- The scam relies on Telegram impersonation and pre-recorded video calls to build trust.
- Malware is delivered as a fake audio or SDK patch during the meeting.
- Security Alliance says it is tracking multiple such attempts every day.
North Korean-linked cybercriminals are intensifying social engineering campaigns by using fake Zoom and Microsoft Teams meetings to install malware that steals sensitive data and empties cryptocurrency wallets.
Security Alliance (SEAL) reports it is tracking multiple daily attempts tied to these operations, underscoring a move toward more convincing, real-time deception instead of traditional phishing tactics.
MetaMask security researcher Taylor Monahan has also been monitoring this pattern and raising the alarm about the significant losses already attributed to this tactic.
These attacks exploit familiarity, workplace habits, and trust, making them especially effective against professionals in the crypto and technology sectors who frequently rely on video conferencing tools.
How the fake Zoom scam works
The attack usually begins on Telegram. Victims receive a message from an account that appears to belong to a known contact; attackers deliberately target conversations with existing chat history to increase credibility and reduce suspicion.
Once the victim engages, they are directed to schedule a meeting via a link to a calendar scheduling service, which leads to what looks like a legitimate Zoom call.
When the meeting starts, the victim sees what appears to be a live video of their colleague and other team members. In reality, the footage is pre-recorded video rather than an AI-generated deepfake.
During the call, the impersonator claims there are audio problems and suggests installing a quick fix. A file is shared in the meeting chat and presented as an audio patch or SDK update to restore sound quality.
That file contains the malware payload. Once installed, it gives attackers remote access to the victim’s device and the ability to exfiltrate data.
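The chain above (Telegram approach, calendar link, file pushed through the meeting chat under an audio or SDK pretext) can be turned into a simple triage rule for file-share events captured by endpoint or collaboration-platform logging. The script below is an added illustration of that idea; it is not code from the article, SEAL, or MetaMask. The event field names, the scoring weights, and the sample records are all constructed for the example.

```python
"""Triage files offered during video calls, keyed on the indicators the
article describes. Added illustration, not SEAL's or MetaMask's tooling;
the event schema, weights and sample records below are constructed."""
import json
import re
from dataclasses import dataclass, field

# Extensions that can run code or unpack to something that can. A genuine
# audio fix for a conferencing client arrives through the vendor's updater,
# not as a loose installer pasted into a meeting chat.
EXECUTABLE_EXT = {".exe", ".msi", ".dmg", ".pkg", ".app", ".sh", ".bat",
                  ".cmd", ".scr", ".js", ".vbs", ".zip"}

# The pretexts the article describes: an audio problem or an SDK update.
PRETEXT_RE = re.compile(r"\b(audio|sound|mic|sdk)\b.*?\b(fix|patch|update|driver)\b", re.I)

# Invitation paths the article describes (Telegram DM, calendar scheduling link).
RISKY_ORIGINS = {"telegram", "calendar_link"}


@dataclass
class Verdict:
    level: str
    score: int
    reasons: list = field(default_factory=list)


def triage(event: dict) -> Verdict:
    """Score one file-share event. Weights are hypothetical, chosen so that a
    loose installer offered with a fix pretext reaches 'high' on its own."""
    score, reasons = 0, []
    name = event.get("file_name", "")
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in EXECUTABLE_EXT:
        score += 3
        reasons.append(f"executable or archive attachment ({ext})")
    if PRETEXT_RE.search(event.get("sender_claim", "")):
        score += 2
        reasons.append("audio/SDK fix pretext")
    if event.get("invite_origin") in RISKY_ORIGINS:
        score += 1
        reasons.append(f"meeting arranged via {event['invite_origin']}")
    if event.get("shared_in_meeting_chat"):
        score += 1
        reasons.append("file pushed through the meeting chat")
    level = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return Verdict(level, score, reasons)


def triage_jsonl(lines: str) -> list:
    """Parse newline-delimited JSON events; return (file_name, level) pairs."""
    out = []
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        out.append((ev.get("file_name", ""), triage(ev).level))
    return out


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = """
{"invite_origin": "telegram", "sender_claim": "quick audio fix, install this", "file_name": "zoom_audio_patch.exe", "shared_in_meeting_chat": true}
{"invite_origin": "corporate_calendar", "sender_claim": "meeting agenda", "file_name": "agenda.pdf", "shared_in_meeting_chat": true}
{"invite_origin": "calendar_link", "sender_claim": "screenshot of the audio fix settings", "file_name": "audio_settings.png", "shared_in_meeting_chat": true}
"""

if __name__ == "__main__":
    for ev_line in SAMPLE_EVENTS.strip().splitlines():
        ev = json.loads(ev_line)
        v = triage(ev)
        print(f"{ev['file_name']:>22}  {v.level:<6} ({v.score}) {'; '.join(v.reasons)}")
```

The point of the rule is not the exact weights but the combination: an executable is the only indicator that can compromise the host, so it carries the most weight, while the pretext and the invitation path raise the score enough that a "medium" verdict still prompts a verification call through an independent channel before anything is installed.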
Malware impact on crypto wallets
The malicious software is frequently a Remote Access Trojan (RAT). After installation, it operates stealthily to harvest passwords, internal security documents, and private keys.
In environments focused on cryptocurrency, this often leads to full wallet drainage with little immediate sign of compromise.
Monahan has warned that variations of this approach have already been used to steal more than $300 million, and the same threat actors continue to exploit fake Zoom and Teams meetings to compromise users. SEAL has echoed these concerns, noting the frequency and consistency of such attempts across the crypto sector.
North Korea’s evolving cyber playbook
For years, North Korean-linked groups have been associated with financially motivated cybercrime, with illicit proceeds believed to support the regime. Groups such as Lazarus have historically targeted cryptocurrency exchanges and blockchain firms through direct exploits and supply-chain attacks.
These actors have since shifted heavily toward social engineering. In recent months they have used fake job applications and staged interview processes to gain access and deliver malware.
Last month, Lazarus was connected to a breach at South Korea’s largest exchange, Upbit, which resulted in roughly $30.6 million in losses. The fake Zoom tactic reflects a broader strategic pivot toward human-focused attack vectors designed to bypass technical defenses.
What experts say users should do
Security professionals emphasize that once a malicious file is executed, rapid action is essential. If a user suspects infection during a call, they are advised to immediately disconnect from Wi‑Fi and power off the device to interrupt potential data exfiltration.
More generally, treat unexpected meeting invitations, unsolicited software patches, and urgent technical requests with extreme caution—even when they appear to come from familiar contacts. Verify meeting requests through an independent channel, avoid installing unverified software, and maintain up-to-date anti-malware protections and endpoint monitoring to reduce exposure.