Warning! North Korean hackers are using fake Zoom/Teams meeting links, sent from hijacked acquaintances' accounts, to carry out large-scale fraud.
The cybersecurity company Security Alliance (SEAL) and independent researchers recently warned that North Korean hackers are using fake Zoom/Teams meeting links to deliver malware that steals victims' cryptocurrency wallet private keys and seed phrases (mnemonics), saved passwords, cloud credentials, and Telegram accounts.
SEAL says it is tracking the associated threat actors, who attempt several times a day to push malware through fake Zoom/Teams meeting links and use each compromised account to reach new victims; the campaign has caused more than $300 million in financial losses so far.
Analysis shows that the attackers' entry point is highly deceptive. They first take full control of the Telegram account of someone the victim knows, then use that account to message the victim with an invitation to a meeting.
Once the victim joins, the attacker plays previously recorded video of real people to fake the presence of other participants, then uses excuses such as "audio issues" or "a required software update" to get the victim to download a malicious file disguised as a "Zoom SDK update". A genuine meeting never requires installing an update handed to you through the chat.
Once installed, the file immediately compromises the device, stealing the victim's cryptocurrency wallet private keys, saved account passwords and cloud service credentials, and even taking over the victim's own Telegram account, with all the digital assets and permissions behind it; that account can then be used to lure the victim's own contacts in the same way.
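The entry point of the attack is a meeting link that only looks like Zoom or Teams. The Python script below is an added example, not code from SEAL or from the original article; it shows a link-triage check that a security team (or a careful individual) can run over an invitation before clicking. It rejects links that are not HTTPS, that hide the real host behind a user-info prefix, that use punycode hosts, that point at an installer rather than a meeting, or whose host is not on a small allow-list of official meeting domains. The allow-list, the installer-extension list and the sample links are constructed for illustration; adjust the allow-list to the meeting providers your organisation actually uses.

```python
"""Triage meeting invitations before clicking them.

Added example (hypothetical): ALLOWED_SUFFIXES, INSTALLER_EXTENSIONS and the
SAMPLE_LINKS below are constructed for illustration, not taken from SEAL or
from any real incident data.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumption: registrable domains the official Zoom and Teams meeting links use.
# Keep this list short and exact; a lookalike such as "zoom-us.com" must not match.
ALLOWED_SUFFIXES = ("zoom.us", "teams.microsoft.com", "teams.live.com")

# A meeting link never points at an installer. Anything below is a download,
# which is exactly what the "Zoom SDK update" lure relies on.
INSTALLER_EXTENSIONS = (".exe", ".msi", ".scr", ".dmg", ".pkg", ".app", ".zip")


def host_allowed(host: str) -> bool:
    """True only if host is exactly an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def check_meeting_link(url: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is False for anything that should not be clicked."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:  # e.g. malformed IPv6 bracket in the host
        return False, f"unparseable URL: {exc}"

    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, expected https"

    host = parts.hostname or ""  # urlsplit already lowercases the hostname
    if not host:
        return False, "no host in URL"

    # https://zoom.us@evil.example/... : the text before '@' is user-info, the
    # real host is what follows it.
    if parts.username is not None or parts.password is not None:
        return False, f"user-info before host; real host is {host!r}"

    # Punycode labels can render as homoglyphs of the real domain.
    if host.startswith("xn--") or ".xn--" in host:
        return False, f"punycode/IDN host {host!r} (possible homoglyph)"

    if parts.path.lower().endswith(INSTALLER_EXTENSIONS):
        return False, "link points at an installer, not a meeting"

    if not host_allowed(host):
        return False, f"host {host!r} is not an official Zoom/Teams domain"

    return True, f"host {host!r} is on the allow-list"


def triage(links: list[str]) -> list[tuple[str, bool, str]]:
    """Run the check over a batch of links and return (url, ok, reason) rows."""
    return [(u, *check_meeting_link(u)) for u in links]


# Constructed sample invitations, not real campaign indicators.
SAMPLE_LINKS = [
    "https://us05web.zoom.us/j/1234567890",
    "https://teams.microsoft.com/l/meetup-join/abc",
    "https://zoom-us.com/j/1234567890",
    "https://zoom.us.evil.example/j/1",
    "https://zoom.us@evil.example/j/1",
    "http://zoom.us/j/1",
    "https://us05web.zoom.us/downloads/ZoomSDKUpdate.dmg",
    "https://xn--zm-fka.us/j/1",
]

if __name__ == "__main__":
    for url, ok, reason in triage(SAMPLE_LINKS):
        print(f"{'OK  ' if ok else 'STOP'} {url}  ({reason})")
```

Only the first two sample links pass; the rest are rejected for a different reason each. The check is deliberately conservative: a link to a genuine Zoom download page is also flagged, because the point is that a meeting invitation should never carry an installer, whoever appears to send it.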
Notably, this pattern of luring victims into a fake meeting and then pushing a download closely matches the known modus operandi of the North Korea-backed Lazarus group.
Security experts stress that these highly customized social engineering attacks routinely bypass conventional technical defenses, so personal vigilance is the last line of defense: verify an unexpected invitation out of band (a phone call or a second channel the sender is known to use) before joining, and never install anything a meeting participant asks you to download.
Industry leaders, including the founder of Binance, have issued similar warnings over the past year, indicating that such attacks have become a systemic threat to the cryptocurrency industry.
If a user has clicked a suspicious link or run such a file, treat it as a full compromise and respond at the highest level immediately: disconnect the device from the network, then shut it down and isolate it.
From a separate, known-clean device, move funds to wallets whose keys never touched the infected machine (assume every private key and seed phrase stored there is already stolen), change all account passwords in bulk, and terminate active sessions and tokens (Telegram's active sessions, cloud access keys) so that credentials already exfiltrated stop working; do not use the infected device again until the operating system has been completely reinstalled.