I got a friend last week freaking out because he clicked what he thought was a Zoom call from a colleague. Turned out… it wasn’t Zoom at all. It was a trap. And right now, that trap is netting North Korean hackers millions in crypto.
Security researchers say DPRK-backed actors have already stolen over $300 million using this “fake Zoom” scam. The catch? It’s sneaky, it looks real, and it hits people where it hurts most—their wallets.
SEAL is tracking multiple DAILY attempts by North Korean actors utilizing “Fake Zoom” tactics for spreading malware as well as escalating their access to new victims.
Social engineering is at the root of the attack. Read the thread below for pointers on how to stay secure. https://t.co/2SQGdtPKGx
— Security Alliance (@_SEAL_Org) December 13, 2025
Here’s how it goes down:
- The Telegram Hook: You get a message from someone you know—or at least, it looks like them. Hackers clone prior conversation histories to seem legit.
- The Fake Meeting: Next, they send a Zoom link (usually via Calendly). You join. On screen, you see video of your colleague and other team members. Looks totally normal. But it’s just a recorded video, not a real call. No deepfakes, just plain old trickery.
- The Malware “Fix”: The fake host complains the audio is bad. They send a “patch” file or an SDK update to fix it. You install it… and boom. Malware is on your system. Often a Remote Access Trojan (RAT), which can grab passwords, internal files, and drain crypto wallets.
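The weak link in step two is the "Zoom" URL itself. As an added defensive example (not code from this post or from the researchers it quotes), here is a small Python check that flags links which claim to be Zoom invites but do not point at zoom.us; the allowlist and the sample chat message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts that legitimately serve Zoom meeting links. Assumption: this short
# allowlist is illustrative; keep your own, e.g. for a vanity subdomain.
ZOOM_HOSTS = ("zoom.us",)

# Loose URL matcher for chat text (stops at whitespace and quote characters).
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed example of a Telegram message mixing a lookalike and a real link.
SAMPLE_MESSAGE = (
    "hey, hopping on now: https://zoom-us.com/j/555 (Calendly sent it), "
    "or use the usual room https://us02web.zoom.us/j/123?pwd=abc"
)


def is_real_zoom_link(url: str) -> bool:
    """True only if the link is HTTPS and its host is zoom.us or a subdomain.

    Rejects lookalikes such as zoom-us.com and zoom.us.evil.example, and the
    userinfo trick https://zoom.us@evil.example/ where the real host hides
    after the '@'.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if parts.scheme != "https":
        return False
    # urlsplit puts anything before '@' into username/password; a genuine
    # invite never carries credentials, so treat that as a red flag.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == h or host.endswith("." + h) for h in ZOOM_HOSTS)


def suspicious_links(message: str) -> list[str]:
    """Return every link that mentions 'zoom' but fails is_real_zoom_link."""
    return [u for u in URL_RE.findall(message)
            if "zoom" in u.lower() and not is_real_zoom_link(u)]
```

A link passing this check still only proves the host; it says nothing about who sent it, so the recorded-video and "audio patch" steps need the same scepticism.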
Taylor Monahan, a MetaMask security researcher, warns that these hackers are still wrecking people left and right. “They’ve stolen over $300m via this method already,” she said.
The malware EXFILTRATES EVERYTHING across Mac, Windows, and Linux.
– All your wallets
– Everything in password managers, Apple Notes, etc.
– Your Telegram history + session auth tokens
– Passwords, seed phrases, SSH keys, AWS creds
Full breakdown: https://t.co/Cawpj3uN8x
— Tay 💖 (@tayvano_) December 13, 2025
North Korean groups like the infamous Lazarus Group are no strangers to this. They’ve hit crypto companies before—job application scams, fake interviews, even major exchange hacks. Last month, Lazarus snatched $30.6 million from Upbit in South Korea.
The lesson? If something feels off—even if it looks real—disconnect immediately. Turn off WiFi, power down your device. Don’t let curiosity or FOMO cost you your crypto.