North Korean cybercriminals have made a strategic pivot in their social engineering campaigns, stealing more than $300 million by posing as trusted industry figures in fake video meetings.
MetaMask security researcher Taylor Monahan (known online as Tayvano) has described in detail a complex “long con” targeting leaders in the cryptocurrency sector.
How North Korean fake meetings are draining funds from crypto wallets
According to Monahan, this campaign differs from the recent wave of attacks built on AI deepfakes.
The approach here is more straightforward: hijacked Telegram accounts and replayed video clips cut from real interviews.
The attack usually begins when the attackers take control of a trusted Telegram account, often one belonging to a venture capitalist or to someone the victim has previously met at a conference.
They use the existing chat history to appear credible and steer the victim to a Zoom or Microsoft Teams video call through a disguised Calendly link.
Once the meeting starts, the victim sees what appears to be a live video feed of their acquaintance; in reality it is often a replayed recording from a podcast or public appearance.
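The disguised scheduling link is the step that moves the victim out of the hijacked chat and into the call, so it is the cheapest place to add a check. The following is an added example written for this article, not code from Monahan, MetaMask or the reported campaign: it classifies a meeting-invite link as trusted or suspicious using an assumed allow-list of meeting providers and a few common disguise patterns (look-alike subdomains, a trusted name in the userinfo part before "@", punycode hosts, plain HTTP). The sample links are constructed for the demo and are not from the actual attack.

```python
"""Flag meeting-invite links that only look like Calendly/Zoom/Teams.

Added example for this article, not Tayvano's or MetaMask's code. The
allow-list, the sample links and the heuristics are assumptions chosen
for illustration; they are not taken from the reported campaign.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Hosts a scheduling or meeting link is legitimately expected to land on.
# Assumed list for illustration; tune it to the tools your team uses.
TRUSTED_HOSTS = {
    "calendly.com",
    "zoom.us",
    "teams.microsoft.com",
    "teams.live.com",
}


def _trusted_parent(host: str) -> str | None:
    """Return the trusted host that `host` equals or is a subdomain of."""
    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return trusted
    return None


def classify_invite_link(url: str) -> tuple[str, list[str]]:
    """Classify a link as 'trusted' or 'suspicious' and explain why.

    The checks are deliberately conservative: anything that is not plainly
    a trusted host over HTTPS is flagged. The verdict is a prompt to verify
    the invite out of band, not proof of an attack.
    """
    reasons: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if not host:
        reasons.append("no host in URL")
        return "suspicious", reasons
    if parts.username is not None:
        # https://calendly.com@evil.example/ actually goes to evil.example
        reasons.append("userinfo before host (look-alike prefix trick)")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label in host (possible homoglyph domain)")

    if _trusted_parent(host) is None:
        # Catch calendly.com.evil.example and similar brand-in-host tricks
        for name in TRUSTED_HOSTS:
            brand = name.split(".")[0]
            if brand in host:
                reasons.append(
                    f"host {host} contains '{brand}' but is not under {name}"
                )
                break
        else:
            reasons.append(f"host {host} is not a known meeting provider")

    return ("suspicious" if reasons else "trusted"), reasons


# Constructed sample links for the demo (not from the reported campaign).
SAMPLE_LINKS = [
    "https://calendly.com/someone/30min",                      # trusted
    "https://us02web.zoom.us/j/1234567890",                    # trusted
    "https://calendly.com.meeting-sync.example/someone/30min",  # subdomain trick
    "https://calendly.com@meeting-sync.example/someone/30min",  # userinfo trick
    "https://xn--calendy-8ya.com/someone/30min",               # punycode host
    "http://zoom.us/j/1234567890",                             # plain HTTP
]


def triage(links: list[str]) -> dict[str, tuple[str, list[str]]]:
    """Classify every link in `links`, keyed by the original URL."""
    return {link: classify_invite_link(link) for link in links}


if __name__ == "__main__":
    for link, (verdict, why) in triage(SAMPLE_LINKS).items():
        print(f"{verdict.upper():10} {link}  {'; '.join(why)}")
```

The allow-list approach is intentionally strict: a link the classifier cannot place under a known provider is treated as suspicious even when it may be legitimate, because the cost of confirming an invite through a second channel is small compared with the cost of joining a staged call.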
The decisive moment usually follows a staged technical problem.
Citing audio or video trouble, the attacker pressures the victim to restore the connection by downloading a specific script or updating a software development kit (SDK). The delivered file carries the malicious code.
Once installed, the malware, often a Remote Access Trojan (RAT), gives the attacker full control of the computer.
It drains cryptocurrency wallets and steals sensitive information, including internal security protocols and Telegram session tokens, which are then used to target the next victim in the network.
Monahan warns that this attack method weaponizes professional courtesy.
The attackers exploit the psychological pressure of a 'business negotiation', which leads to a lapse in judgment and turns what looks like a routine support request into a serious security breach.
For industry players, any request to download software during a call should now be treated as an active sign of an attack, whoever appears to be on the other end; the safer move is to end the call and re-contact the person through a channel other than the account that sent the invite.
This 'fake meeting' tactic is part of a broader campaign by actors backed by the Democratic People's Republic of Korea (DPRK), who are estimated to have stolen $2 billion from the industry over the past year, including in the Bybit incident.
