Trading Secrets 15-12-2025 14:23

North Korean hackers use malicious Zoom calls to target crypto users on Telegram

North Korean hackers are increasingly using deceptive Zoom meetings to compromise victims and steal crypto assets, according to the cybersecurity nonprofit Security Alliance (SEAL).

These malicious Zoom meetings, which often target high-level crypto figures, have become a daily occurrence, the SEAL team warned in a recent X post.

“SEAL is tracking multiple DAILY attempts by North Korean actors utilizing ‘Fake Zoom’ tactics for spreading malware as well as escalating their access to new victims. Social engineering is at the root of the attack,” the group wrote.

In a separate post published the same day, cybersecurity researcher Taylor Monahan explained that this attack vector has already drained over $300 million from the wallets of unsuspecting users.

North Korean hackers use Zoom to push malicious script

The scam usually begins with bad actors reaching out through a Telegram account that belongs to someone the victim knows. 

Because the account is familiar, the victim is lulled into a false sense of trust and eventually drawn into a casual conversation that leads to a Zoom video call invitation.

Hackers then share a malicious link disguised to look like a standard Zoom invite. On that page, victims may see what appears to be their contact, along with supposed colleagues or partners. 

According to Monahan, these are not deepfakes but real videos recorded from earlier hacks or publicly available sources like podcasts.

Once the call begins, the hackers pretend to have audio problems and convince the victim that a patch is needed to resolve the issue. 

The victim is then sent a file to install, often named something like “Zoom Update SDK.scpt”, which executes malicious AppleScript code. In other cases, victims are asked to copy and paste a fix into their terminal.

“The ‘update’ is often a ‘Zoom Update SDK.scpt’ which opens or runs in AppleScript. There are a lot of blank spaces to hide the malicious code. In other cases you copy and paste the ‘fix.’ It says it’s successful. But it doesn’t resolve the issue. So you eventually reschedule,” Monahan explained.

What the victim does not realize is that the malware is already active: the script silently infects the system and begins exfiltrating sensitive data, stealing passwords and browser-stored crypto wallets and taking over the user’s Telegram account.
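As an added, defender-side example (not from the article, SEAL or Monahan), the following Python triage script looks for the whitespace-padding trick described above: it measures blank-line runs in an AppleScript source and flags shell-invoking statements that appear only after such padding. It assumes the script is already in source form (on macOS a compiled .scpt can be turned back into text with osadecompile); the sample file is constructed, with a harmless placeholder in place of any payload.

```python
import re

# Constructed sample of an AppleScript "update" in source form: a benign-looking
# banner, hundreds of blank lines to push the rest off screen, then the real
# code. The payload line is a harmless placeholder, not the actual malware.
SAMPLE_SCPT = (
    "-- Zoom Update SDK\n"
    'display dialog "Update installed successfully"\n'
    + "\n" * 400
    + 'do shell script "echo placeholder-payload"\n'
)

# AppleScript constructs that hand control to a shell or fetch remote content.
SUSPICIOUS = re.compile(
    r"\b(do shell script|curl\b|osascript|base64|chmod\s+\+x)", re.IGNORECASE
)

def longest_blank_run(lines):
    best = cur = 0
    for line in lines:
        cur = cur + 1 if line.strip() == "" else 0
        best = max(best, cur)
    return best

def analyze_script(text, min_padding=50):
    """Triage one AppleScript source: report the longest blank-line run, how
    many code lines sit after a run of at least min_padding blank lines, and
    which of those lines invoke a shell or downloader."""
    lines = text.splitlines()
    hidden, run, past_padding = [], 0, False
    for number, line in enumerate(lines, 1):
        if line.strip() == "":
            run += 1
            past_padding = past_padding or run >= min_padding
            continue
        run = 0
        if past_padding:
            hidden.append((number, line.strip()))
    flagged = [(n, l) for n, l in hidden if SUSPICIOUS.search(l)]
    padding = longest_blank_run(lines)
    return {
        "padding_lines": padding,
        "hidden_code_lines": len(hidden),
        "suspicious_after_padding": flagged,
        "verdict": "suspicious" if padding >= min_padding and flagged else "clean",
    }

if __name__ == "__main__":
    print(analyze_script(SAMPLE_SCPT))
```

The heuristic only fires when shell-invoking code sits behind a large blank run, so a short, fully visible script that legitimately calls `do shell script` is reported as clean.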

How to prevent losses

As a post-incident measure, Monahan advises anyone who may have clicked on such a link or opened a suspicious file to immediately disconnect from Wi-Fi and power down the affected device.

Using a separate, uncompromised device, victims should transfer their crypto assets to new wallets, change all login credentials, and activate two-factor authentication wherever possible.

She also stressed the importance of locking down Telegram accounts, advising users to log in via a phone, go to settings, terminate all active sessions except the current one, change the password, and enable multifactor authentication.

Most critically, Monahan urged victims to alert their contacts right away, as the attackers often use access to Telegram accounts to identify and target the next round of victims.

“If they hack your Telegram, you need to TELL EVERYONE ASAP. You are about [to] hack your friends. Please put your pride aside and SCREAM abt it,” she added.

A recurring attack vector

North Korean hackers, who are believed to be behind some of the largest crypto thefts in recent years, including the $1.5 billion Bybit hack, have increasingly used these malicious Zoom tactics to infiltrate high-profile targets throughout 2025.

One such case in September involved THORChain co-founder JP Thor, who reportedly lost around $1.3 million after falling for a similar scam. 

A malicious script triggered during the fake Zoom call accessed his iCloud storage, extracted his MetaMask wallet credentials, and drained funds, all without triggering any security prompts or admin warnings.

Beyond Zoom calls, these hackers have even employed other complex attack vectors, such as embedding malware directly within Ethereum and BNB smart contracts to stealthily siphon cryptocurrencies.

The post North Korean hackers use malicious Zoom calls to target crypto users on Telegram appeared first on Invezz
