Cybercriminals are recruiting teams of professional voice impersonators to target high-level U.S. crypto executives through sophisticated phone-based social engineering attacks, with operatives earning up to $20,000 monthly in what researchers call "vishing" campaigns.

A new report from GK8 by Galaxy reviewed by Decrypt reveals how threat actors have moved beyond traditional phishing emails to build organized criminal enterprises targeting crypto leaders with personalized voice and video campaigns.

The attacks use curated executive datasets, voice impersonation, and professional infrastructure to exploit individuals who safeguard custody infrastructure and private keys—raising the risk of "large-scale crypto theft."

In June, GK8 researchers discovered recruitment posts on restricted underground forums where established threat actors sought experienced "callers" to execute targeted attacks against senior executives at leading U.S. crypto firms.

The posts included sample target lists containing five crypto executives, including senior legal officers, engineers, financial controllers, and CTOs, all with minimum net worths of approximately $500,000.

"We validated the reputation of threat actors on these forums by examining vouches, claims, ratings, the account creation date of the vendor and forum reputation," Tanya Bekker, Head of Research at GK8, told Decrypt when asked how her team confirmed the legitimacy of these operations.

"According to the threat actors, this data comes from fresh compromises," Bekker said about the executive datasets driving these campaigns.

‘Vishing’ campaigns on the rise

Unlike traditional phishing emails, Bekker said modern “vishing” campaigns are "highly targeted and personalized" and focus on "high-value crypto executives and professionals with privileged access."

“They employ voice and video impersonation, deepfake content, and meticulously tailored pretexts based on detailed datasets about the victims,” she said.

Threat actors reportedly deploy Voice over Internet Protocol systems, direct inward dialing numbers, and SMS capabilities to impersonate banks, crypto services, and government agencies.

Forum posts reveal compensation ranging from $15 per 20-minute call to over $20,000 monthly for experienced operatives, according to the report.

"We observe that some operators work on a long-term basis, building organized groups that function like a professional fraud industry," Bekker told Decrypt. "It is a business, and threat actors take their job very seriously."

Bekker said attackers increasingly use "deepfake voices and video" and "Real-time AI-driven attacks" in their operations.

While the specific case reviewed was focused on U.S. executives, she said similar campaigns operate in Germany, the UK, and Australia.

Social engineering attacks and crypto

Recent incidents point to the broader scope of social engineering threats facing the crypto industry.

North Korean operatives have created fake companies and used deepfakes during job interviews to infiltrate crypto firms, with attackers stealing $1.34 billion across 47 incidents in 2024 alone.

Jimmy Su, Binance's chief security officer, previously told Decrypt that his exchange receives fake resumes daily from suspected North Korean attackers who now use "voice changers during their interviews, and the video was a deepfake."

The main detection method, Su said, is that attackers "almost always have a slow internet connection" due to translation and voice-changing technology working during calls.

The GK8 report documents how threat actors are shifting focus from mass phishing campaigns to "quality over quantity" targeting.

Over the next 12-18 months, Bekker warned that attacks will become more sophisticated as "distinguishing between fake and reality will become increasingly difficult" and said crypto organizations must defend against "customized social engineering attacks that exploit human vulnerabilities."

She recommended that executives "assume their personal information has already been exposed" and ensure "high-value transactions should not be confirmed by a single individual."

Bekker emphasized that "social engineering thrives on human error" and companies need "specific protocols and training on voice and video social engineering tactics."

“With highly personalized scams on the rise, companies need to accept that even the most trusted insiders can be duped,” she said. “Separate roles and private keys, so no single person has full signing power.”

The GK8 report reveals threat actors specify detailed recruitment criteria for callers, including accent preferences, gender selection, language capabilities, and availability across time zones to match specific target profiles and maximize victim engagement during peak hours.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。