
DPRK's Dangerous Password and How to Avoid Their Tactics

Oct 9, 2025 | 5 min read

North Korea’s “DangerousPassword” hackers stole $185M in 2025 using fake VC calls and malware; zeroShadow warns and shares defense steps.

Logos of Zoom, Google Meet, and Microsoft Teams with red exclamation marks, overlaid on a dark background featuring an ominous network node, representing video conferencing hacks.

If you track crypto-focused threat actors, you’ve likely seen headlines about large heists linked to the North Korea-linked group DangerousPassword. There have been at least 17 successful thefts associated with DangerousPassword since the start of 2025. In the ever-changing world of crypto, it's important to understand how this group operates. In this article we will discuss their tactics, their financial motives, and how they conduct these attacks.

Who is DangerousPassword?

With origins as early as 2018, the DangerousPassword group is known for highly sophisticated cyber attacks. Often used as an umbrella term, this group is linked to the overarching North Korean Lazarus Group. Their goal is to use malicious links and cyber attacks to obtain financial information, passwords, seed phrases, and in general any secret information they can access. In 2025, DangerousPassword has already stolen $185M USD.

DangerousPassword aliases

SquidSquad, CryptoCore, APT38, Bluenoroff, Alluring Pisces, Leery Turtle, SnatchCrypto, CryptoMimic, UNC1069, Black Alicanto.

X post explaining how fake VC calls exploit audio issues to trick victims into installing malware.

Crypto security analysts have documented this group on X

Who is getting targeted by DangerousPassword?

DangerousPassword usually targets wealthy individuals. They often hold top positions at a company, such as CEO, CFO, or COO. Victims are typically targeted through social engineering and spearphishing emails, LinkedIn messages, or Telegram messages.

In many thefts, DPRK will impersonate Venture Capitalists (VCs), posing as an employee who works at the VC. Initial invitations offer the victim a chance to work together on a new product or solution.

How do they deliver the malware?

The following infographic summarizes the step-by-step process the threat actors typically follow.

Red infographic showing five steps of DPRK phishing attacks via fake video meeting links.

Threat actors will start a dialogue impersonating a member of the C-suite and schedule a meeting on Google Meet, Teams, or Zoom. On all ends the messages appear legitimate, with no alerts raised. However, once the victim clicks the accept link, they are unable to join the call or experience technical issues (audio, video, etc.). Other times there will be a message that the meeting is “restricted”, served from a suspicious domain name (example: 'support[.]internal-meeting[.]site').

When the victim questions what is going on, the threat actor offers solutions such as a step-by-step guide on how to resolve the issue. It is at this point that the threat actor will ask the victim to run code in the command line interface and ultimately deliver the malware to the victim's device. Here are a few stories that highlight this very issue:

Individual victim Spring 2024

We had a chance to speak to a victim who wishes to remain anonymous. The victim described meeting a VP from a venture capital firm in Kuala Lumpur via mutual contacts. They had chatted and met in real life. Then, a few months later, this VP asked for a meeting and sent a Microsoft Teams link for the call (defanged for this article):

hxxps[://]foresight[.]team-meets[.]site/roundtable-talk-with-foresight-team/roomID=3570947&meetingID=0918108

A message appeared saying that there was an issue with their IP/location, and the “VP” sent a link to fix the issue. Soon after following the steps, malware was installed on the device via AppleScript. It turns out that the real VP had been hacked by North Korea, and this victim did not know.

Individual victim Spring 2025

An individual was approached by a known venture capitalist friend on Telegram. It turns out that their friend’s Telegram was previously hacked by North Korea. The attacker, posing as the friend, asked for an urgent meeting and sent a link for the call (defanged for this article):

hxxps[://]reforge.zoom[.]us/j/8308910611?pwd=OwtH7U38fiHuCFjOPso2wCfdKdglxz.1

Once they clicked the meeting link, the individual experienced audio issues and was given repair instructions specific to their location, which the “friend” already knew. The repair instructions downloaded malware, and the individual lost personal funds.

Fake video call screenshot with audio error message prompting user to “Repair” the issue.

However, not all attacks are the same

Sometimes, victims are prompted to download a file named IP_Request.scpt, which contains malware and will likely compromise the victim’s device. Other attacks include inserting malicious code into a file named builder.py inside a Python module used for handling QR codes. These attacks affect all system environments, including Windows, macOS, and even Linux.

The scary fact about DangerousPassword is that this malicious group is always evolving. Though the overall pattern remains the same, it's important to know how they’ve adapted and changed the way they target victims.
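The two case studies above share one shape: a meeting link, then a “fix” that asks the target to run something. The following triage helper is an added example, not zeroShadow's own code; it refangs the invite URL, checks it against an assumed allowlist of real meeting hosts, and separately flags a follow-up message that asks for code execution (the regex list and the allowlist are assumptions to tune per organization).

```python
"""Triage a meeting invite plus its follow-up 'repair' message."""
import re
from urllib.parse import urlparse

# Assumption: hosts that legitimately serve meeting links; extend per org policy.
LEGIT_MEETING_HOSTS = {"meet.google.com", "zoom.us", "teams.microsoft.com"}
MEETING_WORDS = ("meet", "meeting", "zoom", "teams", "roundtable")
# Assumption: no genuine client fix asks the user to download a script or paste commands.
REPAIR_PATTERNS = (r"\bosascript\b", r"\.scpt\b", r"\bcurl\b.*\|\s*(ba)?sh",
                   r"\bpaste\b.*\bterminal\b", r"\brun\b.*\bcommand\b", r"\brepair\b")

def refang(url: str) -> str:
    """Undo defanging such as hxxps[://]foo[.]bar so urlparse can read it."""
    return url.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")

def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for the TLDs seen in this campaign."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify_invite(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a meeting invite URL."""
    host = (urlparse(refang(url)).hostname or "").lower()
    if host in LEGIT_MEETING_HOSTS or registered_domain(host) in LEGIT_MEETING_HOSTS:
        return "trusted"
    # Meeting vocabulary in an untrusted host or path is the lookalike signal.
    if any(w in host for w in MEETING_WORDS) or any(w in url.lower() for w in MEETING_WORDS):
        return "lookalike"
    return "unknown"

def repair_step_flags(message: str) -> list:
    """Return the patterns matched by a 'fix your audio' message that asks for code execution."""
    return [p for p in REPAIR_PATTERNS if re.search(p, message, re.IGNORECASE)]

def triage(url: str, followup: str) -> dict:
    """Combine both signals; a trusted host followed by a code-execution 'fix' is still high risk."""
    verdict = classify_invite(url)
    flags = repair_step_flags(followup)
    risk = "high" if flags or verdict == "lookalike" else "low"
    return {"domain": verdict, "repair_flags": flags, "risk": risk}

if __name__ == "__main__":
    # Constructed follow-up message modelled on the lure described in the article.
    fix_msg = "Audio issue detected for your location. Click Repair and paste the command into Terminal."
    print(triage("hxxps[://]foresight[.]team-meets[.]site/roundtable-talk-with-foresight-team/", fix_msg))
    print(triage("hxxps[://]reforge.zoom[.]us/j/8308910611?pwd=x", fix_msg))
```

The second call is the caveat worth remembering: the Zoom link in the 2025 case resolves to a real zoom.us host and classifies as trusted, so the decisive signal is the “repair” step, not the link.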

If Targeted, what should you do?

If you are targeted, it’s important to remain calm and follow some immediate steps:

File a report

If you find unauthorized transactions or suspicious activity, please file a report as soon as possible.

History, Indicators, and Resources

There have been many posts about DangerousPassword from security analysts. Here is a great blog post by Hunt.io with some indicators you might be dealing with North Korean Threat Actors. Note that these tactics always evolve over time.

Table listing IP addresses and domains used in phishing attacks by DangerousPassword group.

Original article by the zeroShadow team