North Korean Actors Use ‘Fake Zoom’ to Drain Crypto Wallets, $300M Stolen Already

“They've stolen over $300m via this method already,” MetaMask security researcher Taylor Monahan said.

North Korean cybercriminals are using ‘fake Zoom’ tactics to install malware, stealing victims’ sensitive data, including passwords and private keys. Cybersecurity firm Security Alliance (SEAL) warned that it has been tracking “multiple daily” such attempts.

The warning comes after MetaMask security researcher Taylor Monahan first outlined the sophisticated trap orchestrated by the DPRK threat actors.

“They’ve stolen over $300m via this method already,” Monahan wrote on X. “DPRK threat actors are still rekting way too many of you via their fake Zoom / fake Teams meets.”

Fake Zoom Modus Operandi – “They’re Taking Over Your Telegrams”

According to Monahan, the scam typically begins with a message from a Telegram account that appears to belong to someone the victim knows.

“They message everyone with prior conversation history,” he said.

The hacker, disguised as the “known person,” then guides the victim to a Zoom link via Calendly. Once the meeting starts, the victim sees what appears to be a live video feed of their contact and other team members. In reality, it is a recorded video rather than a deepfake.

The hacker then complains about the lack of audio clarity, sending a “patch” file via chat and asking the victim to restore the clarity by updating a software development kit, or SDK. The file shared contains the malware payload.

The malware, often a Remote Access Trojan (RAT), will, if installed, exfiltrate sensitive data, including internal security protocols and passwords, and drain crypto wallets completely.

North Korean Hackers’ Strategic Pivot in Social Engineering Campaigns

North Korean hackers, including the infamous Lazarus Group, have been previously linked to high-profile crypto thefts aimed at generating millions in revenue.

For instance, sophisticated North Korean hackers recently infiltrated crypto companies through elaborate job application schemes and fake interview processes.

Last month, the Lazarus Group orchestrated a major cryptocurrency breach that drained roughly $30.6 million from South Korea’s largest exchange, Upbit.

In response to the latest ‘fake Zoom’ call tactic, experts have warned users to immediately disconnect from WiFi and power off the device to halt malware activity.

The latest attack comes at a time when global crypto thefts have reached $2.17 billion in stolen assets by mid-2025.
