North Korean cybercriminals have found a way into crypto wallets that does not rely on brute-force hacking or flashy deepfakes.
Instead, the trap looks like an ordinary work call — familiar faces, routine small talk, and a simple request to fix a technical issue.
By the time victims realise something is wrong, their funds are often already gone.
Fake Video Meetings Turn Trust Into an Entry Point
Security Alliance (SEAL) says it is tracking multiple daily attempts linked to North Korean threat actors using fake Zoom and Microsoft Teams meetings to deliver malware.
The campaigns target crypto founders, developers, investors and anyone with access to digital assets or internal systems.
MetaMask security researcher Taylor Monahan, known online as Tayvano, was among the first to lay out how the scam works and how effective it has become.
She wrote on X,
“They’ve stolen over $300m via this method already. DPRK threat actors are still rekting way too many of you via their fake Zoom / fake Teams meets.”
Hijacked Telegram Accounts Make the Approach Look Legit
The attacks usually begin on Telegram.
Hackers first take control of a real account belonging to someone the victim already knows — a former contact, an investor met at a conference, or a colleague from an earlier project.
Monahan said,
“They message everyone with prior conversation history.”
Using those existing chats, the attacker builds credibility before suggesting a catch-up call.
A Calendly link is shared, leading to what appears to be a standard Zoom or Teams meeting.
Recorded Faces, Real Pressure
Once the call starts, the victim sees a convincing video feed of the known person and, sometimes, other supposed team members.
The footage is not AI-generated.
Instead, it is often looped video taken from podcasts, interviews or public appearances, making it harder to spot anything unusual.
The turning point comes when the attacker claims there is a technical issue, usually poor audio.
A quick fix is offered: download a patch, update an SDK, or run a small script sent through the meeting chat.
That file carries the malware.
From One Click to Full Device Control
If installed, the payload is commonly a Remote Access Trojan.
It quietly gives the attacker control over the device, allowing them to siphon passwords, private keys, internal security documents and Telegram session tokens.
Crypto wallets are typically drained in full.
The stolen Telegram access is then reused to approach the next set of victims, allowing the scam to spread through trusted networks with speed.
Monahan warned that the method exploits professional habits rather than technical weaknesses.
The urgency of a business call and the politeness of wanting to help fix a problem are used to push victims into skipping basic checks.
A Shift From Deepfakes to Long-Con Social Engineering
Cybersecurity researchers see this as a strategic change.
Instead of relying on deepfake videos or mass phishing, North Korean groups are focusing on slower, targeted operations built around real relationships.
Lazarus Group and other DPRK-linked actors have already been tied to fake job interviews and recruitment drives aimed at crypto firms.
Last month, the same group was linked to a US$30.6 million breach at South Korea’s largest exchange, Upbit.
SEAL and other experts say the fake meeting tactic is now one of the most effective tools in that playbook.
Why Crypto Users Are Especially Exposed
Crypto transactions are irreversible, and access often depends on a single device holding private keys.
Once malware is in place, there is little time to react.
Global crypto thefts reached US$2.17 billion by mid-2025, according to industry estimates, with North Korean actors responsible for a significant share.
Experts warn that any request to download software during a video call should now be treated as an active threat, regardless of who appears to be asking.
Immediate Action Can Limit the Damage
Security firms advise anyone who suspects exposure to cut off WiFi immediately and power down the device to interrupt the malware.
Funds should be moved to a new wallet from a clean device, and all related passwords replaced.
A full system wipe is recommended before the compromised machine is used again.
As video calls and messaging apps become everyday tools for the crypto industry, attackers are betting that familiarity will keep lowering defences.
For now, the safest assumption is simple: a routine meeting can be anything but.