Crypto Firms Face Daily ‘Fake Zoom’ Attacks Linked To North Korea, Experts Say

bitcoinistPublished on 2025-12-16Last updated on 2025-12-16

North Korean-linked hackers are using fake Zoom calls to drain crypto wallets in what security researchers say has become a near-daily threat to the cryptocurrency community. According to multiple security reports, the campaign has already netted roughly $300 million in stolen funds and shows few signs of slowing.

Fake Zoom Meetings Used To Drain Wallets

According to Security Alliance (SEAL) and other researchers, attackers first contact targets through messaging apps such as Telegram. They then invite victims to a video call that looks legitimate.

During the call, the impostors claim there is a problem with sound or video and offer a “fix” — a file or a link that appears to be an official update. When the victim runs the file, malware installs and begins stealing credentials, browser data, and crypto keys.

Several attacks are reported every day, and many follow the same pattern. Researchers say these staged calls let attackers bypass normal caution because people tend to trust someone they see on camera.

NimDoor, Other Malware Strains Target macOS And Wallets

Based on reports, one strain tied to these schemes is NimDoor, a macOS backdoor that can harvest keychain items, browser-stored passwords, and messaging data.

Security teams link NimDoor and related tools to BlueNoroff, a group connected to the Lazarus Group network. BlueNoroff has a long record of attacking crypto firms and exchanges.

Once the malware is in place, wallets have been emptied within minutes. Victims often discover the theft only after seeing outgoing transactions on the blockchain.

Total crypto market cap currently at $2.93 trillion. Chart: TradingView

Deepfakes And Calendar Invites Make Scams More Convincing

Researchers warn that attackers are not simply using fake names. They are also deploying AI-assisted deepfake video and voice tools to impersonate executives or known contacts.

Attackers sometimes send calendar invites that look like genuine meeting requests from platforms such as Calendly, directing targets to attacker-controlled Zoom links.

The level of social engineering makes the calls seem urgent and official, which reduces the time victims take to question what they are being asked to install.

Attackers Target Individuals And Small Firms Alike

Reports have disclosed that victims include individual traders, startup employees, and small teams at crypto companies. Losses are concentrated but widespread, with estimates around $300,000,000.

Some victims have lost funds tied to browser wallets and hot wallets; others had recovery phrases captured and used to drain accounts.

Security teams urge quick action when a suspicious update is offered during a remote session: They warn not to run it, verify separately, and treat unsolicited meeting fixes as high risk.

Featured image from Unsplash, chart from TradingView

Related Reads

Valuation $1 Billion, Nvidia Doubles Down! Is Prime Intellect Washing Off Its Web3 Label?

Prime Intellect, a decentralized AI infrastructure company founded in 2024, recently announced a $130 million Series A funding round at a $1 billion valuation, with investments from NVIDIA, Intel, and Dell's venture arms. The company claims its annualized recurring revenue (ARR) has exceeded $100 million within a year, serving over 6,000 enterprise clients. Initially rooted in Web3 and decentralized science (DeSci), Prime Intellect has evolved into a full-stack AI training and deployment platform. Its core technology enables distributed training of large language models across globally dispersed, heterogeneous GPU clusters. Key milestones include releasing open-source models like INTELLECT-1 and INTELLECT-3, and launching Prime Intellect Lab, a platform allowing users to train and optimize agentic models without managing their own GPU infrastructure. The company's deep collaboration with hardware giants, particularly NVIDIA, extends beyond investment to joint optimization of software (e.g., integrating NVIDIA Dynamo) and hardware systems. A notable commercial case involves fintech company Ramp using Prime Lab to train a specialized agent, demonstrating the platform's applied value. While achieving rapid commercial growth, Prime Intellect has systematically downplayed its earlier Web3 and token-based incentives from its official documentation, repositioning itself as a mainstream AI infrastructure provider focused on enterprise adoption and potential IPO.

Foresight News12m ago

Valuation $1 Billion, Nvidia Doubles Down! Is Prime Intellect Washing Off Its Web3 Label?

Foresight News12m ago

After 13% Daily Distribution, Why Did SATA Still Fall?

