North Korean Hackers Just Stole $300M

North Korean Hackers Just Stole $300M Using Fake Zoom Calls and I'm Like "Wait, How Does a Video Call Steal My Crypto?"

By Cloudy12 | Crypto Hustle NG | 15 Dec 2025


woke up to warnings from security alliance north korean hackers stole 300+ MILLION using fake zoom meetings

genuinely confused. how does zoom call steal crypto?? i use zoom every day how is this possible

went down rabbit hole understand how scam works and honestly way scarier than thought

not using deepfakes or advanced AI. using something simpler more effective: hack your friends telegram message you real conversation history set up zoom call play looped video from podcasts fake audio issue trick you download malware steals EVERYTHING

worst part? doing this MULTIPLE TIMES EVERY DAY right now

whats happening (right now in real time)

security alliance SEAL issued urgent warning saturday dec 13th tracking MULTIPLE DAILY attempts north korean threat actors using fake zoom tactic. not theoretical happening right now real people

metamask security researcher taylor monahan (tayvano on X) broke down entire operation viral thread. estimates 300 million+ already stolen this method

attacks SO successful once compromise one person immediately use that persons telegram target everyone contacts. chain reaction. your friend hacked then YOU get message friends REAL account real conversation history suddenly youre next victim

SEAL calling campaign "elusive comet" tracking real time spreading through crypto community

how scam works step by step

step 1 - hijack telegram account

attack starts hackers taking control someones telegram. usually someone you know - friend colleague crypto conference person VC youve chatted

how get access? either previous attack (someone else fell for scam telegram hijacked) credential stuffing phishing. once have one account reach everyone contacts

step 2 - message with REAL history

makes it convincing. message doesnt come random stranger. comes someone you ACTUALLY know. hackers have access entire previous chat history

message might say "hey remember we talked that project last month? love catch up heres calendly link schedule time"

looks completely legit references REAL conversations

step 3 - calendly redirects fake zoom domain

click calendly thinking scheduling normal call. link redirects fake zoom domain attackers control

URL might look zoom-meet.com or zoommeet.co instead real zoom.us - clicking quickly (most people do) wont notice difference

step 4 - join meeting see real looking video

clever part - join call see video person supposed meeting. talking moving looking camera looks real

NOT live. LOOPED FOOTAGE from real podcast interview conference talk hackers found online. just playing recording repeat

taylor monahan says NOT using deepfakes AI generated. using actual recordings real people. WAY harder detect because video quality perfect person looks exactly themselves no weird AI artifacts

step 5 - fake audio issue

few minutes into call attackers claim audio problem "cant hear you can you hear me think somethings wrong audio"

send file zoom chat claiming "patch" "audio fix" "zoom SDK update" resolve issue

file called zoom_audio_fix.scpt or zoom_sdk_support.scpt or audio_patch.sh

step 6 - download run file

middle video call someone trust genuinely seems audio problem download file run it

moment everything goes wrong

step 7 - malware steals EVERYTHING

run file installs malware - remote access trojan RAT information stealer. immediately starts:

  • harvesting browser passwords
  • stealing crypto wallet private keys seed phrases
  • grabbing session tokens exchanges defi platforms
  • exfiltrating icloud keychain data mac
  • taking screenshots recording screen
  • establishing persistent remote access computer

within MINUTES entire crypto portfolio drained. every wallet every exchange everything

step 8 - hijack YOUR telegram attack friends

insidious part - access computer ALSO steal telegram credentials. use YOUR account message YOUR friends same scam

cycle repeats. friends see message YOU real conversation history zoom invite. chain reaction continues

numbers are terrifying

perspective:

  • 300 million+ stolen through this method
  • multiple DAILY attacks tracked by SEAL right now
  • north korea stole 1.34 billion crypto 2024 alone (61% all crypto stolen)
  • 1.5 billion bybit hack feb 2025 same group
  • 305 million DMM bitcoin breach 2024 started fake linkedin recruiter

not small time. STATE SPONSORED cyber warfare generating BILLIONS north korean regime

fake zoom just latest evolution. before doing fake linkedin job interviews. before that malicious crypto trading apps. keep adapting finding new ways exploit trust

why works (psychology)

thought about WHY so effective:

trust through familiarity - message from someone you know real history immediately lowers guard

social proof video - see person on video brain registers "real talking to them" - looped footage visual confirmation tricks you

time pressure technical issues - fake audio creates urgency "fix NOW continue conversation" - not analyzing file solving immediate problem

authority technical jargon - "download zoom SDK update" "run audio patch script" sounds official technical most people dont know SDK trust legit

