SEAL Warns of Daily Fake Zoom Attacks as DPRK Hackers Weaponize Familiar Faces

A fake Zoom “update” is all it takes for hackers to seize crypto funds, cloud credentials, and entire Telegram accounts.

Cybersecurity firm, Security Alliance (SEAL), said it is tracking multiple daily attempts by North Korean-linked threat actors using so-called “fake Zoom” or “fake Teams” meetings to distribute malware and expand access to new victims.

The non-profit reshared a detailed warning from security researcher Taylor Monahan outlining how the attacks unfold and the scale of losses involved.

Fake Zoom Calls, Real Losses

Monahan said the campaign begins with a message from a compromised Telegram account belonging to someone the victim already knows. These often have prior conversation history intact, which lowers suspicion and leads to an invitation to reconnect via a video call scheduled through a shared link.

During the call, victims are shown what appear to be legitimate participants, using real recordings sourced from previously hacked accounts or public material rather than deepfakes, before attackers claim technical issues and instruct targets to apply an update or fix.

The file or command provided, usually disguised as a Zoom software development kit (SDK) update, installs malware that quietly compromises the device across Mac, Windows, and Linux systems. This allows attackers to exfiltrate cryptocurrency wallets, passwords, private keys, seed phrases, cloud credentials, and Telegram session tokens.

She said more than $300 million has already been stolen using the method, and attackers often delay further contact to avoid detection after the initial infection. SEAL said social engineering is central to the campaign, while adding that victims are reassured repeatedly when they express concern and are encouraged to proceed quickly to avoid wasting the apparent contact’s time.

Monahan warned that once a device is compromised, attackers take control of the victim’s Telegram account and use it to message contacts and repeat the scam. This creates a cascading effect through professional and social networks.

You may also like:

The researcher urged anyone who has clicked a suspicious link to immediately disconnect from the internet, turn off the affected device, and avoid using it, secure funds using another device, change passwords and credentials, and completely wipe the compromised computer before reuse. She also stressed the need to secure Telegram by terminating all other sessions from a phone, updating passwords, and enabling multifactor authentication to prevent further spread.

Lazarus-Style Tactics

In the past year, several platforms have flagged phishing campaigns using fake Zoom meeting links to steal millions in cryptocurrency. Binance founder Changpeng “CZ” Zhao warned about rising AI deepfake scams after crypto influencer Mai Fujimoto was hacked during a fake Zoom call. Attackers used a deepfake impersonation and a malicious link to install malware, which compromised her Telegram, MetaMask, and X accounts.

Bitget CEO Gracy Chen also warned of a growing wave of phishing attacks using fake Zoom and Microsoft Teams meeting invitations to target crypto professionals. Last week, Chen said attackers pose as legitimate meeting hosts, often contacting victims via Telegram or fake Calendly links.

During the call, they claim audio or connection issues and urge targets to download a supposed network update or SDK, which is actually malware designed to steal passwords and private keys. Chen said the tactic mirrors methods used by the Lazarus group and explained that scammers have impersonated Bitget representatives.