Cybersecurity nonprofit Security Alliance (SEAL) says North Korean hackers are now launching multiple scam attempts each day using fake Zoom meetings.
In the scheme, victims are lured into joining a counterfeit Zoom call and prompted to download malware, giving attackers access to sensitive information such as passwords and private keys. Security researcher Taylor Monahan warned the tactic has already drained more than $300 million from users.

How the fake Zoom call scam works
According to Monahan, the scam begins with a message from a Telegram account belonging to someone the victim already knows, creating a false sense of trust. The conversation eventually leads to an invitation to catch up over Zoom.
Before the call, the scammers share a link that appears legitimate. Once inside, victims can see the familiar person along with supposed partners or colleagues. Monahan noted that these videos are not deepfakes, as widely claimed, but real footage taken from past hacks or publicly available sources such as podcasts.
When the call starts, the attackers pretend there are audio problems and send the victim a “patch” file to fix the issue. Opening the file installs malware on the device. The scammers then abruptly end the call, claiming they will reschedule for another time.
“Unfortunately, your computer is already compromised. They just play it cool to prevent detection. They will eventually take all your crypto. And your passwords. And your company/protocol’s shit. And your Telegram account. Then you will go on to rekt all your friends.”
Here’s what to do if you’ve clicked the malware link
Monahan advises anyone who may have clicked a link during a suspicious Zoom call to immediately disconnect from Wi-Fi and power down the affected device.
Using a separate, clean device, victims should transfer any crypto holdings to new wallets, change all passwords, enable two-factor authentication wherever possible, and perform a complete memory wipe of the compromised device before using it again.
She also emphasized that securing Telegram accounts is “critical.” Users should open Telegram on their phone, go to Settings → Devices, terminate all other active sessions, change their password, and add or update multifactor authentication.
According to Monahan, attackers are hijacking Telegram accounts and exploiting stored contacts to identify and target new victims.

“Lastly, if they hack your Telegram, you need to TELL EVERYONE ASAP. You are about to hack your friends. Please put your pride aside and SCREAM about it.”

