- The scam relies on impersonation via Telegram and pre-recorded video calls to build trust.
- Malware is delivered as a fake audio patch or SDK during the meeting.
- Security Alliance says it tracks several such attempts every day.
North Korean cybercriminals are escalating social engineering attacks by exploiting fake Zoom and Microsoft Teams meetings to deploy malware that steals sensitive data and drains cryptocurrency wallets.
Cybersecurity firm Security Alliance, also known as SEAL, has warned that it observes multiple daily attempts related to these campaigns.
This activity represents a shift toward more convincing, real-time deception instead of crude phishing attempts.
The warning follows disclosures by MetaMask security researcher Taylor Monahan, who has closely tracked the pattern and highlighted the scale of losses already linked to this tactic.
The scheme leverages workplace familiarity, trust, and routine, making it particularly effective against crypto and technology professionals who regularly use video conferencing tools.
How the fake Zoom scam works
The attack typically begins on Telegram, where victims receive a message from an account that appears to belong to someone they already know. Attackers deliberately target contacts with existing chat history to increase credibility and reduce suspicion.
Once interaction starts, the victim is directed to schedule a meeting via a Calendly link that leads to what looks like a legitimate Zoom call.
When the meeting opens, the victim sees what appears to be a live video stream of their contact and other team members.
In reality, the videos are pre-recorded rather than AI-generated deepfakes.
During the call, the attacker claims there are audio problems and suggests installing a quick fix.
A file is shared in the meeting chat and presented as a patch or a development kit update to restore audio clarity.
That file contains the malware payload. Once installed, it gives the attacker remote access to the victim’s device.
Malware impact on crypto wallets
The malicious software is often a remote access trojan. After installation, it quietly harvests sensitive information, including passwords, internal security documentation, and private keys.
In crypto-focused environments, this can result in complete wallet depletion with few immediate signs of compromise.
Monahan warned on X that variants of this approach have already been used to steal more than $300 million and that the same threat actors continue to exploit fake Zoom and Teams meetings to compromise users.
SEAL has expressed concern about the frequency and consistency of these attempts targeting the crypto sector.
North Korea’s evolving cyber playbook
North Korean hacking groups have long been associated with financially motivated cybercrime, with proceeds believed to support the regime.
Groups such as Lazarus previously targeted exchanges and blockchain firms through direct exploits and supply-chain attacks.
More recently, these actors have turned heavily to social engineering.
In recent months they have infiltrated crypto companies using fake job applications and staged interview processes designed to deliver malware.
Last month, Lazarus was linked to a breach at South Korea’s largest exchange, Upbit, which resulted in reported losses of roughly $30.6 million.
The fake Zoom tactic reflects a broader strategic pivot toward human-centered attack vectors that bypass technical safeguards.
What experts advise users to do
Security experts warn that once a malicious file is executed, speed matters.
In suspected infections during a call, users are advised to disconnect from Wi-Fi immediately and power down the device to interrupt data exfiltration.
The broader warning is to treat unexpected meeting links, software patches, and urgent technical requests with extreme caution—even when they appear to come from known contacts.