Experts warn Telegram-based fake Zoom scams are spreading

Cybersecurity researchers are warning that North Korea–linked threat actors are continuing to steal hundreds of millions of dollars through a highly effective social-engineering campaign involving fake Zoom and Microsoft Teams meetings.

https://twitter.com/_SEAL_Org/status/1999946371261252013

According to security firm SEAL, the attackers have already stolen more than $300 million using a method commonly referred to as the “Fake Zoom” scam. 

The attack typically begins with a compromised Telegram account of someone the victim already knows, such as a former conference contact, venture capitalist, or business development professional.

Using existing chat history, attackers restart conversations and suggest catching up on a call. Victims are then sent a Calendly link to schedule a meeting, which appears legitimate and does not immediately raise suspicion. 

Shortly before the call, the attackers share a meeting link that looks like Zoom or Teams but directs users to a malicious site.

During the call, victims often see real video footage of the impersonated individual or their colleagues. These are not deepfakes, researchers say, but recordings taken from podcasts, past meetings, or earlier compromises. 

When audio or video issues occur, the attacker reassures the victim via Telegram and instructs them to “update” Zoom or install a software fix.

The update is usually a malicious file, often disguised as a Zoom SDK update, that executes malware via AppleScript or similar methods. 

In some cases, victims are asked to copy and paste commands that silently compromise their system.

Once infected, the malware can exfiltrate wallets, passwords, seed phrases, Telegram session tokens, SSH keys, cloud credentials, and sensitive company data across Mac, Windows, and Linux systems. 

Attackers often delay further action to avoid detection before draining funds and hijacking additional accounts.

SEAL reports seeing multiple daily attempts linked to North Korean threat groups. Experts stress that the attacks rely primarily on social engineering, not technical exploits, making even experienced professionals vulnerable.

Security teams urge users to avoid installing updates shared via chat apps and to verify meeting links through official channels before joining calls.
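The last recommendation, checking a meeting link against the vendor's real domains before joining, can be turned into a simple triage routine. The block below is an added example written for this page; it is not code from the article, from SEAL, or from Zoom or Microsoft. The allowlist of host suffixes, the helper names and every sample link are constructed for illustration, and an organisation would substitute its own vendor domain list. The check goes slightly beyond the article's description by also rejecting the generic URL tricks that make a lookalike link pass a glance: brand names placed in the userinfo field before `@`, punycode (homograph) labels, raw IP hosts, and non-label-aligned matches such as `zoom.us.example`.

```python
"""Allowlist check for meeting links received over chat (added example).

Assumptions (not from the article or SEAL): the official host suffixes
below and every sample link are constructed for illustration; an
organisation would maintain its own list of vendor domains.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: a host is trusted only if it IS one of these
# names or a label-aligned subdomain of one (e.g. us02web.zoom.us).
OFFICIAL_MEETING_HOSTS = {
    "zoom.us": "Zoom",
    "teams.microsoft.com": "Microsoft Teams",
    "teams.live.com": "Microsoft Teams",
}


def _is_subdomain_of(host: str, suffix: str) -> bool:
    """True for the suffix itself or any label-aligned subdomain of it.

    Label alignment matters: 'notzoom.us' must not match 'zoom.us'.
    """
    return host == suffix or host.endswith("." + suffix)


def classify_meeting_link(url: str) -> tuple[str, str]:
    """Return ("allow" | "reject", reason) for a meeting URL.

    Only label-aligned matches against the allowlist are accepted;
    everything else is rejected with a reason a user or analyst can act on.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return "reject", f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return "reject", f"scheme {parts.scheme!r} is not https"

    # 'https://zoom.us@other.example/...' puts the brand in the userinfo
    # field; the real host is whatever follows the '@'.
    if parts.username is not None or parts.password is not None:
        return "reject", "userinfo before the host (user@host trick)"

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "reject", "no host in URL"

    # Punycode labels can render as visually identical brand names.
    if host.startswith("xn--") or ".xn--" in host:
        return "reject", f"punycode label in {host}; possible homograph"

    try:
        ipaddress.ip_address(host)
        return "reject", f"raw IP address {host} as host"
    except ValueError:
        pass  # not an IP literal, keep checking

    for suffix, vendor in OFFICIAL_MEETING_HOSTS.items():
        if _is_subdomain_of(host, suffix):
            return "allow", f"{vendor} host {host}"

    # Brand name present but not label-aligned (zoom.us.example,
    # zoom-sdk-update.example): flag as a lookalike, not merely unknown.
    for suffix, vendor in OFFICIAL_MEETING_HOSTS.items():
        brand = suffix.split(".")[0]
        if brand in host:
            return "reject", f"lookalike of {vendor}: {host}"

    return "reject", f"host {host} is not an allowlisted meeting vendor"


# Constructed sample links (not real indicators) exercising each branch.
SAMPLE_LINKS = [
    "https://us02web.zoom.us/j/1234567890",
    "https://teams.microsoft.com/l/meetup-join/abc",
    "https://zoom.us.meeting-update.example/j/1234567890",
    "https://zoom.us@203.0.113.10/j/1234567890",
    "http://zoom.us/j/1234567890",
    "https://xn--zm-zka.us/j/1234567890",
    "https://zoom-sdk-update.example/download",
]


def triage(links: list[str]) -> dict[str, str]:
    """Map each link to its verdict; useful for bulk review of a chat export."""
    return {link: classify_meeting_link(link)[0] for link in links}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = classify_meeting_link(link)
        print(f"{verdict:6} {link}  ({reason})")
```

The "reject with a reason" shape is deliberate: a bare boolean tells a user nothing, whereas "userinfo before the host" or "lookalike of Zoom" explains why a link that reads as legitimate is not, which is exactly the gap the social-engineering step exploits. The same function can run in a chat-export review to surface which contacts have been sending off-vendor meeting links.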