North Korean Hackers Exploit Zoom Feature to Steal Millions in Cryptocurrency

A new and disturbing cybercrime campaign is targeting cryptocurrency traders and investors, using the familiar video conferencing platform Zoom as an attack vector. Reports from the nonprofit Security Alliance (SEAL) and cybersecurity firm Trail of Bits have exposed a crafty operation orchestrated by North Korean hackers, known for their relentless attacks on the crypto sector. This campaign, dubbed “Elusive Comet,” reveals just how sophisticated social engineering threats have become—and how everyday business tools can become weapons in the wrong hands.
Phishing Bait Masquerading as Business Opportunities
The attackers’ approach is both convincing and subtle. Impersonating venture capitalists or podcast hosts, these hackers first reach out with what appears to be a legitimate business proposition. Victims are often contacted through Calendly links, inviting them to schedule a Zoom meeting to discuss a supposed investment or podcast appearance. The initial communication is designed to appear as an opportunity rather than a threat, lowering the target’s defenses and building a sense of urgency by delaying meeting details until the last minute.
Once the victim joins the scheduled Zoom call, the attackers make their move. They request that the victim share their screen—an ordinary ask in business discussions. But then, leveraging Zoom’s Remote Control feature, the hackers ask for control of the victim’s computer. A deceptive twist makes this request even more dangerous: the attackers change their Zoom display name to “Zoom,” disguising the permission dialog to look like a standard, harmless system notification.
One Click to Total Compromise
Approving that disguised prompt takes a single click, and that click can hand over full control of the victim’s mouse and keyboard. The attackers quickly deploy infostealer malware or remote access trojans (RATs) that search the machine for browser sessions, saved passwords, crypto wallet seed phrases, and other sensitive information. SEAL’s logs attribute “millions of dollars” in stolen funds to these tactics, noting that the criminals rely on a network of fake social media profiles and polished websites to lend credibility to their ruse.
Trail of Bits encountered the attack firsthand. The firm’s CEO received messages from X (formerly Twitter) profiles claiming to be Bloomberg producers, pushing hard for a last-minute Zoom interview about cryptocurrency. On closer inspection, the Zoom meeting links led to consumer-grade accounts, not legitimate corporate ones. The attackers consistently refused to communicate over email, insisting on Zoom, where they could launch their exploit.
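The two machine-checkable indicators the article describes, a meeting link on a consumer-grade host rather than an organisation's vanity subdomain and a participant renamed to look like the Zoom product, can be turned into a small triage script for security teams that review inbound interview or investor invites. The code below is an added example, not code from the article, SEAL or Trail of Bits. It assumes that corporate Zoom accounts normally issue links on an `<org>.zoom.us` vanity subdomain while consumer links use the bare `zoom.us` domain or the regional `usNN`/`usNNweb.zoom.us` hosts; the sample invite and meeting ID are constructed.

```python
"""Triage heuristics for Zoom invites and in-meeting remote-control prompts.

Added example, not code from the original article, SEAL or Trail of Bits.
Assumption: corporate Zoom accounts use <org>.zoom.us vanity links, so a
bare zoom.us / usNNweb.zoom.us link is a signal (not proof) of a consumer
account. Sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Hosts Zoom itself uses for consumer/default links (assumption: the bare
# domain plus the regional usNN / usNNweb shards).
_CONSUMER_HOST = re.compile(r"^(www\.)?zoom\.us$|^us\d{2}(web)?\.zoom\.us$")


def is_vanity_zoom_link(url: str) -> Optional[bool]:
    """True for an organisation vanity subdomain, False for a consumer-style
    zoom.us host, None if the URL is not a zoom.us link at all."""
    host = (urlparse(url).hostname or "").lower()
    if host != "zoom.us" and not host.endswith(".zoom.us"):
        return None
    return not _CONSUMER_HOST.match(host)


def _normalise_name(name: str) -> str:
    # Strip spaces and punctuation so "Z.o.o.m" or "ZOOM " collapse to "zoom".
    return re.sub(r"[^a-z0-9]", "", name.lower())


def impersonates_zoom(display_name: str) -> bool:
    """Flag a participant whose name is, or visually reduces to, 'Zoom',
    which is how the permission dialog is disguised in this campaign."""
    return _normalise_name(display_name).startswith("zoom")


@dataclass
class RemoteControlRequest:
    requester_display_name: str
    requester_is_host: bool


@dataclass
class Invite:
    meeting_url: str
    contact_channel: str  # e.g. "email", "x-dm", "calendly" (constructed labels)
    participants: List[str] = field(default_factory=list)
    remote_control_requests: List[RemoteControlRequest] = field(default_factory=list)


def triage(invite: Invite) -> List[str]:
    """Return a list of human-readable red flags for an invite/meeting."""
    flags = []
    vanity = is_vanity_zoom_link(invite.meeting_url)
    if vanity is False:
        flags.append("meeting link uses a consumer-grade zoom.us host, "
                     "not an organisation vanity subdomain")
    elif vanity is None:
        flags.append("meeting link is not a zoom.us URL")
    if invite.contact_channel != "email":
        flags.append(f"contact initiated over {invite.contact_channel} "
                     "rather than corporate email")
    for name in invite.participants:
        if impersonates_zoom(name):
            flags.append(f"participant {name!r} is named after the Zoom product")
    for req in invite.remote_control_requests:
        who = req.requester_display_name
        suffix = " (name mimics Zoom)" if impersonates_zoom(who) else ""
        host = "host" if req.requester_is_host else "non-host"
        flags.append(f"remote-control request from {host} {who!r}{suffix}; "
                     "treat as hostile unless independently verified")
    return flags


# Constructed sample mirroring the article: a consumer link, an X DM as the
# only channel, and a participant renamed "Zoom" asking for remote control.
SAMPLE = Invite(
    meeting_url="https://us05web.zoom.us/j/81234567890",  # constructed ID
    contact_channel="x-dm",
    participants=["Alex (Bloomberg)", "Zoom"],
    remote_control_requests=[RemoteControlRequest("Zoom", requester_is_host=False)],
)

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("-", flag)
```

The checks are deliberately noisy: an absent vanity subdomain or a non-email first contact is only a prompt to verify the counterpart through a known-good channel, whereas any remote-control request from a participant named "Zoom" is enough to end the call.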
A Flawed Feature Turned Attack Vector
The root of the attack is Zoom’s Remote Control feature, which is designed for collaborative work but can be abused if users aren’t vigilant. Although hosts can disable this function at the account, group, or user level, it is often left on by default in corporate settings. The permission dialog lacks any distinguishing mark to indicate a third-party request, making it easy for users to be tricked by a prompt that looks routine.
Trail of Bits warns that this type of attack is particularly effective because it relies on human behavior, not software bugs. Many professionals are accustomed to quickly approving Zoom notifications, and the attackers exploit this familiarity to bypass even experienced users’ defenses. The firm draws a direct line from this campaign to recent high-profile incidents, such as the $1.5 billion Bybit hack, which also relied on manipulating legitimate workflows rather than exploiting code vulnerabilities.
Protecting Against the Elusive Comet Threat
The broader implication is troubling: as the blockchain industry matures, attackers are shifting their focus from technical exploits to human vulnerabilities. Operational security—protecting the processes and decisions of users—has become just as important as defending against software flaws.
In response, Trail of Bits has taken strong measures, disabling Zoom’s remote control capability and blocking the accessibility permissions that make such attacks possible, without interfering with normal videoconferencing use. They urge organizations and individuals in the crypto sector to do the same, reviewing their Zoom settings and educating users about the dangers of blindly accepting screen-sharing and remote control requests.
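On macOS the Remote Control feature depends on the Accessibility permission, so a managed deny of that single permission is the control the paragraph above describes: remote control can no longer be granted, while audio, video and screen sharing keep working. The script below builds such a PPPC (Privacy Preferences Policy Control) configuration profile with the standard library. It is an added example, not Trail of Bits' or Zoom's own profile. It assumes the Zoom desktop bundle identifier `us.zoom.xos`, reads the app's designated code requirement with `codesign -dr - /Applications/zoom.us.app` when run on a Mac that has Zoom installed, and otherwise emits a clearly labelled placeholder to be replaced before deployment.

```python
"""Generate a macOS PPPC profile that denies Accessibility to the Zoom client.

Added example; not Trail of Bits' or Zoom's own code. Assumptions: Zoom's
bundle ID is us.zoom.xos and the designated code requirement comes from
`codesign -dr - /Applications/zoom.us.app`; when that is unavailable a
placeholder is written that must be replaced before the profile is deployed.
"""
import plistlib
import shutil
import subprocess
import sys
import uuid

ZOOM_BUNDLE_ID = "us.zoom.xos"
ZOOM_APP_PATH = "/Applications/zoom.us.app"
PLACEHOLDER_REQUIREMENT = "<PASTE OUTPUT OF: codesign -dr - /Applications/zoom.us.app>"


def zoom_code_requirement() -> str:
    """Return Zoom's designated requirement, or the placeholder if it cannot be read."""
    if shutil.which("codesign") is None:
        return PLACEHOLDER_REQUIREMENT
    try:
        out = subprocess.run(["codesign", "-dr", "-", ZOOM_APP_PATH],
                             capture_output=True, text=True, check=True)
    except (subprocess.CalledProcessError, OSError):
        return PLACEHOLDER_REQUIREMENT
    # codesign reports the requirement as "designated => <expr>"; check both streams.
    for line in (out.stdout + out.stderr).splitlines():
        if line.startswith("designated => "):
            return line[len("designated => "):].strip()
    return PLACEHOLDER_REQUIREMENT


def build_pppc_profile(code_requirement: str, org: str = "Example Org",
                       org_id: str = "com.example") -> dict:
    """Assemble the profile as a plain dict (plist structure)."""
    deny_zoom_accessibility = {
        "Identifier": ZOOM_BUNDLE_ID,
        "IdentifierType": "bundleID",
        "CodeRequirement": code_requirement,
        "Allowed": False,  # managed deny: the user cannot grant it either
        "Comment": "Deny Accessibility so Zoom Remote Control cannot be granted",
    }
    tcc_payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"{org_id}.tcc.zoom",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Zoom: deny Accessibility",
        "Services": {"Accessibility": [deny_zoom_accessibility]},
    }
    return {
        "PayloadContent": [tcc_payload],
        "PayloadDisplayName": "Block Zoom Remote Control",
        "PayloadIdentifier": f"{org_id}.zoom-remote-control",
        "PayloadOrganization": org,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadRemovalDisallowed": True,
    }


def profile_xml(profile: dict) -> bytes:
    """Serialise the profile as an XML plist (.mobileconfig)."""
    return plistlib.dumps(profile)


def profile_denies_zoom_accessibility(xml_bytes: bytes) -> bool:
    """Sanity check used before deployment: parse the XML back and confirm the deny."""
    parsed = plistlib.loads(xml_bytes)
    for payload in parsed.get("PayloadContent", []):
        for entry in payload.get("Services", {}).get("Accessibility", []):
            if entry.get("Identifier") == ZOOM_BUNDLE_ID and entry.get("Allowed") is False:
                return True
    return False


if __name__ == "__main__":
    # Usage: python3 this_script.py > block-zoom-remote-control.mobileconfig
    sys.stdout.buffer.write(profile_xml(build_pppc_profile(zoom_code_requirement())))
```

Deploy the resulting `.mobileconfig` through the organisation's MDM so the deny is enforced system-wide; the TCC payload has to be MDM-delivered to take effect. If the requirement line still contains the placeholder, the profile was generated on a machine without Zoom and needs the real designated requirement pasted in first.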
With millions already lost and attackers continuing to refine their methods, the message is clear: never treat video conferencing tools as risk-free. If you trade, invest, or work in the crypto industry, think twice before accepting unexpected meeting requests—and never approve a remote control prompt without absolute certainty of its legitimacy. The threat may look like business as usual, but the stakes have never been higher.