- The scam uses Telegram impersonation and pre-recorded video calls to build trust.
- Malware is delivered as fake audio or SDK patches during meetings.
- The Security Alliance says it tracks such attempts several times daily.
Cybercriminals in North Korea are expanding their social engineering attacks by exploiting fake Zoom and Teams meetings to distribute malware that leaks sensitive data and cryptocurrency wallets.
Cybersecurity firm Security Alliance, also known as SEAL, warned that it is tracking several daily attempts related to such campaigns.
This activity highlights the shift from crude phishing to more persuasive real-time fraud.
The warning comes after it was revealed by MetaMask security researcher Taylor Monahan, who has been closely monitoring the pattern and has already indicated the scale of losses associated with the tactic.
This method is especially effective for cryptocurrency and technology professionals who regularly use video conferencing tools, as it relies on familiarity, trust, and workplace habits.
How Fake Zoom Scams Work
Attacks typically begin on Telegram, where victims receive messages from an account that appears to belong to someone they already know. Attackers specifically target contacts with existing chat history to increase trust and reduce suspicion.
Once engagement begins, victims are directed to schedule a meeting via a Calendly link that looks like a legitimate Zoom call.
When a meeting opens, victims see what appears to be a live video feed of their contacts and other team members.
In fact, the video is not an AI-generated deepfake, but a pre-recorded video.
During the call, the attacker claims there is an audio problem and offers to install a quick fix.
Files are shared in chat and delivered as patches or software development kit updates to restore sound clarity.
The file contains a malware payload. Once installed, attackers can remotely access the victim’s device.
Impact of malware on cryptocurrency wallets
Malicious software is often a remote access Trojan. After installation, it automatically extracts sensitive information such as passwords, internal security documents, and private keys.
In a cryptocurrency-centric environment, wallets can be completely depleted with little to no immediate signs of compromise.
Monahan warned that more than $300 million has already been stolen using a variation of this approach against X, and that the same threat actors continue to exploit fake Zoom and Teams meetings to compromise users.
SEAL expressed concern, noting the frequency and consistency of these attempts across the cryptocurrency sector.
North Korea’s evolving cyber playbook
North Korean hacking groups have long been associated with financially motivated cybercrime that funds support for the North Korean regime.
Groups like Lazarus have previously targeted exchanges and blockchain companies through direct attacks and supply chain attacks.
Recently, these actors have relied heavily on social engineering.
In recent months, they have infiltrated cryptocurrency companies using fake job applications and a staged interview process designed to deliver malware.
Last month, Lazarus suffered a loss of approximately $30.6 million in connection with a breach at Upbit, Korea’s largest exchange.
Fake Zoom tactics reflect a broader strategic pivot toward human-centric attack vectors that bypass technological safeguards.
What experts say you should do
Security experts warn that speed is important when running malicious files.
If infection is suspected during a call, users are advised to immediately disconnect from WiFi and power off the device to stop data leakage.
The broader warning is to handle unexpected meeting links, software patches, and urgent technical requests with extreme caution, even if they appear to come from known contacts.