Last edited on 2025-12-15 08:49:37
North Korean hackers forge Zoom meetings to steal crypto assets, with total losses exceeding $300 million
Cybersecurity agencies have disclosed that North Korean cybercriminals are conducting social engineering attacks through “fake Zoom / fake Teams meetings,” extensively stealing cryptocurrency wallet assets, with total losses exceeding $300 million. Security firm Security Alliance (SEAL) stated that almost daily, multiple related attack incidents are being tracked, and industry practitioners and active users in the crypto space have become key targets.
This attack method was first revealed by MetaMask security researcher Taylor Monahan. She pointed out that North Korean hackers use highly realistic online meeting scenarios to continuously deceive victims into installing malicious software, directly obtaining private keys, passwords, and internal security information, and quickly draining crypto wallets.
The attack usually begins in Telegram groups. Hackers impersonate “people the victim knows,” message their contacts, and use common scheduling tools such as Calendly to send Zoom meeting invitations. Once the meeting starts, victims see video feeds of “familiar people” and “team members,” but these are pre-recorded real videos, not simple deepfakes.
During the call, the hackers claim “audio anomalies” or “poor meeting quality” to persuade victims to download so-called patch files or SDK update packages. These files are malicious programs, typically remote access Trojans (RATs). Once installed, attackers can remotely control the device, steal login credentials and private key information, and swiftly transfer funds out of the crypto wallets.
Security experts point out that this marks an upgrade in the strategy of North Korean hackers in crypto crime. Previously, groups such as the notorious Lazarus Group relied more on exchange attacks, phishing websites, or fake job postings for infiltration. Recently, they have clearly shifted toward “high-trust social engineering attacks” with a higher success rate.
Not long ago, Lazarus Group was also accused of planning an attack on South Korea’s largest cryptocurrency exchange, resulting in losses of approximately $30.6 million. Multiple sources indicate that the global scale of crypto theft is expected to reach $2.17 billion by mid-2025, with personal wallets becoming the most vulnerable link.
Industry insiders warn that if asked to download patches or tools during video meetings, participants should immediately terminate the meeting, disconnect from the network, and turn off their devices, while transferring assets and conducting security checks on wallets to reduce potential losses.