- The scam relies on impersonating known contacts on Telegram and using pre-recorded video footage on calls to build trust.
- The malware is delivered as a fake audio patch or SDK during the meeting.
- Security Alliance says it is tracking multiple daily attempts of this type.
North Korean cybercriminals are ramping up social engineering attacks that use fake Zoom and Teams meetings to deploy malware designed to steal sensitive data and drain cryptocurrency wallets.
Cybersecurity firm Security Alliance, also known as SEAL, has warned that it is tracking multiple daily attempts linked to these campaigns.
The activity highlights a shift toward more convincing, real-time deception rather than blunt phishing attempts.
This warning follows reporting by MetaMask security researcher Taylor Monahan, who has been tracking the pattern and calling attention to the scale of losses already tied to the tactic.
The method leverages familiarity, trust, and workplace habits, making it especially effective against crypto and tech professionals who regularly use video conferencing tools.
How the fake Zoom scam works
The attack often begins on Telegram, where targets receive a message from an account that appears to belong to someone they know. Attackers specifically pick targets who already have a chat history with the impersonated account, which lends the approach credibility and lowers suspicion.
Once interaction begins, the victim is guided to schedule a meeting via a Calendly link that leads to what appears to be a legitimate Zoom call.
When the meeting starts, the victim sees what looks like a live broadcast of their contact and other team members.
In reality, the video is pre-recorded footage of the impersonated people, not an AI-generated deepfake.
During the call, the attacker claims there are audio problems and suggests installing a quick fix.
A file is shared in the chat and presented as an audio patch or software development kit update to restore sound clarity.
That file contains the malware payload. Once installed, it gives the attacker remote access to the victim’s device.
Impact of the malware on cryptocurrency wallets
The malicious software is typically a remote access Trojan. After installation, it quietly exfiltrates sensitive information, including passwords, internal security documents, and private keys.
In crypto-focused environments, this can lead to a complete draining of wallets with little immediate sign of compromise.
Monahan has warned on social media that more than $300 million has already been stolen using variations of this approach, and the same malicious actors continue to exploit fake Zoom and Teams meetings to compromise users.
SEAL has expressed concern about the frequency and consistency of these attempts within the crypto sector.
North Korea’s evolving cyber playbook
North Korean hacking groups have long been associated with financially motivated cybercrime, and their proceeds are widely believed to support the regime.
Groups such as Lazarus have previously targeted exchanges and blockchain firms through direct exploits and supply-chain attacks.
More recently, these actors have shifted heavily toward social engineering.
In recent months, they have infiltrated crypto companies using fake job applications and staged interview processes designed to deliver malware.
Last month, Lazarus was linked to a breach at South Korea’s largest exchange, Upbit, resulting in estimated losses of around $30.6 million.
The fake Zoom tactic reflects a broader strategic move toward human-centered attack vectors that evade technical safeguards.
What experts recommend users do
Security experts warn that once a malicious file runs, speed matters.
If infection is suspected during a call, users are advised to immediately disconnect from Wi‑Fi and power down the device to interrupt data exfiltration. Any credentials, seed phrases, or private keys that were stored or entered on that device should then be treated as compromised and rotated, and funds moved, from a separate clean machine.
The general guidance is to treat unexpected meeting links, software patches, and urgent technical requests with extreme caution, even if they appear to come from known contacts. Verifying the request through a second channel, such as a phone call to a number already on file, before running anything shared in a meeting chat defeats this particular lure.