SEAL warns of daily fake Zoom attacks as North Korean hackers weaponize famous faces

A fake Zoom update is all hackers need to seize crypto funds, cloud data, and entire Telegram accounts.

Cybersecurity firm Security Alliance (SEAL) said it is tracking multiple attempts daily by North Korea-linked threat actors using so-called “fake Zoom” or “fake Teams” meetings to spread malware and expand access to new victims.

The nonprofit reshared a detailed alert from security researcher Taylor Monahan, outlining how the attacks are unfolding and the extent of the associated losses.

Fake Zoom calls, real losses

Monahan said the campaign starts with a message from a compromised Telegram account belonging to someone the victim already knows. These accounts often carry an intact prior conversation history, which lowers suspicion, and the message leads to an invitation to reconnect on a video call scheduled through a shared link.

During the call, victims are shown what appear to be legitimate participants. Rather than deepfakes, the attackers use real recordings taken from previously hacked accounts or public material. They then claim technical issues and instruct targets to apply an update or fix.

The provided file or command, usually disguised as a Zoom Software Development Kit (SDK) update, installs malware that silently compromises the device on Mac, Windows, and Linux systems. This allows attackers to exfiltrate cryptocurrency wallets, passwords, private keys, seed phrases, cloud credentials, and Telegram session tokens.

She said more than $300 million has already been stolen using the method, and attackers often delay further contact to avoid detection after the initial infection. SEAL said social engineering is central to the campaign, adding that victims are repeatedly reassured when they raise concerns and encouraged to move forward quickly to avoid wasting the time of the apparent contact.

Monahan warned that once a device is compromised, attackers take control of the victim’s Telegram account and use it to message contacts and repeat the scam. This creates a cascade effect through professional and social networks.

The researcher urged anyone who clicked on a suspicious link to immediately disconnect from the Internet, turn off the affected device and avoid using it, secure funds with another device, change passwords and login credentials, and completely wipe the affected computer before using it again. She also emphasized the need to secure Telegram by terminating all other sessions from a phone, updating passwords and enabling multi-factor authentication to prevent further spread.

Lazarus-style tactics

Over the past year, several platforms have flagged phishing campaigns using fake Zoom meeting links to steal millions in cryptocurrency. Binance founder Changpeng “CZ” Zhao warned of rising AI deepfake scams after crypto influencer Mai Fujimoto was hacked during a fake Zoom call. Attackers used a deepfake impersonation and a malicious link to install malware, compromising her Telegram, MetaMask and X accounts.

Bitget CEO Gracy Chen also warned of a growing wave of phishing attacks using fake Zoom and Microsoft Teams meeting invitations to target crypto professionals. Last week, Chen said attackers pose as legitimate meeting hosts, often contacting victims via Telegram or fake Calendly links.

During the call, they claim audio or connection issues and urge targets to download a so-called network update or SDK, which is essentially malware designed to steal passwords and private keys. Chen said the tactic mirrors the methods used by the Lazarus group and explained that scammers have been impersonating Bitget representatives.
