OSINT: How to conduct reconnaissance on a target (business / person) and what to look for.

🔹 Highly practical open-source intelligence (OSINT) tools & techniques that facilitate attack scenarios.

🔹 Blue Team Countermeasures: How to disrupt social engineering attacks & create a defense strategy.

...but there will also be some surprises 🤫 ✨ ✨

If you're attending #x33fcon this year I look forward to seeing you there!

Class Details & Registration: https://www.x33fcon.com/?fbclid=IwAR2B-2KwiZ3dJeKl-#!t/SE_OSINT.md

#SocialEngineering #OSINT #x33fcon #RedTeam #BlueTeam


If you are using HUMINT techniques in your cyber threat intelligence process, this is a talk worth watching!
Eliska and Julien do a very good job in breaking down some important concepts including the risks, benefits and analytical aspects of using HUMINT tactics in a CTI workflow and provide some of their own experiences in an easy to understand way.

As a side note, HUMINT in CTI is not meant to replace the technical analysis, but to complement it. It is meant to fill in some gaps with intel that cannot be found through a technical analysis or other passive intelligence collection disciplines. That may include a threat actor's motives, future targets, skill/group developments, future plans, etc.

Happy watching!

https://youtu.be/o1TTO5d1DXQ?si=ScY3uyG63ixNl2Zs

It's so overt it's covert: leveraging classic HUMINT tactics in CTI investigations