
Security Group Warns About Fake Zoom Scams Linked to North Korean Hackers
A cybersecurity organization alerts against daily phishing attempts using fake video calls for distributing malware.
A cybersecurity organization, Security Alliance (SEAL), is monitoring numerous daily threats from North Korean-linked hackers who use deceptive "fake Zoom" or "fake Teams" meetings to spread malware and exploit new victims.
The non-profit entity has shared a comprehensive warning by security researcher Taylor Monahan, detailing how these attacks develop and the extensive financial losses that ensue.
Fake Zoom Calls, Real Financial Damage
Monahan states that the scam begins with a message from a compromised Telegram account belonging to someone the victim knows. Because these accounts retain their historical conversations, the messages look far less suspicious. The victim is then invited to reconnect on a video call joined through a shared link.
During these calls, the victim sees what appear to be legitimate participants. Rather than deepfakes, the attackers use genuine recordings obtained from earlier hacked accounts or from publicly available material. They then cite technical difficulties and instruct the target to apply an update or fix.
The provided file or command, typically masquerading as a Zoom software development kit (SDK) update, installs malware that can stealthily compromise Mac, Windows, and Linux devices. Once in place, it lets the attackers steal cryptocurrency wallets, passwords, private keys, seed phrases, cloud credentials, and Telegram session tokens.
Monahan highlighted that over $300 million has already been stolen using this approach, with attackers often delaying further communication after the initial compromise to evade detection. SEAL pointed out that social engineering is pivotal to the scheme: victims who express concerns are reassured, and they are urged to act swiftly so as not to waste the supposed contact's time.
Monahan cautioned that once a device is compromised, attackers gain access to the victim’s Telegram account, enabling them to message contacts and perpetuate the scam, creating a domino effect throughout professional and social networks.
Warnings from Sector Leaders
Over the past year, several platforms have identified phishing campaigns that use fake Zoom meeting links to steal millions in cryptocurrency. Changpeng (CZ) Zhao, founder of Binance, warned about the surge of AI deepfake scams after influencer Mai Fujimoto fell victim during a bogus Zoom conference. Attackers employed deepfake impersonation and a malicious link to install malware, which breached her Telegram, MetaMask, and X accounts.
Gracy Chen, CEO of Bitget, also cautioned about an escalating surge of phishing attacks that rely on fabricated Zoom and Microsoft Teams meeting invites to target crypto professionals. Last week, Chen reported that attackers position themselves as credible meeting organizers, frequently reaching out to victims via Telegram or counterfeit Calendly links.
Recommendations for Victims
Monahan advised anyone who may have interacted with a dubious link to disconnect from the internet immediately, turn off the affected device, and stop using it. Victims should secure their funds from a different device, update passwords and credentials, and completely wipe the compromised computer before reusing it. Monahan also stressed the importance of securing Telegram by terminating all other sessions from a phone, updating passwords, and enabling multifactor authentication to halt any further spread.
