

On June 25, 2025, David Zhang, co-founder of the stablecoin platform Stably and the public grant protocol dTRINITY, revealed a highly sophisticated phishing attack in a post on X (formerly Twitter).
Unlike traditional phishing that simply lures victims into clicking malicious links, this attack used social engineering techniques that impersonated a trusted contact by hijacking their account. The attacker pushed a fake Zoom meeting and delivered malware disguised as a Zoom installation file. When Zhang hesitated, the attacker insisted on using Zoom and refused alternatives like Google Meet—indicating a well-prepared attack scenario.
This article details the full attack process and demonstrates how Criminal IP was used to trace the phishing domain and identify the associated threat infrastructure, ultimately uncovering the hacking group behind the campaign.
Zoom-themed Phishing with a Fake Meeting Request

The attacker initiated contact by proposing a collaboration between zkVerify and a DeFi protocol, requesting a virtual meeting. On the day of the meeting, they sent a link disguised to look like an official Zoom URL.
However, the link led to a phishing site that automatically downloaded a malicious .pkg file named Zoom.pkg, which mimicked a legitimate Zoom installer. The attacker even rejected the use of Google Meet, persisting with Zoom in line with a carefully scripted social engineering plan.
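The lure described above works because a hostname that merely contains "zoom" reads as official at a glance. The check below is an added example (not tooling from the article or from Criminal IP) that shows the three things a link checker has to get right before trusting a meeting URL: the real connecting host is what comes after any `user@` prefix, an internationalised host must be punycoded before comparison so homoglyph letters cannot pass, and "under an official domain" means an exact match or a dot-separated suffix, never a substring. The allowlisted Zoom domains and every sample URL are assumptions constructed for the demo; the article does not publish the actual phishing URL.

```python
"""Lookalike check for Zoom meeting links (added example, constructed data)."""
from urllib.parse import urlsplit

# Assumed allowlist of registrable domains Zoom serves meeting links from.
OFFICIAL_ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def registrable_host(url: str) -> str:
    """Hostname the browser will actually connect to, lower-cased and punycoded.

    urlsplit() strips any 'user:pass@' prefix, so 'https://zoom.us@evil.example/'
    yields 'evil.example'. IDN labels are encoded to 'xn--' form so Cyrillic
    look-alikes of Latin letters cannot compare equal to the allowlist.
    An empty label (e.g. 'a..b') makes the idna codec raise; treat as no host.
    """
    host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return ""


def is_official_zoom_host(host: str) -> bool:
    """Exact match or dot-separated subdomain of an allowlisted domain.

    The leading dot in the suffix test defeats both 'notzoom.us' (no dot
    before the allowlisted part) and 'zoom.us.evil.example' (wrong suffix).
    """
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_ZOOM_DOMAINS)


def assess_meeting_link(url: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    parts = urlsplit(url.strip())
    host = registrable_host(url)
    findings: list[str] = []
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if not host:
        findings.append("no usable hostname")
        return findings
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}@' hides the real host {host}")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append(f"internationalised label in {host}; check for homoglyphs")
    official = is_official_zoom_host(host)
    if not official:
        findings.append(f"host {host} is not under an official Zoom domain")
        if "zoom" in host:
            findings.append("host only contains the string 'zoom' (lookalike)")
    filename = parts.path.rsplit("/", 1)[-1]
    if filename.lower().endswith((".pkg", ".dmg", ".exe", ".msi")) and not official:
        findings.append(f"installer {filename} served from a non-Zoom host")
    return findings


if __name__ == "__main__":
    # Constructed sample links, not the URL used in the incident.
    for sample in (
        "https://us02web.zoom.us/j/1234567890",
        "https://zoom.us.meeting-invite.example/download/Zoom.pkg",
        "https://zoom.us@meeting-invite.example/join",
        "https://zооm.us/j/1",  # two Cyrillic 'о' characters
    ):
        print(sample, "->", assess_meeting_link(sample) or "ok")
```

The same allowlist approach applies to any vendor whose installer is delivered out of band; the point is that the decision is made on the normalised connecting host, not on what the string looks like.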
Threat Infrastructure Analysis Using Criminal IP

Using Criminal IP Domain Search, we examined the domain embedded in the phishing link. It was anonymously registered on May 14, 2025, and hosted through HOSTWINDS.
The associated IP address was identified as 23.254.247.XX.

A follow-up investigation via Criminal IP Asset Search revealed that this IP address is part of an infrastructure used by Lazarus, a North Korean state-sponsored hacker group, and its sub-group Bluenoroff.
Given that the target was an executive in the cryptocurrency space, Bluenoroff—which is known for financially motivated cyberattacks—is probably behind the incident.
| Hacking Group | Description |
|---|---|
| Lazarus | North Korean state-sponsored APT group conducting cyberattacks for political, military, and economic objectives. |
| Bluenoroff | A sub-group of Lazarus focused on cryptocurrency theft and other financially motivated operations. |

The IP address had RDP (port 3389) open, and further analysis of its SSL certificate data via Criminal IP uncovered additional malicious infrastructure associated with the attacker.

By searching for “Bluenoroff” in Criminal IP Hacking Group Search, users can access a centralized dashboard that includes detection dates, related news articles, targeted countries, and other aggregated intelligence on the group’s activities.
FAQ
1. How can you determine if a phishing domain is linked to a known hacker group?
Criminal IP analyzes metadata and threat infrastructure from billions of global assets (IPs, domains, etc.). By correlating domain usage patterns, connected IP addresses, SSL certificates, and historical malicious activity, Criminal IP can automatically associate domains with known threat actors. Even a single domain can yield strong indicators when contextual infrastructure is included.
2. Can you identify the hacker solely based on a domain?
Not conclusively. A single domain only narrows the field; Criminal IP raises confidence by combining multiple indicators (IP history, hosting provider, open ports, and SSL certificate data) into an infrastructure pattern that can then be matched against the known behavior of APT groups. The more independent indicators that line up, the stronger the attribution.
Conclusion
This case demonstrates a highly targeted social engineering attack that goes beyond conventional phishing emails. The attacker mimicked trusted contacts and used tailored scenarios to deliver malware. Yet, even a single phishing link, when investigated using Criminal IP, can reveal the attacker’s identity and infrastructure—by analyzing domains, IPs, and SSL certificates. This incident reinforces the importance of threat intelligence-driven detection and analysis in defending against advanced cyber threats.
In relation to this, please refer to Kimsuky Hackers Create Phishing Site Mimicking Korea University: Are They Targeting Entire Research Institutions?
Sources: Criminal IP (https://www.criminalip.io/), David Zhang (https://x.com/dazhengzhang)