North Korean Hackers Drain Over $300 Million in Crypto Through Elaborate Fake Video Call Scams

By Nasos Alevizos

December 21, 2025

Cybercriminals linked to North Korea's Lazarus Group have reportedly stolen more than $300 million in cryptocurrency by posing as legitimate business contacts during fraudulent Zoom and Microsoft Teams calls.


Security experts highlight this tactic as a highly effective social engineering attack, primarily aimed at cryptocurrency executives and professionals.


The alert stems from detailed observations shared by Taylor Monahan, a security researcher at MetaMask (known online as Tayvano), who described the scheme as a patient "long-con" operation.


Unlike recent trends involving AI-generated deepfakes, these attacks rely on simpler but convincing methods: compromised Telegram accounts and pre-recorded video clips from genuine sources, such as podcasts or previous interviews.


#### How the Scam Unfolds


The process often begins with hackers gaining access to a trusted individual's Telegram account—typically a venture capitalist, investor, or someone the target has interacted with at industry events.


Using the account's existing conversation history for credibility, the attackers reach out and propose a video meeting, directing the victim to a fake scheduling link (often mimicking Calendly) that leads to a Zoom or Teams session.


During the call, the victim views a seemingly live video of the contact (and sometimes colleagues), which is actually looped footage.


To escalate the deception, the attackers simulate a "technical glitch"—claiming issues with audio or video quality.


They then instruct the victim to download a "fix," such as a software patch, updated SDK, or troubleshooting script.


This file harbors malware, frequently a Remote Access Trojan (RAT), which provides full system access upon installation.


Once compromised, attackers quietly extract cryptocurrency from wallets, steal passwords, capture sensitive company data, and hijack Telegram sessions to propagate the attack to the victim's contacts.


Monahan emphasized that these hackers exploit the norms of professional interactions, pressuring victims into quick decisions during what feels like an urgent business discussion.


#### Expert Warnings and Broader Context


Monahan has urged the crypto community to view any in-call request to install or download software as an immediate red flag signaling an ongoing attack.


The cybersecurity nonprofit Security Alliance (SEAL) has also noted multiple daily attempts using similar "fake meeting" tactics.


This method contributes to North Korea's larger cyber campaign, with estimates suggesting DPRK-linked groups stole around $2 billion from the crypto sector in 2025 alone, including major incidents like the Bybit exchange breach.


Industry participants are advised to verify meeting invites independently, avoid downloading files during calls, and immediately isolate potentially compromised devices by disconnecting from networks and using secondary devices to secure assets.
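One practical form of "verify meeting invites independently" is to check where a scheduling or meeting link actually points before clicking it. The following is an added example written for this article (not code from the researchers or organizations it cites): it compares a link's real host against the expected services and flags hosts that merely contain a brand name, the pattern of the fake Calendly-style links described above. The trusted-domain list and all sample URLs are constructed assumptions.

```python
"""Classify meeting/scheduling links as trusted, lookalike or untrusted.

Added example for the fake-meeting-link pattern described in the article.
Sample URLs below are constructed; the trusted list is an assumption.
"""
from urllib.parse import urlparse

# Registered domains a meeting invite is expected to come from (assumed list).
TRUSTED_DOMAINS = {"calendly.com", "zoom.us", "teams.microsoft.com"}

# Brand strings whose presence in an untrusted host suggests impersonation.
BRAND_KEYWORDS = ("calendly", "zoom", "teams", "microsoft")


def is_trusted_host(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_invite(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for a meeting link.

    'lookalike' means the real host is not trusted, but the authority part
    of the URL contains a brand keyword (hyphenated variants, extra labels,
    or a brand name hidden in the userinfo before an '@').
    """
    try:
        parsed = urlparse(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return "untrusted"
    # hostname ignores userinfo, so "https://calendly.com@evil.example/"
    # correctly yields the host "evil.example".
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "untrusted"
    if is_trusted_host(host):
        return "trusted"
    if any(k in parsed.netloc.lower() for k in BRAND_KEYWORDS):
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    for sample in ("https://calendly.com/someone/30min",
                   "https://calendly-meet.example/book",
                   "https://calendly.com@evil.example/book"):
        print(classify_invite(sample), sample)
```

A link classified as anything other than "trusted" is a prompt to confirm the meeting through a channel the attacker does not control, such as a phone call to the contact, rather than through the Telegram thread that delivered it.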


As these attacks continue to evolve, heightened vigilance and multi-layered security practices remain critical for protecting digital assets in the cryptocurrency space.