
The most dangerous crypto threat of 2025 is happening right now, and it’s devastatingly simple. North Korean hackers have stolen over $300 million from cryptocurrency users through fake Zoom meetings—and Security Alliance (SEAL) is tracking MULTIPLE DAILY attempts currently targeting the crypto community. The sophisticated social engineering campaign hijacks Telegram accounts belonging to trusted contacts, uses pre-recorded video to impersonate them during “Zoom calls,” and tricks victims into downloading malware that instantly drains wallets, steals passwords, and compromises entire networks.
This isn’t theoretical—it’s active warfare. MetaMask security researcher Taylor Monahan warned December 13: “DPRK threat actors are still rekting way too many of you via their fake Zoom / fake Teams meets. They’re taking over your Telegrams → using them to rekt all your friends. They’ve stolen over $300m via this method already.” Notable victims include THORChain co-founder JP Thor, who lost $1.3 million in September after falling for the scam. The attack is part of North Korea’s broader $2 billion crypto theft campaign in 2025 alone, including the record-breaking $1.46 billion Bybit hack.
If you’ve clicked ANY link during a suspicious Zoom call: DISCONNECT WIFI IMMEDIATELY. POWER OFF YOUR DEVICE. DO NOT USE IT AGAIN. This is not hyperbole—the malware operates silently, giving hackers time to extract everything before you realize you’re compromised. Here’s how the scam works and how to protect yourself.
How the Scam Works: The 5-Step Attack
Step 1: Telegram Account Hijacking
Hackers first compromise a Telegram account belonging to someone you know—a VC, colleague, conference contact, or industry figure. They gain access through previous hacks, phishing, or exploiting weak security. Once inside, they access all message history, making impersonation seamless.
Step 2: The Trusted Message
You receive a Telegram message from this “trusted” account. The conversation feels legitimate because they reference prior discussions, mutual contacts, or recent events. They suggest a quick Zoom call to discuss a deal, partnership, or opportunity. Because it’s someone you know, you lower your guard.
Step 3: The Fake Zoom Link
Instead of sending a standard Zoom invite, they send a link disguised as Calendly or a custom meeting page. The URL looks professional. When you click it, you see what appears to be a Zoom meeting room with your contact and sometimes other “participants.”
Step 4: The “Audio Problem”
During the call, the video shows your contact (or a recording of them from podcasts/interviews), but they claim audio isn’t working. They suggest you download a “patch” or “update” to fix the issue. They share a link to what looks like Zoom troubleshooting software. This is the malware.
Step 5: Total Compromise
The moment you install the “patch,” it’s over. The Remote Access Trojan (RAT) malware:
- Drains all cryptocurrency wallets (MetaMask, Ledger software, exchange accounts)
- Steals every password (browsers, password managers, cloud accounts)
- Extracts Telegram session tokens (taking over YOUR account to target your contacts)
- Accesses company systems (internal protocols, security keys, admin access)
- Operates silently (no admin warnings, no security alerts)
Monahan warns: “Unfortunately, your computer is already compromised. They just play it cool to prevent detection. They will eventually take all your crypto. And your passwords. And your company/protocol’s shit. And your Telegram account. Then you will go on to rekt all your friends.”
Why It Works: Weaponized Trust
This attack succeeds because it exploits professional courtesy. In crypto, Zoom calls are routine for partnerships, investments, and collaborations. When someone you’ve previously met at a conference messages about a call, saying no feels rude. The psychological pressure of a “business meeting” forces quick decisions.
Additionally, the hackers use REAL VIDEO, not deepfakes. The footage comes from:
- Public podcasts and interviews
- Previously recorded Zoom calls
- Conference presentations
- YouTube videos
Because the video is authentic (just pre-recorded), it passes the “does this look real?” test that might catch AI-generated deepfakes.
Real Victims: $300M+ Stolen, Networks Compromised
JP Thor (THORChain Co-Founder): Lost approximately $1.3 million in September 2025. Hackers accessed his iCloud storage during a fake Zoom call, extracted MetaMask credentials, and drained funds without triggering security alerts.
Unnamed VCs and Executives: Monahan estimates “over $300 million” stolen via this method. Individual losses range from five figures to multimillion-dollar hits. Many victims haven’t disclosed losses publicly due to embarrassment or legal concerns.
The Chain Reaction: Every compromised victim becomes a weapon targeting their entire network. When your Telegram gets hijacked, hackers message everyone in your contact list using your conversation history, perpetuating the cycle.
What to Do If You’re Compromised: Emergency Actions
IF YOU CLICKED A SUSPICIOUS LINK DURING A ZOOM CALL:
Immediate (Next 60 Seconds):
- DISCONNECT FROM THE NETWORK (pull the Ethernet cable or disable Wi-Fi)
- POWER OFF DEVICE COMPLETELY (do not restart—turn off)
- DO NOT USE THIS DEVICE until properly wiped
Using a Different Device (Phone/Tablet):
- Move all crypto to NEW wallets (create fresh addresses, never reuse)
- Change EVERY password (email, exchanges, cloud storage, banking)
- Enable 2FA on all accounts (use hardware keys if possible)
- Revoke ALL Telegram sessions:
  - Open Telegram → Settings → Devices → End ALL other sessions
- Reset AWS keys, GitHub tokens, API credentials
- Alert your contacts that your Telegram was compromised
Before Using Compromised Device Again:
- Full system wipe (factory reset, clean OS install)
- Do NOT restore from backups (malware might persist)
- Scan with multiple antivirus tools before reconnecting
How to Protect Yourself: Prevention Strategies
Telegram Security:
Review Active Sessions:
- Telegram → Settings → Devices → Terminate unknown sessions weekly
- Enable “Show secret chats in the main chat list”
- Set up 2FA with recovery email
Meeting Verification:
Before ANY Zoom call:
- Verify via a SECOND CHANNEL (call their phone, send a text, use a different app)
- NEVER download anything during a live call
- Treat ANY “patch” or “fix” request as an attack signal
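To make the Step 3 and Meeting Verification advice above concrete, here is a small triage routine that classifies a meeting link before anyone clicks it. This is example code added for this article, not part of the original post or of any SEAL or MetaMask tooling; the allowlist of meeting services, the sample links and the hostnames in them are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist of real meeting/scheduling services (constructed for this
# example; maintain your own). A host matches if it is this name or a subdomain.
LEGIT_MEETING_HOSTS = ("zoom.us", "teams.microsoft.com", "calendly.com")


def host_matches(host, allowed):
    """True if host is exactly `allowed` or a subdomain of it."""
    return host == allowed or host.endswith("." + allowed)


def check_meeting_link(url):
    """Classify a meeting link before it is opened.

    Returns (verdict, reason): 'ok' for an allowlisted service, 'suspicious'
    when the link imitates one, 'unknown' when it is simply not allowlisted.
    Anything other than 'ok' should be verified over a second channel."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", "no hostname in link"
    if parts.scheme != "https":
        return "suspicious", "scheme is %r, not https" % parts.scheme
    # https://zoom.us@evil.example/ shows a trusted name but goes to evil.example
    if parts.username is not None:
        return "suspicious", "text before '@' hides the real host %s" % host
    # Internationalised labels can render as look-alikes of a real brand name
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode hostname, possible homoglyph of a brand"
    for allowed in LEGIT_MEETING_HOSTS:
        if host_matches(host, allowed):
            return "ok", "host is %s or one of its subdomains" % allowed
    # Brand name embedded in a different registrable domain, e.g.
    # zoom.us.meeting-invite.example or zoom-us-patch.example
    for allowed in LEGIT_MEETING_HOSTS:
        brand = allowed.split(".")[0]
        if allowed in host or brand in host:
            return "suspicious", "hostname imitates %s" % allowed
    return "unknown", "host is not an allowlisted meeting service"


if __name__ == "__main__":
    # Constructed sample links; none of these are real invites
    for link in ("https://us02web.zoom.us/j/123?pwd=x",
                 "https://zoom.us.meeting-invite.example/join",
                 "https://zoom.us@evil.example/j/1",
                 "https://zoom-us-patch.example/fix-audio"):
        print(link, "->", check_meeting_link(link))
```

A "suspicious" or "unknown" verdict is the cue to confirm the meeting with the contact by phone or another app, never by replying in the same Telegram thread.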
General Practices:
- Use hardware wallets (Ledger, Trezor) for significant holdings
- Keep wallets offline except when actively transacting
- Maintain separate “hot” wallets for daily use vs. “cold” for storage
- Use a password manager with 2FA (not browser-saved passwords)
- Assume every unexpected meeting link is malicious until proven otherwise
Why North Korea Is Winning
North Korea’s cyber warfare division has stolen an estimated:
- $2 billion in crypto in 2025 (as of December)
- $6+ billion since 2017 (cumulative)
- $1.46 billion from Bybit (February 2025, largest single theft)
- $308 million from DMM Bitcoin (May 2024, Japan)
- $30.4 million from Upbit (November 2025, South Korea)
These funds directly support North Korea’s nuclear weapons and ballistic missile programs. The regime employs thousands of hackers in dedicated units operating 24/7. They’ve evolved beyond technical exploits into psychological manipulation, recognizing that humans are the weakest link.
Conclusion: Every Zoom Call Is Now Suspect
The crypto industry must fundamentally rethink video call security. The “fake Zoom” attack demonstrates that even sophisticated users with security awareness fall victim when social engineering exploits professional norms. North Korean hackers have weaponized courtesy, turning routine business meetings into attack vectors.
New Security Rule: NEVER download ANYTHING during live video calls. No patches. No updates. No fixes. Zero exceptions.
If someone claims technical difficulties require software installation, politely end the call and verify through separate channels. No legitimate business opportunity is worth compromising your entire digital life.
For the crypto community, this represents an existential threat. Every compromised user becomes a propagation vector, spreading the attack through their networks. Breaking the cycle requires collective vigilance and immediate action when compromise is suspected.
The $300 million stolen so far is just the beginning if the community doesn’t adapt. North Korea isn’t slowing down—SEAL reports MULTIPLE DAILY attempts continuing as of December 15, 2025. Your next Zoom call could be the attack. Prepare accordingly.
Secure Your Crypto on MEXC:
While MEXC cannot protect against malware on your local devices, our platform employs multi-layer security including 2FA, withdrawal whitelists, and advanced monitoring. Never store all funds on any single platform—diversify across hardware wallets, cold storage, and trusted exchanges.
Disclaimer: This content is for educational and reference purposes only and does not constitute any investment advice. Digital asset investments carry high risk. Please evaluate carefully and assume full responsibility for your own decisions.