Synopsis: North Korean hackers use hijacked Telegram accounts and fake Zoom calls to deploy malware; the attacks are detected daily and have already stolen more than $300 million in cryptocurrency from crypto professionals.
North Korean hackers have sharply escalated their cryptocurrency theft campaigns, turning fake Zoom meetings into a daily danger. The Security Alliance (SEAL), a cybersecurity nonprofit, reports detecting multiple such attacks every day. According to security researcher Taylor Monahan, these scams have already siphoned more than $300 million from victims worldwide.
Unlike traditional hacks, these attacks rely on trust rather than technical complexity. Hackers hijack Telegram accounts of known contacts and use them to lure victims into fraudulent video calls. Once the victim joins, malware is deployed to steal passwords, private keys, and entire crypto wallets. SEAL warns that nearly every crypto professional now faces potential exposure.
Hackers Exploit Trusted Telegram Contacts
The scheme begins when attackers compromise a Telegram account belonging to a colleague, investor, or industry contact. From there, the scam spreads rapidly through professional networks.
Victims receive casual, familiar messages that closely mimic the real person’s tone and style. The conversation then shifts to scheduling a quick Zoom call. Because the request appears routine, defenses drop almost instantly.
Monahan explains that attackers share links that look completely legitimate. The video feed shows real footage of the person, not deepfakes. “These videos are not deepfakes, as widely reported,” she notes. “They are real recordings from when someone was hacked or from public sources.”
Fake Audio Issues Trigger the Malware
Once the Zoom call begins, victims typically see looped footage of someone nodding or appearing distracted. Soon after, the attacker claims there is an audio issue. They then suggest downloading a small patch to fix the problem, presenting it as a common Zoom glitch. In a professional setting, many victims comply without hesitation.
That file, however, contains malware. Once installed, it gives attackers full control of the device. The malware steals private keys, wallet credentials, browser data, and active Telegram sessions. The call then ends casually to avoid raising suspicion.
“They play it cool to prevent detection,” Monahan warns. “They will eventually take all your crypto and your passwords.” The stolen Telegram access is then used to target the victim’s entire contact list.
What to Do If You Clicked a Suspicious Link
Anyone who downloaded files during a suspicious Zoom call must act immediately. First, disconnect from Wi-Fi and power off the device to stop further spread. Next, use a clean device to move funds to new wallets and change all passwords. Enable two-factor authentication across all accounts.
Telegram needs urgent attention. Open the app, go to Settings → Devices, and terminate all other sessions. Change your password and update multi-factor authentication. Monahan strongly advises a full memory wipe of infected devices. Only reuse them after a complete reinstall. “You need to tell everyone immediately,” she stresses. “Put your pride aside and warn others.”
Why the Threat Keeps Growing
The scam works because it exploits professional courtesy. People hesitate to question routine troubleshooting during meetings. Even experienced crypto users who avoid basic phishing fall victim to trusted-contact impersonation. North Korean hacking groups have refined their tactics. While earlier campaigns used deepfakes and complex exploits, this simpler method is harder to spot and highly effective.
Security experts recommend verifying meeting requests through separate channels. Confirm invites directly on another platform before joining. Never download fixes or run unknown files during calls. Using hardware wallets for large holdings is also critical. Avoid storing private keys on internet-connected devices and lock down Zoom settings to limit permissions.
The reported $300 million in losses may be only a fraction of the real damage. Many victims remain unaware that their systems are compromised, which lets the attackers drain wallets later. SEAL continues to track these daily attacks across the crypto industry; they particularly target Web3 employees and executives. Vigilance is essential as these groups continue to adapt, and reporting suspicious activity quickly can help prevent the next major loss.
Written By Fazal Ul Vahab C H

