North Korean ‘Fake Zoom’ Scam Drains Crypto Wallets, $300M Stolen Already

A social-engineering campaign anchored on “fake Zoom” and “fake Teams” meetings has triggered confirmed losses of $300 million among cryptocurrency professionals and firms. The tactic is part of a wider state-linked offensive that analysts say siphoned more than $2 billion in 2025 and exceeds $6 billion cumulatively in crypto thefts.

Fake Zoom modus operandi and malware mechanics

The campaign begins with compromised Telegram accounts belonging to trusted contacts inside the victim’s professional network, leveraging existing chat history to build credibility before redirecting targets to calendar links for video calls. On the call, adversaries play pre-recorded loops of known industry figures to simulate a live meeting and create pressure to act quickly.

A common escalation is a feigned technical fault that prompts victims to download a file presented as a patch or SDK update, which actually contains a Remote Access Trojan (RAT). A RAT is malware that gives an attacker interactive control over an infected system; once active, it quietly exfiltrates authentication tokens, internal protocols, passwords and private keys, enabling direct transfer of funds and lateral targeting of connected contacts without immediate detection.

The malware is designed for low observability, typically avoiding obvious performance degradation and delaying incident response and forensic detection. Attackers subsequently use harvested session tokens and contact lists to impersonate colleagues and expand the campaign’s reach through fresh trust relationships.

‘Any request to download software during a call should be considered an active attack signal’, Monahan said, reflecting the operational judgment researchers apply when triaging suspected incidents.

Implications for institutions, developers and compliance teams

Funds stolen via this vector are believed to underwrite broader illicit state activity, creating a direct nexus between on-chain thefts and geopolitical finance. For institutions, the incident undercuts custody and operational assumptions: human-mediated credential flows and ad-hoc software installs are single points of failure.

Recommended mitigations are operational and technical. Operationally, teams must verify meeting invitations and software change requests through independent, authenticated channels and enforce “no-install” policies during unscheduled remote sessions. Technically, organizations should require hardware wallets for significant holdings, enforce strong multi-factor authentication, and maintain network segmentation that limits an endpoint’s ability to sign or move funds. Immediate containment steps for suspected compromise include disconnecting the device from networks and powering it off to preserve forensic integrity.

For developers of conferencing and calendaring integrations, the attack highlights the need for metadata validation of calendar links and richer provenance signals for in-app file transfers. Compliance and incident-response functions should incorporate social-engineering scenarios into tabletop exercises and ensure legal and blockchain-forensics playbooks are current.
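The operational rule above (treat a download request during a call as an attack signal, and verify invite links before joining) can be turned into a simple triage check that a chat bot or security team can run over shared links. The following is an added example written for this article, not code from the article, any vendor, or the researchers quoted; the allowlist of conferencing hosts, the installer suffix list, and the chat lines are constructed for illustration, and the lookalike check is a coarse heuristic rather than a complete phishing detector.

```python
"""Triage links from meeting invites and live-call chat (added defender-side example).

Assumptions (constructed for this example): ALLOWED_MEETING_HOSTS is the set of
conferencing providers a team has independently verified, and the sample chat
below is made up to exercise the checks.
"""
import re
from urllib.parse import urlparse

# Conferencing domains the team has verified out-of-band (assumed allowlist).
ALLOWED_MEETING_HOSTS = {"zoom.us", "teams.microsoft.com"}

# File types that a legitimate meeting never requires you to fetch mid-call.
INSTALLER_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".zip", ".sh", ".js", ".scr")

# Reasons that warrant blocking outright rather than just out-of-band verification.
BLOCKING_REASONS = {"lookalike_host", "installer_download"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_matches(host, allowed):
    """True if host is exactly an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def looks_like_lookalike(host, allowed):
    """Coarse heuristic: the host embeds a trusted brand name but is not under that domain."""
    host = host.lower()
    brands = {a.split(".")[0] for a in allowed}  # e.g. "zoom", "teams"
    return any(b in host for b in brands) and not host_matches(host, allowed)


def triage_link(url, during_call=False):
    """Return (verdict, reasons) for one link.

    verdict is "allow", "verify" (confirm through an authenticated channel before
    acting) or "block" (treat as an active attack signal).
    """
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path.lower()

    if parsed.scheme != "https":
        reasons.append("non_https")
    if not host_matches(host, ALLOWED_MEETING_HOSTS):
        reasons.append("host_not_allowlisted")
        if looks_like_lookalike(host, ALLOWED_MEETING_HOSTS):
            reasons.append("lookalike_host")
    if path.endswith(INSTALLER_SUFFIXES):
        reasons.append("installer_download")
        if during_call:
            # The article's rule: a software download requested mid-call is an attack signal.
            reasons.append("download_during_call")

    if any(r in BLOCKING_REASONS for r in reasons):
        return "block", reasons
    if reasons:
        return "verify", reasons
    return "allow", reasons


def triage_chat(lines, during_call):
    """Scan chat lines for links and return every non-"allow" finding."""
    findings = []
    for line in lines:
        for url in URL_RE.findall(line):
            verdict, reasons = triage_link(url.rstrip(".,)"), during_call)
            if verdict != "allow":
                findings.append((url, verdict, reasons))
    return findings


# Constructed sample: a legitimate invite followed by the "audio fix" pretext.
SAMPLE_CHAT = [
    "ops-lead: join here https://us02web.zoom.us/j/1234567890",
    "ops-lead: your audio is broken, grab the fix https://zoom-us-update.example/sdk/patch.exe and rejoin",
]

if __name__ == "__main__":
    for url, verdict, reasons in triage_chat(SAMPLE_CHAT, during_call=True):
        print(f"{verdict.upper():6} {url}  ({', '.join(reasons)})")
```

In practice the allowlist should come from configuration the security team controls, and a "verify" verdict should route the link to an independent channel (a phone call or a known-good directory entry) rather than back into the chat where the request originated.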

The fake Zoom technique illustrates a persistent, low-noise threat that exploits professional trust to convert a single-user compromise into large on-chain thefts. Its success points to gaps in human-centered controls and endpoint hygiene that must be closed to reduce systemic risk to crypto markets. The next verifiable milestone is publication of full forensic reports and confirmed attribution tied to the campaign’s techniques and monetary flows, enabling prioritized mitigation across affected cohorts.
