Key Highlights
- North Korean hackers use fake Zoom/Teams meetings and hijacked Telegram accounts to steal crypto and sensitive data from trusted contacts.
- Victims often unknowingly run malicious updates, exposing wallets, passwords, and company secrets across Mac, Windows, and Linux systems.
- Immediate action is critical: disconnect devices, secure accounts, and alert contacts to prevent further losses and malware spread.
North Korean hackers have stepped up their attacks and broadened their reach by creating fake Zoom and Teams meetings to steal cryptocurrency and sensitive information. According to the cybersecurity company Security Alliance, these attacks rely on social engineering, a hacking technique that exploits the trust built up within professional networks.
The hackers start by hijacking a victim’s Telegram account, messaging known contacts, and sending a disguised link to schedule a call. Once victims interact, the attackers push malicious updates disguised as Zoom fixes, compromising computers across Mac, Windows, and Linux systems.
The firm shared cybersecurity expert Tay’s warning, which stated, “It all starts with the Telegram account of someone you know. They message everyone with prior conversation history. People you met at a conference. Or were introduced by a close friend. VCs. BDs. YOU CAN SEE THE CONVERSATION HISTORY. YOU KNOW THIS PERSON!” This approach tricks people by using familiar contacts, making them more likely to click on malicious links.
How the scam unfolds
The attack process is elaborate. Once a victim clicks the link, hackers request an “update” such as “Zoom Update SDK.scpt,” which secretly runs malware via AppleScript. Tay explained, “The malware EXFILTRATES EVERYTHING across Mac, Windows, and Linux. – All your wallets – Everything in password managers, Apple Notes, etc. – Your Telegram history + session auth tokens – Passwords, seed phrases, SSH keys, AWS creds.” Consequently, victims lose access to both personal and corporate assets, and their Telegram account becomes a tool to target others.
Attackers even simulate legitimate Zoom errors and provide screenshots, convincing victims to follow instructions. Tay added, “They are very very helpful. If you express skepticism, they quickly alleviate your concerns. Really smart people fall for this.” Victims often remain unaware that their systems have already been compromised.
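The lure described above hinges on a script file (such as a ".scpt" run through AppleScript) being passed off as a vendor "update". The following is an added illustration, not code from the article or from Security Alliance: a small detector that reads process-execution log lines in a constructed, simplified format (timestamp, user, parent PID, command line) and flags a script interpreter launching a file whose name is dressed up as a Zoom/Teams/SDK update. The log format, file names, and user names are all assumptions made for the example.

```python
"""Flag script files masquerading as vendor "updates" in process-execution logs.

Added example, not from the article or Security Alliance. The log format is a
constructed, simplified one:  "<timestamp> user=<u> ppid=<p> cmd=<command line>"
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Interpreters that turn a double-clicked "update" into arbitrary code execution.
SCRIPT_INTERPRETERS = {"osascript", "bash", "sh", "zsh", "python3", "powershell", "pwsh"}

# Extensions a genuine vendor installer would not ship as its "update".
SCRIPT_EXTENSIONS = (".scpt", ".applescript", ".sh", ".ps1", ".py", ".js", ".command")

# Words the lure borrows from legitimate software to look trustworthy.
VENDOR_KEYWORDS = ("zoom", "teams", "update", "sdk", "fix", "patch")

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+ppid=(?P<ppid>\d+)\s+cmd=(?P<cmd>.*)$"
)


@dataclass
class Alert:
    timestamp: str
    user: str
    path: str
    reason: str


def suspicious_update_name(path: str) -> bool:
    """True if a script-type file is named like a vendor update or SDK."""
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith(SCRIPT_EXTENSIONS) and any(k in name for k in VENDOR_KEYWORDS)


def scan_line(line: str) -> Optional[Alert]:
    """Return an Alert when a script interpreter runs a vendor-named script."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not in the expected (constructed) format
    try:
        argv = shlex.split(m["cmd"])  # respects quoted paths with spaces
    except ValueError:
        return None  # unbalanced quotes; treat as unparseable
    if not argv:
        return None
    interpreter = argv[0].rsplit("/", 1)[-1]
    if interpreter not in SCRIPT_INTERPRETERS:
        return None
    for arg in argv[1:]:
        if suspicious_update_name(arg):
            return Alert(m["ts"], m["user"], arg,
                         f"{interpreter} executing vendor-named script")
    return None


def scan_log(lines: List[str]) -> List[Alert]:
    """Run scan_line over every line and keep the hits, in log order."""
    return [a for a in (scan_line(l) for l in lines) if a is not None]


# Constructed sample log: two lures (alice, bob) and two benign executions.
SAMPLE_LOG = [
    '2025-12-01T10:02:11Z user=alice ppid=512 cmd=/usr/bin/osascript "/Users/alice/Downloads/Zoom Update SDK.scpt"',
    "2025-12-01T10:02:30Z user=alice ppid=512 cmd=/Applications/zoom.us.app/Contents/MacOS/zoom.us",
    "2025-12-01T10:05:02Z user=bob ppid=731 cmd=/bin/bash /Users/bob/Downloads/teams-fix.sh",
    "2025-12-01T10:06:44Z user=bob ppid=731 cmd=/usr/bin/osascript /Users/bob/scripts/backup.scpt",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.user}: {alert.reason} -> {alert.path}")
```

Run against the sample, the detector reports the two lure executions and ignores both the real Zoom binary (not a script interpreter) and a user's own "backup.scpt" (no vendor keyword in the name). The keyword list is deliberately short; in practice it would be tuned to the software an organisation actually uses, and the rule would be paired with the session-revocation steps the article recommends rather than used alone.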
Recent crypto heists signal escalation
This method aligns with North Korea’s recent cryptocurrency thefts. On November 27, South Korea’s largest crypto exchange, Upbit, suffered a $32 million hack. Yonhap News reported authorities suspect the Lazarus Group, linked to North Korea’s Reconnaissance General Bureau, orchestrated the attack.
The breach targeted hot wallets storing Solana-based tokens like SOL and USDC. Upbit halted withdrawals, transferred funds to cold wallets, and launched a full investigation. A government source noted, “Rather than attacking the server, it is possible that the administrator account was hijacked or that the funds were transferred by pretending to be the administrator.”
Similarly, in August, Lazarus Group allegedly stole £17 million from the UK-based crypto exchange Lykke. The attack forced the company to shut down operations despite promising reimbursements. Authorities cited Bitcoin and Ethereum networks as channels used to launder stolen funds, highlighting the sophisticated nature of North Korean cyber campaigns.
Protecting yourself and your assets
Tay emphasized immediate action for affected users, “DISCONNECT WIFI – TURN COMPUTER OFF – DO NOT USE COMPUTER. ONLY USE PHONE/IPAD. Move funds to secure wallets or exchanges. Wipe the computer completely before using it again.”
Additionally, users are urged to secure their Telegram accounts by terminating all other sessions and updating their passwords and MFA settings. Promptly informing contacts is critical to prevent further breaches.
North Korea’s cyberattacks show that both personal and work devices can be vulnerable. Even cautious users can be tricked by clever scams, making it important to secure accounts and devices alike.
