North Korean Hackers Drain $300M from Crypto Wallets Using 'Fake Zoom' Scam
Zoom in on disaster: North Korean state-backed hackers are impersonating the video conferencing giant to siphon digital assets from unsuspecting users. The social-engineering campaign has already netted a staggering $300 million, targeting crypto wallets with surgical precision.
The Anatomy of a Digital Heist
Forget clumsy email scams. This operation leverages fake Zoom installers and meeting invitations, tricking users into downloading malware that hijacks wallet credentials and seed phrases. It's social engineering at its most polished—exploiting the trust built around a household name in remote work.
Why Crypto Remains a Prime Target
The decentralized, often pseudonymous nature of blockchain transactions creates a perfect storm for bad actors. Once a transfer is confirmed on-chain it cannot be reversed, so stolen funds are nearly impossible to recover: a feature that cuts both ways for innovation and security. Traditional finance would have regulators swarming, but in crypto, you're often your own first and last line of defense.
The $300 Million Wake-Up Call
This isn't petty theft; it's a state-level extraction operation funding geopolitical ambitions. The sheer scale underscores a brutal truth: as crypto adoption grows, so does its attractiveness as a high-value target. Security isn't just a feature—it's the entire foundation.
Building Fortresses, Not Just Wallets
The industry's response will define its next chapter. Expect a massive push toward institutional-grade custody solutions, hardware wallet adoption, and behavioral biometrics. The race isn't just to build the next DeFi protocol, but to make it impervious to attacks that would make a central bank blush. After all, in traditional finance, losing your password might lock you out of your account; in crypto, it can make you a direct sponsor of a missile program—talk about negative yield.
Fake Zoom Modus Operandi – “They’re Taking Over Your Telegrams”
According to Monahan, the scam typically begins with a message from a Telegram account that appears to belong to someone the victim knows.
"They message everyone with prior conversation history," Monahan said.
The hacker, posing as the known contact, then steers the victim to a Zoom link sent through Calendly. Once the meeting starts, the victim sees what looks like a live video feed of their contact and other team members; in reality it is prerecorded footage, not a deepfake.
The hacker then complains that the victim's audio is unclear and sends a "patch" file through the meeting chat, asking the victim to fix the problem by updating the software development kit (SDK). That file carries the malware payload.
If the victim installs it, the malware, often a remote access trojan (RAT), exfiltrates sensitive data, including internal security protocols and passwords, and drains the victim's crypto wallets completely.
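The meeting link and the chat-delivered "patch" are the two artefacts a target can inspect before anything runs. The Python below is an added example written for this page, not code from the article or from Monahan. It assumes a zoom.us-only allowlist for meeting hosts (extend it for the regional or government Zoom domains your organisation actually uses), applies a blank-line-padding heuristic that is my own assumption rather than something the article describes, and matches the standard Mach-O, PE, ELF, zip and compiled-AppleScript file signatures. The sample links and file contents at the bottom are constructed for the demo, not files from the campaign.

```python
"""Triage the two artefacts the fake-Zoom lure hands a victim: the meeting
link and the chat-delivered "SDK patch". Added example, not code from the
article or from Monahan. Nothing here executes the file; it only classifies."""
from urllib.parse import urlparse

# Assumption: hosts a genuine meeting link may use. Extend this for the
# regional or government Zoom domains your organisation actually uses.
TRUSTED_MEETING_DOMAINS = ("zoom.us",)


def is_trusted_meeting_link(url: str) -> bool:
    """True only for an https URL whose host is a trusted domain or a
    subdomain of one. Rejects look-alikes (zoom-us.com, zoom.us.evil.com),
    punycode hosts, plain http, and zoom.us@evil.com (urlparse correctly
    reports evil.com as the host in that last case)."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return False
    if any(label.startswith("xn--") for label in host.split(".")):
        return False  # IDN look-alikes are never on the allowlist
    return any(host == d or host.endswith("." + d)
               for d in TRUSTED_MEETING_DOMAINS)


# Leading bytes of things that run when opened (well-known file signatures).
_MAGIC = {
    b"MZ": "windows-pe",
    b"\x7fELF": "elf",
    b"\xcf\xfa\xed\xfe": "mach-o", b"\xce\xfa\xed\xfe": "mach-o",
    b"\xfe\xed\xfa\xcf": "mach-o", b"\xfe\xed\xfa\xce": "mach-o",
    b"\xca\xfe\xba\xbe": "mach-o-fat",
    b"FasdUAS": "applescript-compiled",
    b"PK\x03\x04": "zip",
}
_SCRIPT_EXT = {".sh", ".command", ".scpt", ".applescript", ".py", ".js",
               ".ps1", ".bat", ".cmd", ".vbs", ".hta"}
_NATIVE_EXT = {".exe", ".dll", ".msi", ".pkg", ".dmg", ".app"}


def triage_patch(filename: str, data: bytes, padding_threshold: int = 200) -> dict:
    """Classify a 'patch' received over chat without running it.
    Returns {"kind": str, "executable": bool, "reasons": [str, ...]}."""
    reasons = []
    kind = "unknown"
    for magic, label in _MAGIC.items():
        if data.startswith(magic):
            kind = label
            reasons.append(f"file signature says {label}")
            break

    exts = ["." + p for p in filename.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    runs_on_open = last in _NATIVE_EXT or last in _SCRIPT_EXT
    if runs_on_open:
        reasons.append(f"extension {last} runs on open")
        if len(exts) >= 2:
            reasons.append(f"double extension {''.join(exts)} hides the type")

    if kind == "unknown":
        if data.startswith(b"#!"):
            kind = "script"
            reasons.append("shebang line")
        else:
            # Assumed heuristic, not from the article: a text 'patch' whose
            # visible top is hundreds of blank lines is hiding code below
            # the fold of whatever viewer the victim opens it in.
            body = data.lstrip(b" \t\r\n")
            leading_newlines = data[: len(data) - len(body)].count(b"\n")
            if body and leading_newlines >= padding_threshold:
                kind = "padded-script"
                reasons.append(f"{leading_newlines} blank lines before content")
            elif last in _SCRIPT_EXT:
                kind = "script"

    executable = kind not in ("unknown", "zip") or runs_on_open
    if kind == "zip":
        reasons.append("archive: inspect the contents, do not double-click")
    return {"kind": kind, "executable": executable, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples, not files or links from the campaign.
    for link in ("https://us02web.zoom.us/j/1234567890",
                 "https://zoom.us.meeting-invite.com/j/1234567890",
                 "https://zoom.us@evil.example/j/1234567890"):
        print(f"{link}: {'trusted' if is_trusted_meeting_link(link) else 'REJECT'}")
    samples = [
        ("zoom_sdk_update.scpt", b"FasdUAS 1.101.10" + b"\x00" * 8),
        ("audio_fix.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("zoom_sdk_support.txt", b"\n" * 500 + b'do shell script "curl ..."'),
        ("release_notes.txt", b"Zoom SDK 6.2 release notes\n"),
    ]
    for name, blob in samples:
        print(name, triage_patch(name, blob))
```

Run it on the file exactly as received, before opening it. A "patch" that classifies as anything other than unknown has no business arriving over a meeting chat, and a genuine Zoom update comes from the Zoom client's own updater or from zoom.us, never from another meeting participant.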
North Korean Hackers’ Strategic Pivot in Social Engineering Campaigns
North Korean hackers, including the infamous Lazarus Group, have previously been linked to high-profile crypto thefts aimed at generating millions in revenue.
For instance, North Korean operators recently infiltrated crypto companies through elaborate fake job applications and interview processes.
Last month, the Lazarus Group orchestrated a major cryptocurrency breach that drained roughly $30.6 million from South Korea’s largest exchange, Upbit.
For the latest 'fake Zoom' call tactic, experts advise anyone who ran the file to immediately disconnect from Wi-Fi and power off the device to halt the malware.
If you clicked…
– DISCONNECT WIFI
– TURN COMPUTER OFF
– DO NOT USE COMPUTER.
– ONLY USE PHONE/IPAD.
– MOVE funds out of your wallets to new/secure hardware or CEX accounts. Change all your passwords, AWS keys, etc.
– Wipe the computer completely before using it again.
The latest attack comes at a time when global crypto theft had reached $2.17 billion in stolen assets by mid-2025.