Particle.news

Deepfake Video Call Steals $1.3 Million From THORChain Co-Founder

A merged call impersonating a friend let thieves leverage iCloud Keychain access to drain a forgotten MetaMask wallet.

Overview

  • Attackers first compromised a contact’s Telegram account and sent an official-looking Zoom link that displayed a convincing deepfake during a brief call.
  • A script copied iCloud documents and accessed Keychain data to extract keys from an inactive Chrome profile, with the victim reporting no system prompts and suggesting an unconfirmed zero-day.
  • Roughly $1.3 million to $1.35 million was siphoned, with PeckShield flagging the theft on-chain before investigators and media confirmed the victim’s identity.
  • Vultisig multi-signature wallets were not breached, as one compromised key share was insufficient to move funds.
  • An on-chain message offered a bounty and a 72-hour window for returning assets, and security analysts say the scheme fits a broader pattern tied to North Korea-linked, AI-enabled social engineering.