"wont happen to me" bias - people think too smart fall scams "id never download random file" - but in moment video call someone trust dealing technical issue judgment clouded


how protect yourself CRITICAL SECTION

BEFORE zoom/teams call:

verify different channel - someone messages telegram zoom invite TEXT them CALL them directly (not telegram) confirm really them

check zoom URL carefully - look domain zoom.us or zoommeet.co? not official domain DONT JOIN

suspicious calendly redirects - calendly redirects zoom weird URL stop immediately

enable telegram session monitoring - settings devices check unfamiliar sessions terminate anything dont recognize

DURING zoom/teams:

NEVER download files during call - HARD RULE if someone asks download ANYTHING "fix audio" "update zoom" "install patch" STOP thats attack

question technical issues - audio problems suggest rescheduling instead downloading fixes real issues dont need custom patches

look looped behavior - persons video repetitive? same phrases over over? red flag

IF already clicked:

downloaded ran suspicious file ACT IMMEDIATELY:

  1. DISCONNECT WIFI INSTANTLY - dont think hesitate turn off wifi unplug ethernet RIGHT NOW stops malware exfiltrating communicating command servers
  2. POWER OFF DEVICE - completely shut down dont just close app
  3. USE DIFFERENT DEVICE - switch phone ipad not infected computer
  4. MOVE CRYPTO IMMEDIATELY - transfer ALL funds wallets accessible compromised device to NEW wallets secure hardware centralized exchange generate new seed phrases dont reuse ANYTHING
  5. CHANGE ALL PASSWORDS - every exchange wallet email cloud storage everything use different device
  6. REVOKE ALL SESSIONS - telegram discord twitter every platform terminate all sessions except current phone
  7. ALERT CONTACTS - message everyone immediately account compromised not click ANY links next 48 hours
  8. WIPE DEVICE - complete factory reset full OS reinstall before using computer again

general security:

hardware wallets - keep majority crypto hardware wallets not connected computer even computer compromised cant steal keys not on device

2FA everywhere - authenticator apps not SMS all exchanges wallets

keep work crypto separate - dont use same computer zoom calls managing large holdings

monitor telegram devices regularly - settings devices at least once week unfamiliar sessions someone has access

trust but verify - message seems from someone you know verify second channel before clicking joining

broader context why north korea doing

hacks arent just random cybercrime. STATE SPONSORED revenue generation

north korea faces international sanctions cut off traditional financial systems. turned crypto theft PRIMARY source foreign currency regime

FBI intelligence attributed attacks groups:

  • lazarus group
  • bluenoroff
  • tradertraitor (jade sleet UNC4899)
  • APT38

not independent hackers. UNITS within north koreas reconnaissance general bureau military intelligence agency

money stolen doesnt go individual hackers goes DIRECTLY funding north koreas weapons programs nuclear missile development

when 300 million stolen fake zoom calls not just crypto scam LITERALLY funding hostile nations military

why FBI CIA international law enforcement SO focused tracking disrupting


stuff still figuring out:

how scale effectively? multiple daily attacks personalized social engineering hijacked accounts real time interaction incredibly resource intensive how big operation

why arent zoom telegram doing more? zoom could flag executable files during calls telegram better device session alerts why not adding friction attack vectors

how much recoverable? crypto stolen gets laundered mixers dexs quickly ANY 300 million recovered or gone forever

legal consequences victims? unknowingly become node attack chain (telegram hijacked attack others) liable? legal gray area

whats next evolution? north korean hackers keep adapting fake exchanges fake job offers fake zoom whats next? AI powered real time deepfakes during calls? terrifying

look

north korean hackers stealing 300 million fake zoom might sound sci fi happening RIGHT NOW multiple times day real people crypto industry

attack terrifyingly simple: hijack telegram message real history looped video fake zoom fake audio download malware steal everything

then use YOUR account attack YOUR friends chain reaction spreading

ONLY defense awareness discipline:

  • never download files video calls
  • verify invitations second channel
  • monitor telegram sessions
  • keep crypto hardware wallets
  • slip up disconnect wifi immediately move funds

not hype not fearmongering SEAL tracking multiple daily attacks RIGHT NOW

if work crypto have holdings use telegram zoom (basically everyone) need know this

next message inviting "quick catch up call" might not actually be from friend

might be north korean military intelligence trying fund weapons program YOUR crypto

stay safe

received suspicious zoom invites? noticed weird telegram sessions? let me know. share this anyone crypto could literally save portfolio

How do you rate this article?

11


Cloudy12
Cloudy12

Nigerian student & aspiring techie. I just finished secondary school and now I’m diving deep into crypto, code, and motivation. I write to grow, share, and inspire others on the same journey.


Crypto Hustle NG
Crypto Hustle NG

Hey! I’m a Nigerian student passionate about crypto, online income, and personal growth. On this blog, I share what I’m learning — wins, mistakes, and all — to help others grow, earn, and stay inspired.

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.