Strive Asset Management's BTC-linked preferred stock SATA transitioned from monthly to daily dividend distributions on June 16, with a current annualized yield of 13%. Despite this change, SATA's price fell approximately 9.9% from June 22 to June 26. The analysis highlights that this decline reflects fundamental credit and structural risks, not simply dividend frequency. SATA represents a perpetual, cumulative preferred equity interest in Strive, not a direct Bitcoin-backed bond. Its dividends depend on Strive's corporate credit and access to capital markets. While Strive's Bitcoin holdings grew from 15,009 to 19,864 BTC between May 12 and June 18, SATA's outstanding shares grew faster (from ~4.96 million to ~7.83 million). Coupled with a drop in BTC price, the pure Bitcoin coverage ratio for SATA's stated amount fell from ~2.44x to ~1.52x. A further ~34.3% decline in BTC to ~$39,416 would bring this coverage to 1.0x. Daily dividends smooth cash flow for investors and reduce dividend-capture trading, but do not eliminate price volatility or credit risk. SATA now trades at a ~12.25% discount to its $100 stated amount, implying a market yield of ~14.81% and a credit spread of ~1,117 bps over SOFR. Key risks include a negative feedback loop if SATA trades below par, making new issuance dilutive; reliance on capital markets for dividend funding despite a ~17-month cash buffer; and the perpetual nature of the security, where dividends can be deferred. In summary, SATA innovates by providing daily income from a Bitcoin-focused corporate balance sheet, but its recent price action underscores its exposure to Bitcoin valuation, company-specific financing risks, and perpetual duration. The market is repricing it from a near-par yield product to a deeply discounted high-risk credit instrument.

marsbit40m ago

After 13% Daily Distribution, Why Did SATA Still Fall?

marsbit40m ago

Unlocking 20%, $125 Million in Pressure, Can PUMP Hold Up?

"Pump.fun Faces Crucial Test with $125M Token Unlock Despite a cooldown in the meme coin market, Pump.fun remains one of Web3's top revenue-generating protocols, earning $28.4 million in the past 30 days. The platform has accumulated approximately $1.05 billion in total revenue from over 12 million tokens created. The protocol now faces its biggest challenge: the first unlock of team and investor tokens. A total of 82.5 billion PUMP tokens (8.25% of total supply, 20.23% of previous circulating supply), valued at around $125 million, have been unlocked. This potential selling pressure is significant compared to the token's 24-hour trading volume of only $28 million. While Pump.fun uses a portion of its revenue to buy back and burn PUMP tokens, creating buy-side pressure, this support has weakened. The buyback rate was reduced from 100% to 50% of net fees in April 2024. In June 2024, monthly buybacks totaled just $9.2 million, an over 80% drop from its peak. At this rate, selling just 7% of the newly unlocked tokens would offset a full month of buybacks. Furthermore, this unlock is only the first batch; team and investors still hold another 247.5 billion locked PUMP tokens, with 240 billion community tokens awaiting a release schedule. Despite these headwinds, PUMP is argued to be a relatively scarce asset in the current market. With a $610 million market cap against $28.4 million in monthly revenue, its valuation is lower than competitors like Hyperliquid. The investment thesis for PUMP is not betting on a single meme coin but on the persistent activity of the meme market and Pump.fun's ability to maintain its position as a key platform. The conclusion suggests that while the unlock tests short-term price resilience, the protocol's underlying revenue strength will determine PUMP's long-term trajectory, potentially making the current dip a viable entry point for long-term accumulation."

Odaily星球日报52m ago

Unlocking 20%, $125 Million in Pressure, Can PUMP Hold Up?

Odaily星球日报52m ago

Aave Withdrawal, TVL Plunges: Where is MegaETH's Valuation Anchor?

MegaETH, once a highly anticipated new blockchain, has seen a dramatic decline in its Total Value Locked (TVL) and token price. According to DefiLlama data, its TVL plummeted nearly 60% in 24 hours, falling to just over $30 million from a May peak, with the Aave V3 protocol withdrawing 80% of its liquidity. The MEGA token price dropped to around $0.048, with a market cap of ~$54 million and a fully diluted valuation (FDV) of ~$480 million. The analysis identifies three key mismatches between MegaETH's valuation and its fundamentals. First, its high FDV contrasts with minimal real usage: low protocol revenue (~$90k/30 days) and few daily active addresses. Second, its DeFi narrative is contradicted by its revenue structure, where a collectible card game (Monster) generates most income, not major DeFi protocols like Aave. Third, initial hype from VC backing and airdrop farming has faded without sustained user adoption or clear applications. The TVL was heavily concentrated in Aave and largely driven by cyclical arbitrage strategies involving stablecoins like USDm and USDe. As the yield for these strategies diminished, funds rapidly exited. The departure of this speculative capital has exposed a lack of substantial, organic ecosystem activity. While the sharp drop could be seen as a correction from inflated expectations, the article suggests MegaETH's valuation lacks a solid foundation. Future price movements may rely on short-term market sentiment rather than genuine improvement in network fundamentals, such as increased real usage, a diversified application ecosystem, and consistent user growth. The situation reflects a broader market trend of demanding clearer value propositions beyond just high TVL figures.

marsbit1h ago

Aave Withdrawal, TVL Plunges: Where is MegaETH's Valuation Anchor?

marsbit1h ago

Trading

Spot
活动图片