**North Korean Hackers Exploit Fake Zoom Meetings to Steal Crypto and Data**
A new wave of highly convincing social engineering attacks is sweeping the cryptocurrency space, targeting professionals who regularly use video conferencing tools like Zoom and Teams. Cybersecurity firm Security Alliance (SEAL) has warned that it is tracking multiple daily attempts linked to these campaigns, which are tied to North Korean hackers.
The attacks rely on familiarity, trust, and workplace habits, making them particularly effective against professionals in crypto and tech who regularly use video conferencing tools. The tactic involves using fake Zoom meetings to deploy malware that drains sensitive data and cryptocurrency wallets, with more than $300 million already stolen using variations of this approach, according to MetaMask security researcher Taylor Monahan.
**How the Fake Zoom Scam Works**
The attack typically begins on Telegram, where victims receive a message from an account that appears to belong to someone they already know. The attackers specifically target contacts with existing chat history, increasing credibility and lowering suspicion.
Once engagement starts, the victim is guided toward scheduling a meeting through a Calendly link, which leads to what looks like a legitimate Zoom call. When the meeting opens, the victim sees what appears to be a live video feed of their contact and other team members. In reality, the footage is pre-recorded, not AI-generated deepfakes.
During the call, the attacker claims there are audio issues and suggests installing a quick fix. A file is shared in the chat and presented as a patch or software development kit update to restore sound clarity. That file contains the malware payload.
**The Malicious Payload: Remote Access Trojan**
Once installed, the malicious software gives the attacker remote access to the victim's device. The Remote Access Trojan (RAT) silently extracts sensitive information, including passwords, internal security documentation, and private keys. In crypto-focused environments, this can result in complete wallet drainage with little immediate indication of compromise.
**North Korean Hacking Groups: A Long History of Financially Motivated Cybercrime**
North Korean hacking groups have long been linked to financially motivated cybercrime, with proceeds believed to support the regime. Groups such as Lazarus have previously targeted exchanges and blockchain firms through direct exploits and supply chain attacks.
In recent months, these actors have leaned heavily into social engineering. They have infiltrated crypto companies using fake job applications and staged interview processes designed to deliver malware. Last month, Lazarus was linked to a breach at South Korea's largest exchange, Upbit, which resulted in losses of roughly $30.6 million.
**What Experts Say Users Should Do**
Security experts warn that once a malicious file is executed, speed matters. In cases of suspected infection during a call, users are advised to immediately disconnect from Wi-Fi and power off the device to interrupt data exfiltration.
The broader warning is to treat unexpected meeting links, software patches, and urgent technical requests with extreme caution, even when they appear to come from known contacts. Experts emphasize that users should be vigilant and take proactive measures to protect themselves against these highly convincing social engineering attacks.