North Korean-linked hackers are using fake Zoom calls to drain crypto wallets in what security researchers say has become a near-daily threat to the cryptocurrency community. According to multiple security reports, the campaign has already netted roughly $300 million in stolen funds and shows few signs of slowing.
Fake Zoom Meetings Used To Drain Wallets
According to Security Alliance (SEAL) and other researchers, attackers first contact targets through messaging apps such as Telegram. They then invite victims to a video call that looks legitimate.
During the call, the impostors claim there is a problem with sound or video and offer a “fix” — a file or a link that appears to be an official update. When the victim runs the file, malware installs and begins stealing credentials, browser data, and crypto keys.
Several attacks are reported every day, and many follow the same pattern. Researchers say these staged calls let attackers bypass normal caution because people tend to trust someone they see on camera.
SEAL is tracking multiple DAILY attempts by North Korean actors utilizing “Fake Zoom” tactics for spreading malware as well as escalating their access to new victims.
Social engineering is at the root of the attack. Read the thread below for pointers on how to stay secure. https://t.co/2SQGdtPKGx
— Security Alliance (@_SEAL_Org) December 13, 2025
NimDoor, Other Malware Strains Target macOS And Wallets
Based on reports, one strain tied to these schemes is NimDoor, a macOS backdoor that can harvest keychain items, browser-stored passwords, and messaging data.
Security teams link NimDoor and related tools to BlueNoroff, a group connected to the Lazarus Group network. BlueNoroff has a long record of attacking crypto firms and exchanges.
Once the malware is in place, wallets have been emptied within minutes. Victims often discover the theft only after seeing outgoing transactions on the blockchain.
Deepfakes And Calendar Invites Make Scams More Convincing
Researchers warn that attackers are not simply using fake names. They are also deploying AI-assisted deepfake video and voice tools to impersonate executives or known contacts.
Attackers sometimes send calendar invites that look like genuine meeting requests from platforms such as Calendly, directing targets to attacker-controlled Zoom links.
The level of social engineering makes the calls seem urgent and official, which reduces the time victims take to question what they are being asked to install.
Attackers Target Individuals And Small Firms Alike
Reports have disclosed that victims include individual traders, startup employees, and small teams at crypto companies. Losses are concentrated but widespread, with estimates around $300,000,000.
Some victims have lost funds tied to browser wallets and hot wallets; others had recovery phrases captured and used to drain accounts.
Security teams urge quick action when a suspicious update is offered during a remote session: They warn not to run it, verify separately, and treat unsolicited meeting fixes as high risk.
Featured image from Unsplash, chart from TradingView
