
North Korean cybercriminals have implemented a strategic shift in their social engineering campaigns. They stole more than $300 million by impersonating trusted industry figures in fake video meetings.
Information security researcher Taylor Monahan of MetaMask, known as “Tayvano”, has described an elaborate fraud scheme built on “long-standing deceptions” and aimed at managers of cryptocurrency companies.
Monahan said this campaign differs from recent attacks that rely on artificial intelligence and deepfakes.
Rather, it uses a simple method based on hacked Telegram accounts and video footage recreated from actual interviews.
The attack usually begins after the attackers take over a trusted Telegram account, often belonging to an investor or someone who had previously met the victim at a conference.
Next, attackers leverage previous chat history to appear trustworthy, then direct the victim to a Zoom or Microsoft Teams video call through a hidden link.
When the meeting begins, the victim sees what appears to be live video from their contact. But in reality, it is often a re-recording of a podcast or public appearance.
The critical moment usually comes after the attacker feigns a technical problem.
After pointing out audio or video problems, the attacker invites the victim to restore the connection by downloading a specific script or updating a software development kit (SDK). The file downloaded at this point contains the malicious payload.
Once installed, the malware, often a remote access trojan (RAT), gives the attacker complete control of the victim's machine.
It drains cryptocurrency wallets and exfiltrates sensitive data, including internal security protocols and Telegram session tokens, which are then used to target the next victims in the network.
Monahan warned that this method specifically uses professional courtesy as a weapon.
Hackers rely on the psychological pressure of a “business meeting” to push the victim into making the wrong decision, turning a routine help request into a disastrous security breach.
Industry participants must now consider any request to download software during a call as an indicator of an active attack.
At the same time, the “mock meeting” strategy is part of a broader attack campaign by Democratic People’s Republic of Korea (DPRK) actors, who stole almost $2 billion from this sector during the past year, including the Bybit hack.