Cybersecurity experts have issued urgent warnings about a sophisticated social engineering campaign orchestrated by North Korean state-sponsored hackers, which has already resulted in the theft of over $300 million in cryptocurrency. The attack vector, dubbed the 'Fake Zoom' or 'Fake Teams' tactic, represents a strategic pivot in the hackers' methods, moving away from AI deepfakes to exploit hijacked communication channels and professional courtesy.
According to detailed analysis from MetaMask security researcher Taylor Monahan (Tayvano) and tracking by the Security Alliance (SEAL), the attacks are occurring "multiple daily." The scheme begins with the hackers taking control of a victim's Telegram account, often one belonging to a venture capitalist or another well-known figure in the industry. Using the account's existing conversation history to appear legitimate, the attacker then lures the victim onto a video call via a Calendly link disguised as an invitation to a Zoom or Microsoft Teams meeting.
"They've stolen over $300m via this method already," Monahan wrote on X. "DPRK threat actors are still rekting way too many of you via their fake Zoom / fake Teams meets."
During the call, the victim sees what appears to be a live video feed of their contact, which is actually a pre-recorded loop taken from a public interview or podcast. The attacker then manufactures a technical issue, such as poor audio, and instructs the victim to download a "patch" file or an update to a software development kit (SDK) to fix it. This file carries the malware payload, typically a Remote Access Trojan (RAT).
Once installed, the malware grants the attackers complete control, enabling them to exfiltrate sensitive data—including passwords, private keys, and internal security protocols—and drain cryptocurrency wallets completely. The stolen Telegram session tokens are then used to propagate the attack to the victim's contacts, creating a vicious cycle.
This campaign is attributed to North Korean hacking groups, including the infamous Lazarus Group, which has been linked to high-profile thefts such as the recent $30.6 million breach of South Korea's Upbit exchange. Experts warn that the tactic weaponizes the pressure of a professional business meeting to bypass security judgment. The warning comes amid a staggering rise in crypto thefts, with global losses reaching $2.17 billion by mid-2025.
The recommended response is drastic: if targeted, users should immediately disconnect from Wi-Fi, power off the device, move funds to new secure wallets or centralized exchanges (CEX), change all passwords and keys, and perform a complete wipe of the infected computer before any further use.