Assets
Crypto Deposit
Fiat Deposit
Convert
Transfer
Withdraw
My vouchers
Fund history
Dashboard
Account Security
Identity verification
API Management
Transaction Report
Log out
Register
BTCC / BTCC Square / coincentral /
North Korean Hackers Swipe $300 Million in Elaborate Fake Zoom Meeting Heist

North Korean Hackers Swipe $300 Million in Elaborate Fake Zoom Meeting Heist

Author:
coincentral
Published:
2025-12-15 08:47:28
11
3

North Korean Hackers Steal $300 Million Through Fake Zoom Meeting Scam

Forget the bank vault—the new heist happens in your browser. A state-sponsored cyber unit just pulled off one of the most audacious digital thefts of the year, netting a staggering $300 million without firing a single shot.

The Bait-and-Switch Playbook

It started with a calendar invite. A seemingly legitimate Zoom link, complete with corporate branding and plausible attendees. Once inside the virtual meeting room, targets were directed to click a link to 'review critical documents.' That click was the trapdoor—deploying malware that siphoned credentials and bypassed multi-factor authentication like it was child's play.

Why This One Worked

The sophistication wasn't in the code, but in the social engineering. The hackers mimicked internal workflows perfectly, exploiting the blurred lines between home and office. They didn't hack the firewall; they hacked human trust during the most vulnerable point of the modern workday—another tedious video call.

The Digital Asset Angle

While the initial breach targeted traditional finance channels, forensic trails show rapid conversion into cryptocurrency through layered mixing services. It's a stark reminder: decentralized networks move value faster than any compliance department can say 'suspicious activity report.' The old guard's security protocols are playing checkers while rogue states play 4D chess with blockchain rails.

The Uncomfortable Truth

This isn't just another hack. It's a $300 million demonstration that our digital infrastructure has gaping holes dressed up as features. The same tools that enable global collaboration also enable global theft at scale. And somewhere in a boardroom, a CFO is probably still arguing that cybersecurity is a cost center rather than the only thing standing between them and eight zeroes disappearing into the ether—proving once again that some institutions learn the price of security only after paying for it in full.

TLDR

  • North Korean hackers are stealing crypto through fake Zoom and Microsoft Teams meetings, with over $300 million taken so far
  • Scammers hijack Telegram accounts of trusted contacts and use real video recordings to appear legitimate during calls
  • Victims are tricked into downloading malware after hackers fake technical issues and request software patches
  • The malware gives hackers full control to drain crypto wallets, steal passwords, and take over Telegram accounts to target more victims
  • Anyone who clicks suspicious links should disconnect WiFi immediately, transfer crypto to new wallets, and wipe their device

North Korean hackers have stolen over $300 million from crypto users through a fake video meeting scam. The warning comes from Security Alliance (SEAL), a cybersecurity nonprofit that now sees multiple daily attempts of this attack.

SEAL is tracking multiple DAILY attempts by North Korean actors utilizing “Fake Zoom” tactics for spreading malware as well as escalating their access to new victims.

Social engineering is at the root of the attack. Read the thread below for pointers on how to stay secure. https://t.co/2SQGdtPKGx

— Security Alliance (@_SEAL_Org) December 13, 2025

Security researcher Taylor Monahan says the scam targets crypto executives and industry professionals. The hackers use fake Zoom and Microsoft Teams meetings to trick victims into downloading malware.

The attack begins when hackers take control of a Telegram account belonging to someone the victim knows. This could be a venture capitalist or someone they met at a conference. The hackers use the existing chat history to appear legitimate.

The cybersecurity nonprofit Security Alliance (SEAL) warned that North Korean hackers are using fake Zoom meetings to carry out cryptocurrency scams, with attacks now occurring daily. Researcher Taylor Monahan said the method has caused losses of over $300 million, typically…

— Wu Blockchain (@WuBlockchain) December 15, 2025

The compromised contact then invites the victim to a video call. They share a LINK that looks real, often through a fake Calendly page. When the call starts, the victim sees what appears to be their contact on video.

However, the video feed is not a deepfake as many reports claim. Monahan explains that hackers use real recordings from podcasts or previous hacked meetings. They simply loop this footage during the fake call.

The Critical Moment

During the call, the attacker pretends to have audio or video problems. They then ask the victim to download a patch file or update a software development kit to fix the issue. This file contains malware that infects the victim’s device.

Once installed, the malware is typically a Remote Access Trojan (RAT). This gives hackers complete control over the victim’s computer. They can access crypto wallets, passwords, and company information.

The hackers don’t steal everything right away. They end the call casually and claim they will reschedule. This prevents the victim from realizing they have been compromised until it is too late.

What Happens After Infection

The malware eventually drains all cryptocurrency from the victim’s wallets. It also steals passwords and takes over the victim’s Telegram account. The hackers then use this account to target the victim’s contacts with the same scam.

Monahan warns that anyone who clicks a suspicious link during a Zoom call should act immediately. First, disconnect from WiFi and turn off the infected device. Then use another device to transfer crypto to new wallets.

Recovery Steps

Victims should change all passwords and activate two-factor authentication on all accounts. They must perform a full memory wipe on the infected device before using it again. Securing the Telegram account is critical to stop the spread.

To secure Telegram, open the app on a phone and go to settings. Navigate to devices and terminate all other sessions. Change the password and add or update multifactor authentication.

Monahan stresses that victims must tell everyone if their Telegram gets hacked. The compromised account will be used to scam friends and contacts. She says people need to put pride aside and warn others immediately.

The fake meeting scam is part of a larger offensive by North Korean actors. They have stolen an estimated $2 billion from the crypto sector over the past year. This includes the recent Bybit breach.

Security researchers now consider any request to download software during a live call as an active attack signal. The scam weaponizes professional courtesy and business meeting pressure to force security lapses.

SEAL reports they are seeing multiple attempts of this scam every day. The hackers continue to refine their methods and target new victims across the crypto industry.

|Square

Get the BTCC app to start your crypto journey

Download on the App Store GEI IT ON Google Play

Get started today Scan to join our 100M+ users

Exchange for a better future

Products
Services
Guides
About Us
Terms & Agreement
Customer Service

Risk warning: Digital asset trading is an emerging industry with bright prospects, but it also comes with huge risks as it is a new market. The risk is especially high in leveraged trading since leverage magnifies profits and amplifies risks at the same time. Please make sure you have a thorough understanding of the industry, the leveraged trading models, and the rules of trading before opening a position. Additionally, we strongly recommend that you identify your risk tolerance and only accept the risks you are willing to take. All trading involves risks, so you must be cautious when entering the market.

The world’s longest-running cryptocurrency exchange since 2011 © 2011 - 2025 BTCC.com. All rights reserved

All articles reposted on this platform are sourced from public networks and are intended solely for the purpose of disseminating industry information. They do not represent any official stance of BTCC. All intellectual property rights belong to their original authors. If you believe any content infringes upon your rights or is suspected of copyright violation, please contact us at [email protected]. We will address the matter promptly and in accordance with applicable laws.BTCC makes no explicit or implied warranties regarding the accuracy, timeliness, or completeness of the republished information and assumes no direct or indirect liability for any consequences arising from reliance on such content. All materials are provided for industry research reference only and shall not be construed as investment, legal, or business advice. BTCC bears no legal responsibility for any actions taken based on the content provided herein.