North Korean Hackers Use ‘Fake Zoom’ Tactics To Steal $300M From Crypto Wallets
North Korean hackers are stealing from investors using “fake Zoom” tactics to extract their passwords and private keys, and have already drained $300 million from victims’ crypto wallets.
Cybersecurity firm Security Alliance (SEAL) warned on X that it has been tracking “multiple daily” such attempts by hackers.
MetaMask Security Researcher Sounds Alarm
The warning from SEAL comes after MetaMask security researcher Taylor Monahan first flagged the losses via a sophisticated trap.
“DPRK threat actors are still rekting way too many of you via their fake Zoom / fake Teams meets,” Monahan wrote. “They’re taking over your Telegrams -> using them to rekt all your friends. They’ve stolen over $300m via this method already.”
According to the researcher, the scam usually starts with the attackers sending a Telegram message to victims. To avoid suspicion and get victims to lower their guard, the cybercriminals send the messages from accounts that look like they belong to someone the victim knows.
They also “message everyone with prior conversation history,” Monahan said.
The hacker then eventually guides the victim to a Zoom link using the scheduling app Calendly. Once the meeting starts, the victim sees a live video feed of their contact and other team members.
Cybercriminals have often turned to deepfake technology to carry out such attacks. This technology lets them create avatars that look like someone else, whether a celebrity or a person the victim knows.
In the latest attacks, however, the DPRK threat actors simply play pre-recorded meetings to trick victims during the Zoom call.
Once the victim has clicked on the link and joined the Zoom meeting, the attacker complains about a lack of audio clarity, and tells the victim to download a “patch” file that is sent via the in-call chat.
The other people in the video start to look confused and a bit annoyed, according to Monahan.

Example fake Zoom call (Source: X)
The attacker then says that the file will fix the audio problem by updating a software development kit (SDK). This “update” is often named “Zoom Update SDK.scpt” and runs as an AppleScript, the researcher noted.
That file contains malware, often a Remote Access Trojan (RAT). It gives the attacker remote access to the victim’s sensitive data, including internal security protocols and passwords, and eventually drains the victim’s crypto wallet completely.
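The lure described above is a plain AppleScript file with a name borrowed from meeting software. The following triage helper, added here as an example and not taken from the article or from any vendor tool, walks a download folder and flags AppleScript files whose names mimic a meeting-software “patch” (the keyword list is a constructed heuristic built from the “Zoom Update SDK.scpt” name and the fake-Teams variant the article mentions); the sample directory it builds contains placeholder files, not malware.

```python
import os
import re
import tempfile
from pathlib import Path

# File extensions AppleScript sources carry; ".scpt" is the one named in the article.
SCRIPT_EXTENSIONS = {".scpt", ".applescript"}

# Constructed lure vocabulary (an assumption for this example): the article's
# "Zoom Update SDK" name plus the fake-Teams / audio-fix pretext it describes.
LURE_PATTERN = re.compile(r"\b(zoom|teams|sdk|update|patch|audio)\b", re.IGNORECASE)


def is_suspicious_script(path) -> bool:
    """True when the file is an AppleScript whose name mimics a meeting-software patch."""
    p = Path(path)
    if p.suffix.lower() not in SCRIPT_EXTENSIONS:
        return False
    return LURE_PATTERN.search(p.stem) is not None


def find_suspicious_scripts(root) -> list:
    """Walk root (for example ~/Downloads) and return sorted relative paths of flagged files."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            if is_suspicious_script(candidate):
                hits.append(str(candidate.relative_to(root)))
    return sorted(hits)


def build_sample_dir() -> str:
    """Constructed sample folder: one lure-named script, one benign script, one text file."""
    d = tempfile.mkdtemp(prefix="scpt-triage-")
    (Path(d) / "Zoom Update SDK.scpt").write_text("-- constructed placeholder, not malware\n")
    (Path(d) / "rename_photos.scpt").write_text("-- benign personal automation\n")
    (Path(d) / "meeting-notes.txt").write_text("Zoom update discussion\n")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for hit in find_suspicious_scripts(sample):
        print("review before opening:", hit)
```

The name check is deliberately narrow: it surfaces files that warrant a second look before anyone double-clicks them, and a hit on a script that arrived through a meeting chat is exactly the signal the article describes. Legitimate Zoom and Teams updates are delivered by the applications themselves, not as scripts dropped into a call.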
“They will eventually take all your crypto,” Monahan wrote. After extracting the victim’s passwords, crypto, company/protocol information, and their Telegram account, the attackers go on to impersonate the victim in similar attacks against their friends.
Anyone who has clicked the link and downloaded the “update” has been advised to disconnect from Wi-Fi, turn the computer off, and stop using it. While the computer is off, Monahan said, victims should move their crypto out of the compromised wallets using a phone or tablet.
The researcher also said that victims should change all of their passwords and rotate their AWS keys.
“Wipe the computer completely before using it again,” Monahan said.
To regain control of their Telegram account, the researcher said users should open Telegram on their phone, go to “Settings,” then “Devices,” and choose “Terminate all other sessions.”
Victims should then also change their Telegram password and add or update two-step verification for extra security.
North Korean Hackers a Threat to the Crypto Space in Recent Years
Hackers from North Korea have been linked to some of the biggest crypto hacks in the market’s history. One of the most notable hacking groups, the infamous Lazarus Group, has generated billions of dollars in revenue through a series of high-profile hacks.
Just last month, the Lazarus Group orchestrated a major crypto breach that drained approximately $30.6 million from Upbit, South Korea’s largest crypto exchange.
North Korean hackers have also started infiltrating crypto companies through elaborate job application schemes and fake interview processes.