woke up to warnings from security alliance north korean hackers stole 300+ MILLION using fake zoom meetings
genuinely confused. how does zoom call steal crypto?? i use zoom every day how is this possible
went down rabbit hole understand how scam works and honestly way scarier than thought
not using deepfakes or advanced AI. using something simpler more effective: hack your friends telegram message you real conversation history set up zoom call play looped video from podcasts fake audio issue trick you download malware steals EVERYTHING
worst part? doing this MULTIPLE TIMES EVERY DAY right now
whats happening (right now in real time)
security alliance SEAL issued urgent warning saturday dec 13th tracking MULTIPLE DAILY attempts north korean threat actors using fake zoom tactic. not theoretical happening right now real people
metamask security researcher taylor monahan (tayvano on X) broke down entire operation viral thread. estimates 300 million+ already stolen this method
attacks SO successful once compromise one person immediately use that persons telegram target everyone contacts. chain reaction. your friend hacked then YOU get message friends REAL account real conversation history suddenly youre next victim
SEAL calling campaign "elusive comet" tracking real time spreading through crypto community
how scam works step by step
step 1 - hijack telegram account
attack starts hackers taking control someones telegram. usually someone you know - friend colleague crypto conference person VC youve chatted
how get access? either previous attack (someone else fell for scam telegram hijacked) credential stuffing phishing. once have one account reach everyone contacts
step 2 - message with REAL history
makes it convincing. message doesnt come random stranger. comes someone you ACTUALLY know. hackers have access entire previous chat history
message might say "hey remember we talked that project last month? love catch up heres calendly link schedule time"
looks completely legit references REAL conversations
step 3 - calendly redirects fake zoom domain
click calendly thinking scheduling normal call. link redirects fake zoom domain attackers control
URL might look zoom-meet.com or zoommeet.co instead real zoom.us - clicking quickly (most people do) wont notice difference
step 4 - join meeting see real looking video
clever part - join call see video person supposed meeting. talking moving looking camera looks real
NOT live. LOOPED FOOTAGE from real podcast interview conference talk hackers found online. just playing recording repeat
taylor monahan says NOT using deepfakes AI generated. using actual recordings real people. WAY harder detect because video quality perfect person looks exactly themselves no weird AI artifacts
step 5 - fake audio issue
few minutes into call attackers claim audio problem "cant hear you can you hear me think somethings wrong audio"
send file zoom chat claiming "patch" "audio fix" "zoom SDK update" resolve issue
file called zoom_audio_fix.scpt or zoom_sdk_support.scpt or audio_patch.sh
step 6 - download run file
middle video call someone trust genuinely seems audio problem download file run it
moment everything goes wrong
step 7 - malware steals EVERYTHING
run file installs malware - remote access trojan RAT information stealer. immediately starts:
- harvesting browser passwords
- stealing crypto wallet private keys seed phrases
- grabbing session tokens exchanges defi platforms
- exfiltrating icloud keychain data mac
- taking screenshots recording screen
- establishing persistent remote access computer
within MINUTES entire crypto portfolio drained. every wallet every exchange everything
step 8 - hijack YOUR telegram attack friends
insidious part - access computer ALSO steal telegram credentials. use YOUR account message YOUR friends same scam
cycle repeats. friends see message YOU real conversation history zoom invite. chain reaction continues
numbers are terrifying
perspective:
- 300 million+ stolen through this method
- multiple DAILY attacks tracked by SEAL right now
- north korea stole 1.34 billion crypto 2024 alone (61% all crypto stolen)
- 1.5 billion bybit hack feb 2025 same group
- 305 million DMM bitcoin breach 2024 started fake linkedin recruiter
not small time. STATE SPONSORED cyber warfare generating BILLIONS north korean regime
fake zoom just latest evolution. before doing fake linkedin job interviews. before that malicious crypto trading apps. keep adapting finding new ways exploit trust
why works (psychology)
thought about WHY so effective:
trust through familiarity - message from someone you know real history immediately lowers guard
social proof video - see person on video brain registers "real talking to them" - looped footage visual confirmation tricks you
time pressure technical issues - fake audio creates urgency "fix NOW continue conversation" - not analyzing file solving immediate problem
authority technical jargon - "download zoom SDK update" "run audio patch script" sounds official technical most people dont know SDK trust legit
