North Korean cybercriminals have made a strategic shift in their social engineering campaigns. They impersonated trusted industry officials in fake video conferences and stole over $300 million.
The alert, detailed by MetaMask security researcher Taylor Monahan (also known as Tayvano), outlines a sophisticated “long con” targeting crypto executives.
How North Korea’s fake talks are draining crypto wallets
Monahan said the campaign departs from recent attacks that relied on AI deepfakes.
Instead, it takes a more direct approach built on hijacked Telegram accounts and looped footage from real interviews.
🚨 Warning (again)
North Korean threat actors are still accusing too many people through fake Zooms and fake Teams meetings.
They have hijacked your Telegram and are using it to send it to all your friends.
They have already stolen over $300 million using this method.
Please read this. Please stop the cycle. 🙏 pic.twitter.com/tJTo9lkq0v
— Tay💖 (@tayvano_) December 13, 2025
This attack typically begins after hackers gain control of a trusted Telegram account. This account often belongs to someone the venture capitalist or victim has previously met at a conference.
The attackers then use the earlier chat history to appear legitimate and lure the victim into a Zoom or Microsoft Teams video call via a spoofed Calendly link.
Once the meeting begins, the victim sees what appears to be a live video feed of the contact. In reality, it is often a repurposed recording of a podcast or public appearance.
The decisive moment usually comes after the attacker stages a technical problem.
After citing audio or video issues, the attacker prompts the victim to restore connectivity by downloading a specific script or updating the software development kit (SDK). The file delivered at that point contains a malicious payload.
Once malware, often a remote access Trojan (RAT), is installed, it gives the attacker complete control.
It is used to exfiltrate cryptocurrency wallets, steal sensitive data including internal security protocols and Telegram session tokens, and target the next victims within the network.
With this in mind, Monahan warned that this particular vector weaponizes professional decorum.
Hackers rely on the psychological pressure of “business meetings” to force errors in judgment and turn routine troubleshooting requests into catastrophic security breaches.
For those in the industry, a request to download software during a call is now considered an active attack signal.
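The two signals described above, a meeting link whose host is not the vendor's own domain and a mid-call request to install something, can be checked mechanically in chat triage. The sketch below is an added example, not code from Monahan or the article; the trusted-host list, the brand keywords, the phrase pattern and the sample messages are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this organisation accepts as genuine scheduling/meeting services.
TRUSTED = ("calendly.com", "zoom.us", "teams.microsoft.com", "teams.live.com")
# Brand words that should only appear in a host covered by TRUSTED (heuristic).
BRANDS = ("calendly", "zoom", "teams")
# Assumed wording for the lure in the article: download a script or update an SDK.
INSTALL_ASK = re.compile(
    r"\b(download|install|run|update)\b.{0,40}\b(script|sdk|patch|fix)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)


def host_is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


def review_message(text):
    """Return a sorted list of findings for one chat message."""
    findings = set()
    for url in URL.findall(text):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:  # malformed URL, e.g. broken IPv6 literal
            findings.add("unparseable-url")
            continue
        if not host or host_is_trusted(host):
            continue
        if host.startswith("xn--") or ".xn--" in host:
            findings.add("punycode-host:" + host)
        if any(brand in host for brand in BRANDS):
            findings.add("lookalike-host:" + host)
    if INSTALL_ASK.search(text):
        findings.add("install-request")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample messages; the .example hosts are placeholders.
    samples = [
        "Let's sync: https://calendly.com/alice/30min",
        "New link https://calendly.meeting-invite.example/alice/30min",
        "Audio broken. Download this fix script: https://teams-support.example/fix.sh",
    ]
    for msg in samples:
        print(review_message(msg), "<-", msg)
```

Substring matching on brand words will also flag unrelated hosts that happen to contain them, so findings are a prompt to verify the contact through a second channel, not a verdict.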
Meanwhile, this “fake meeting” strategy is part of a broader attack by officials of the Democratic People’s Republic of Korea (DPRK). They stole an estimated $2 billion from the sector over the past year, including the Bybit breach.
The post North Korean hackers steal $300 million in fake Zoom meetings appeared first on BeInCrypto.