Fake Zoom Crypto Hacks Linked to North Korea

• SEAL warns North Korean crypto hacks using fake Zoom calls increase daily.
• Scam involves malware download during fake video meetings to steal keys.
• Over $300 million already stolen from victims through this tactic.

Cybersecurity nonprofit Security Alliance warns they are seeing multiple daily attempts by North Korean hackers to target victims using fake Zoom meetings. The organization tracks the escalating threat as part of broader North Korean crypto hacks.

The scam begins with tricking victims into downloading malware. Hackers steal sensitive data including passwords and private keys once devices are infected.

Security researcher Taylor Monahan warned that the tactic has already looted over $300 million from users. The approach is a new vector for North Korean crypto hacks that combine social engineering with technical exploitation.

Fake Zoom crypto hacks start with familiar contacts

Monahan explained the scam starts with a message from a Telegram account of someone known to the victim. The familiarity creates a false sense of security that lowers defenses.

The conversation leads to an invitation to catch up over Zoom. Hackers share a link before the call that is masked to look legitimate.

“There you can see the person + some of their partners/colleagues. These videos are not deepfakes as widely reported. They are real recordings from when they got hacked or public sources (podcasts),” Monahan stated.

The videos use legitimate footage rather than AI-generated deepfakes. This makes the deception more convincing and harder to detect during initial contact.

Malware infection occurs during fake meeting

Once the call begins, the hackers feign audio issues and send a patch file to fix the supposed problem. Opening the file infects devices with malware that grants hackers access to the system.

The hackers then end the fake call under the pretense of rescheduling for another day. This prevents immediate detection of the compromise.

“Unfortunately, your computer is already compromised. They just play it cool to prevent detection. They will eventually take all your crypto. And your passwords. And your company/protocol’s shit. And your Telegram account. Then you will go on to rekt all your friends,” Monahan stated.

The malware operates silently after installation. Hackers wait before extracting cryptocurrency and credentials to avoid raising suspicion.

Immediate response required after clicking malware

Monahan warns that anyone who clicked on a link shared during a suspicious Zoom call should immediately disconnect from WiFi. Users must turn off the affected device right away.

Users should employ another device to transfer cryptocurrency to new wallets. All passwords require changing and two-factor authentication should be activated where possible.

Performing a full memory wipe on the infected device is necessary before using it again. This removes the malware completely from the compromised system.

North Korean actors use Telegram for crypto hacks

The hackers gain control of Telegram accounts and use the stored contacts to find and scam new victims. This creates a chain of compromises that spreads through professional networks.

North Korean hackers have stolen over $6 billion in digital assets since 2017. The funds support the regime’s nuclear and ballistic missile programs.

2025 saw major escalation in North Korean crypto hacks. The Bybit breach in February resulted in approximately $1.46 billion stolen, marking the largest cryptocurrency theft in history.

The FBI labeled the Bybit operation “TraderTraitor.” Hackers compromised an Ethereum cold wallet and moved 401,000 ETH from the exchange.

Recent crypto hacks target major exchanges

Upbit suffered a breach in November 2025 with approximately $30.4 million stolen. South Korea’s largest exchange was breached again following a 2019 attack by suspected Lazarus actors.

The 2024 DMM Bitcoin hack in Japan resulted in $308 million stolen in May. Hackers compromised the exchange’s wallet and took 4,502 BTC from the platform.

WazirX in India lost $235 million in July 2024. Attackers drained a multisig wallet, taking nearly 45% of the exchange’s reserves.

BingX hot wallets were breached in September 2024 with $43-52 million stolen. The attackers quickly swapped stolen assets including ETH and BNB to evade freezing attempts. The fake Zoom tactic is an evolution in North Korean cyber operations.