"wont happen to me" bias - people think too smart fall scams "id never download random file" - but in moment video call someone trust dealing technical issue judgment clouded
how protect yourself CRITICAL SECTION
BEFORE zoom/teams call:
verify different channel - someone messages telegram zoom invite TEXT them CALL them directly (not telegram) confirm really them
check zoom URL carefully - look domain zoom.us or zoommeet.co? not official domain DONT JOIN
suspicious calendly redirects - calendly redirects zoom weird URL stop immediately
enable telegram session monitoring - settings devices check unfamiliar sessions terminate anything dont recognize
DURING zoom/teams:
NEVER download files during call - HARD RULE if someone asks download ANYTHING "fix audio" "update zoom" "install patch" STOP thats attack
question technical issues - audio problems suggest rescheduling instead downloading fixes real issues dont need custom patches
look looped behavior - persons video repetitive? same phrases over over? red flag
IF already clicked:
downloaded ran suspicious file ACT IMMEDIATELY:
- DISCONNECT WIFI INSTANTLY - dont think hesitate turn off wifi unplug ethernet RIGHT NOW stops malware exfiltrating communicating command servers
- POWER OFF DEVICE - completely shut down dont just close app
- USE DIFFERENT DEVICE - switch phone ipad not infected computer
- MOVE CRYPTO IMMEDIATELY - transfer ALL funds wallets accessible compromised device to NEW wallets secure hardware centralized exchange generate new seed phrases dont reuse ANYTHING
- CHANGE ALL PASSWORDS - every exchange wallet email cloud storage everything use different device
- REVOKE ALL SESSIONS - telegram discord twitter every platform terminate all sessions except current phone
- ALERT CONTACTS - message everyone immediately account compromised not click ANY links next 48 hours
- WIPE DEVICE - complete factory reset full OS reinstall before using computer again
general security:
hardware wallets - keep majority crypto hardware wallets not connected computer even computer compromised cant steal keys not on device
2FA everywhere - authenticator apps not SMS all exchanges wallets
keep work crypto separate - dont use same computer zoom calls managing large holdings
monitor telegram devices regularly - settings devices at least once week unfamiliar sessions someone has access
trust but verify - message seems from someone you know verify second channel before clicking joining
broader context why north korea doing
hacks arent just random cybercrime. STATE SPONSORED revenue generation
north korea faces international sanctions cut off traditional financial systems. turned crypto theft PRIMARY source foreign currency regime
FBI intelligence attributed attacks groups:
- lazarus group
- bluenoroff
- tradertraitor (jade sleet UNC4899)
- APT38
not independent hackers. UNITS within north koreas reconnaissance general bureau military intelligence agency
money stolen doesnt go individual hackers goes DIRECTLY funding north koreas weapons programs nuclear missile development
when 300 million stolen fake zoom calls not just crypto scam LITERALLY funding hostile nations military
why FBI CIA international law enforcement SO focused tracking disrupting
stuff still figuring out:
how scale effectively? multiple daily attacks personalized social engineering hijacked accounts real time interaction incredibly resource intensive how big operation
why arent zoom telegram doing more? zoom could flag executable files during calls telegram better device session alerts why not adding friction attack vectors
how much recoverable? crypto stolen gets laundered mixers dexs quickly ANY 300 million recovered or gone forever
legal consequences victims? unknowingly become node attack chain (telegram hijacked attack others) liable? legal gray area
whats next evolution? north korean hackers keep adapting fake exchanges fake job offers fake zoom whats next? AI powered real time deepfakes during calls? terrifying
look
north korean hackers stealing 300 million fake zoom might sound sci fi happening RIGHT NOW multiple times day real people crypto industry
attack terrifyingly simple: hijack telegram message real history looped video fake zoom fake audio download malware steal everything
then use YOUR account attack YOUR friends chain reaction spreading
ONLY defense awareness discipline:
- never download files video calls
- verify invitations second channel
- monitor telegram sessions
- keep crypto hardware wallets
- slip up disconnect wifi immediately move funds
not hype not fearmongering SEAL tracking multiple daily attacks RIGHT NOW
if work crypto have holdings use telegram zoom (basically everyone) need know this
next message inviting "quick catch up call" might not actually be from friend
might be north korean military intelligence trying fund weapons program YOUR crypto
stay safe
received suspicious zoom invites? noticed weird telegram sessions? let me know. share this anyone crypto could literally save portfolio