North Korean cybercriminals have escalated a long-running social engineering campaign by exploiting trusted video platforms to breach crypto users and firms.
Security researchers say the tactic blends familiarity with urgency, making it harder for targets to detect.
The method relies on deception rather than technical exploits, which increases its success rate. As a result, the campaign continues to drain millions from victims worldwide.
Cybersecurity firm Security Alliance, also known as SEAL, said it has tracked multiple daily attempts linked to the operation.
The warning followed disclosures from MetaMask security researcher Taylor Monahan, who described the activity as a coordinated effort by DPRK-linked threat actors.
Monahan said the attackers had already stolen more than $300 million using the method. He added that the same group continued to compromise users through fake Zoom and fake Teams meetings.
How the fake zoom trap hijacks accounts and wallets
Monahan explained that the attack usually starts on Telegram. According to him, the attackers gain access to an existing account and then message every contact with prior chat history.
The messages appear routine and credible, which lowers suspicion. The impersonator then proposes a Zoom meeting and sends a Calendly link to formalize the call.
Once the meeting begins, victims see what looks like a normal group call. Monahan said the video feed shows familiar faces, but the footage is pre-recorded rather than a deepfake.
Shortly after, the attacker claims the audio does not work properly. The impersonator then shares a file in the chat, describing it as a Zoom or SDK patch.
Monahan said the file actually carries malware, often a Remote Access Trojan. Once installed, the malware begins extracting sensitive information. He noted that it targets internal security documents, stored passwords, and browser data.
In crypto-focused attacks, the malware also drains wallets completely. According to Monahan, some victims only realize the breach after funds disappear.
Lazarus group expands crypto-focused social engineering
Security researchers linked the fake Zoom campaign to North Korean hacking units, including the Lazarus Group.
These groups have a history of targeting crypto firms to generate revenue. In earlier campaigns, they posed as job recruiters and interviewers.
Those operations relied on fake applications and staged interviews to deliver malicious files.
Last month, the Lazarus Group carried out a major breach at South Korea’s largest exchange, Upbit, draining about $30.6 million in digital assets.
The incident was part of a broader strategy to exploit operational trust within the crypto sector.
The fake Zoom method reflects a shift toward real-time interaction rather than email-based lures.
SEAL said the latest attacks showed a high level of coordination and patience. The immediate action is if a suspicious file runs during a call. They said users should disconnect from WiFi and power off the device to stop further data exfiltration.
The warning comes as global crypto thefts reached $2.17 billion in stolen assets by mid-2025, underscoring the growing scale of the threat.