Crypto 02 May 2026 Crypto P2P Club 2

Fake Microsoft Teams Calls: How Hackers Are Draining Crypto Wallets

On May 1, 2026, Web3 founder Amy O. Khaldoun shared a chilling experience on LinkedIn: $20,000 was siphoned from her MetaMask wallets following a fake Microsoft Teams interaction [1]. This theft highlights a new generation of social engineering attacks, far more sophisticated than simple, poorly spelled phishing emails.

A Sophisticated and Coordinated Attack

The attack on Amy Khaldoun was anything but amateur. The scammers organized a video call where they appeared on screen, communicating fluently and professionally. They knew exactly how to guide the conversation to build trust.

Even more concerning, the Telegram account of one of the callers (whom Amy's co-founder knew personally) had previously been hacked. The attackers used this hijacked identity as a character reference to lower the victim's guard. Trusting them, she was manipulated into executing a command in her terminal, unknowingly installing a Remote Access Trojan (RAT). Within moments, the attackers took control of her machine and drained her wallets before she even realized what was happening.

BlueNoroff: The Professionals of Crypto Theft

This method perfectly matches the modus operandi of BlueNoroff (also known as Sapphire Sleet), a financially motivated subgroup of the notorious North Korean Lazarus Group. According to a report by Arctic Wolf Labs published in late April 2026, this group is currently conducting a global campaign specifically targeting executives in the Web3 and crypto sectors [2].

Their technique is formidable:

  • They use weaponized Calendly invitations that redirect to "typo-squatted" Zoom or Teams links (URLs that look almost identical to the real ones).
  • They deploy "ClickFix" style attacks that infect the victim's machine in under five minutes.
  • They use stolen videos from these fake calls, combined with artificial intelligence, to create deepfakes and trap future victims [3].
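
A defensive check for the typo-squatted meeting links described above, added here as an example (it is not code from the cited reports or from any vendor tool): it classifies the host of an invitation URL against an allowlist before anyone clicks. The allowlist, the brand list, the edit-distance threshold of 2 and the sample URLs are assumptions to adapt to your own environment.

```python
from urllib.parse import urlsplit

# Assumption: the meeting and scheduling hosts your organisation really uses.
TRUSTED = ("zoom.us", "teams.microsoft.com", "teams.live.com", "calendly.com")
BRANDS = ("zoom", "teams", "microsoft", "calendly")

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url):
    """Return 'trusted', 'lookalike' or 'unknown' for an invitation URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    labels = host.split(".")
    # Punycode labels can hide homoglyphs, so they are never trusted here.
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"
    # Exact host or a genuine subdomain of an allowlisted host.
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    for t in TRUSTED:
        # Compare only the tail of the host, so "us02web.zo0m.us" is caught.
        tail = ".".join(labels[-(t.count(".") + 1):])
        if edit_distance(tail, t) <= 2:
            return "lookalike"
    # Brand name anywhere in the authority, including a "user@" prefix trick.
    if any(brand in parts.netloc.lower() for brand in BRANDS):
        return "lookalike"
    return "unknown"

# Constructed sample links for illustration (not indicators from any report).
SAMPLES = [
    "https://us02web.zoom.us/j/123",
    "https://teams.micros0ft.com/join",
    "https://zoom.us.meeting-join.example/j/1",
    "https://teams.microsoft.com@login.example/x",
]
if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

A "lookalike" result means the link should be verified through another channel before it is opened; "unknown" only means the host resembles nothing on the allowlist.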

How to Protect Your Assets (Hifz al-Mal)

In the vision of the Crypto P2P Club, protecting your wealth (Hifz al-Mal) is an absolute ethical priority. Faced with these threats, caution is no longer enough; impeccable security hygiene is required.

Here are the essential lessons to remember:

  1. Isolate Your Wallets: Never keep your crypto wallets on the computer you use for your daily work or general web browsing.
  2. Use Cold Storage: Limit the exposure of your "hot wallets" (like MetaMask or Sahal Wallet) to the amounts needed for your current transactions. For the rest, use a "cold wallet" (hardware wallet) disconnected from the internet. Both solutions are complementary for maximum security.
  3. Beware of Video Calls: A face on a screen is no longer proof of identity. Deepfakes and pre-recorded videos are commonplace.
  4. Verify Through Another Channel: If a contact asks you for an unusual action (screen sharing, code execution, fund transfer), verify their identity through another secure communication channel.
  5. Never Share Your Screen: Unless you have absolute certainty about the identity of your interlocutor and the security of the platform.

Modern social engineering exploits our trust. By understanding these mechanisms, we can regain control and navigate Web3 in an ethical and secure manner.

Disclaimer: This content is shared for educational purposes and does not constitute financial advice.


References

[1] LinkedIn (2026). Amy O. Khaldoun's post on the $20k theft. https://www.linkedin.com/posts/amykhaldoun_20k-dollars-stolen-from-my-wallets-after-share-7455634750397947904-JHg7

[2] Arctic Wolf Labs (2026). BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector. https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/

[3] Dark Reading (2026). BlueNoroff Turns Victims Into New Attack Lures. https://www.darkreading.com/cyberattacks-data-breaches/bluenoroff-turns-victims-into-new-attack-lures
