- The scam relies on Telegram impersonation and pre recorded video calls to build trust.
- Malware is delivered as a fake audio or SDK patch during the meeting.
- Security Alliance says it is tracking multiple such attempts every day.
North Korean cybercriminals are escalating social engineering attacks by exploiting fake Zoom and Teams meetings to deploy malware that drains sensitive data and cryptocurrency wallets.
Cybersecurity firm Security Alliance, also known as SEAL, has warned that it is tracking multiple daily attempts linked to these campaigns.
The activity highlights a shift toward more convincing, real-time deception rather than crude phishing.
The warning follows disclosures by MetaMask security researcher Taylor Monahan, who has been monitoring the pattern closely and flagging the scale of losses already linked to the tactic.
The method relies on familiarity, trust, and workplace habits, making it particularly effective against professionals in crypto and tech who regularly use video conferencing tools.
How the fake Zoom scam works
The attack typically begins on Telegram, where victims receive a message from an account that appears to belong to someone they already know. The attackers specifically target contacts with existing chat history, increasing credibility and lowering suspicion.
Once engagement starts, the victim is guided toward scheduling a meeting through a Calendly link, which leads to what looks like a legitimate Zoom call.
When the meeting opens, the victim sees what appears to be a live video feed of their contact and other team members.
In reality, the footage is pre-recorded, not AI-generated deepfakes.
During the call, the attacker claims there are audio issues and suggests installing a quick fix.
A file is shared in the chat and presented as a patch or software development kit update to restore sound clarity.
That file contains the malware payload. Once installed, it gives the attacker remote access to the victim’s device.
Malware impact on crypto wallets
The malicious software is often a Remote Access Trojan. After installation, it silently extracts sensitive information, including passwords, internal security documentation, and private keys.
In crypto-focused environments, this can result in complete wallet drainage with little immediate indication of compromise.
Monahan has warned on X that more than $300m has already been stolen using variations of this approach, and that the same threat actors continue to exploit fake Zoom and Teams meetings to compromise users.
SEAL has echoed the concern, noting the frequency and consistency of these attempts across the crypto sector.
North Korea’s evolving cyber playbook
North Korean hacking groups have long been linked to financially motivated cybercrime, with proceeds believed to support the regime.
Groups such as Lazarus have previously targeted exchanges and blockchain firms through direct exploits and supply chain attacks.
More recently, these actors have leaned heavily into social engineering.
In recent months, they have infiltrated crypto companies using fake job applications and staged interview processes designed to deliver malware.
Last month, Lazarus was linked to a breach at South Korea’s largest exchange, Upbit, which resulted in losses of roughly $30.6 million.
The fake Zoom tactic reflects a broader strategic pivot toward human-centric attack vectors that bypass technical safeguards.
What experts say users should do
Security experts warn that once a malicious file is executed, speed matters.
In cases of suspected infection during a call, users are advised to immediately disconnect from WiFi and power off the device to interrupt data exfiltration.
The broader warning is to treat unexpected meeting links, software patches, and urgent technical requests with extreme caution, even when they appear to come from known contacts.
