Cybersecurity experts are warning cryptocurrency users about a rapidly escalating social-engineering threat.
According to the Security Alliance (SEAL), North Korean hackers are increasingly using fake Zoom meetings to distribute malware and steal digital assets. The nonprofit says it is now tracking several such scam attempts every day. These operations are highly targeted and designed to exploit trust within professional and social networks.
Rising Losses Trigger Alarm
SEAL researcher Taylor Monahan said the scale of the damage is already significant. She estimates that more than $300 million has been stolen through this tactic so far.
The scale of the losses underscores how quickly the scheme has evolved. As crypto adoption expands, attackers are shifting away from purely technical exploits and instead refining methods that rely on human trust and familiarity.
How the Scam Unfolds on Zoom
According to Monahan, the attack typically begins on Telegram. Victims receive messages from accounts that appear to belong to people they already know, lowering suspicion and encouraging conversation.
Over time, the exchange naturally moves toward reconnecting on a Zoom call. Shortly before the meeting, the attacker shares a link that appears legitimate and does not immediately raise red flags.
Once the call begins, the setup looks convincing. Victims often see familiar faces, sometimes joined by what appear to be colleagues or business partners.
Monahan emphasized that these visuals are not created using artificial intelligence or deepfake technology. Instead, hackers rely on real video footage taken from prior hacks or publicly available recordings, such as podcasts.
After a brief interaction, the attackers claim there are audio problems. To resolve the issue, they send a file described as a routine software patch or update.
Opening the file installs malware on the victim’s device. The attackers then end the call calmly, often suggesting they reconnect at a later time.
What Hackers Gain After Infection
Although the interaction ends quietly, the compromise is already underway. Once the malware is active, attackers gain broad access to the system.
Monahan said this can include passwords, private keys, and cryptocurrency wallets, as well as sensitive company data and internal tools.
Telegram accounts are a primary target. After taking control, attackers review stored contacts and impersonate the victim to approach new targets, allowing the scam to spread rapidly through trusted networks.
Urgent Steps After Clicking a Malicious Link
Monahan stressed that speed is critical after any suspected exposure. She advised users to disconnect from the internet immediately and power down the affected device.
Using a separate, clean device, victims should transfer funds to new wallets and immediately change all account passwords. Where available, two-factor authentication should be enabled.
Before the compromised device is reused, it must undergo a complete memory wipe to remove any lingering malware.
Why Telegram Security Matters
Telegram plays a central role in the spread of the scam, making account security especially important. Monahan urged users to review active sessions in Telegram’s settings and terminate any unfamiliar connections immediately.
Passwords should be changed, and multifactor authentication enabled. If an account is compromised, users should notify their contacts immediately.
Failing to do so, Monahan warned, allows attackers to exploit trusted relationships and expand the campaign.
SEAL noted that the campaign highlights ongoing risks across the cryptocurrency sector, where social engineering remains one of the most effective attack methods.
The organization continues to monitor activity diligently and advises users to exercise caution when receiving unexpected meeting requests, even if they appear to originate from familiar contacts.
Disclaimer: This content is informational and should not be considered financial advice. The views expressed in this article may include the author's personal opinions and do not reflect The Crypto Basic's opinion. Readers are encouraged to do thorough research before making any investment decisions. The Crypto Basic is not responsible for any financial losses.

