Manta Network co-founder Kenny Li narrowly escaped a Zoom phishing attack, suspected to be orchestrated by Lazarus.
In his April 17 X post, Kenny Li said that he had been targeted by Lazarus in a Zoom meeting. It started with a known contact asking Li for a chat via Zoom. When Li got on Zoom, the meeting looked legitimate, with the other party having their camera on and their face visible. However, there was no audio on the call, and Li was prompted to download a suspicious script file under the guise of a Zoom update.
Suspecting something was off, Li tried to verify the participant’s identity by suggesting they switch to Google Meet or speak on Telegram. The impersonator refused, then quickly deleted all messages and blocked him.
Li later confirmed that the real person whose identity was used in the video call had their accounts compromised by Lazarus.
This isn’t the first time Lazarus has used Zoom as a phishing vector. Nick Bax from the Security Alliance highlighted this scam in a March 11 X post. He explained that it usually starts with a few “VCs” on the call, who claim to have audio issues and say the victim cannot hear them. If the victim falls for it, they’re directed to a new Zoom room via a fake link, where they’re prompted to download a “patch” to resolve the audio/video problem. Bax noted that this method has been used by threat groups to steal millions of dollars, and that other hackers are now replicating these tactics.
In the thread, several crypto founders shared experiences similar to that of Kenny Li of Manta Network (MANTA), recounting how they too narrowly avoided falling victim to these Zoom phishing scams.
Giulio Xiloyannis, co-founder of the blockchain gaming firm Mon Protocol, recounted an attempted scam where the hacker posed as the project lead from Story Protocol (IP) to lure him and his marketing lead into a fake meeting. The deception became clear when he was abruptly asked to join a new Zoom link that faked audio issues in an attempt to get him to download malware.
David Zhang, co-founder of the stablecoin platform Stably, faced a similar attack. Initially, the scammers joined his Google Meet call but then fabricated a reason to switch to a different meeting link. Zhang took the call on his tablet, which may have prevented the malware from functioning properly. He suspects the phishing attempt was designed to identify the user’s operating system and adapt accordingly, but the setup wasn’t optimized for mobile devices.
Melbin Thomas, founder of Devdock AI, also fell victim to the Zoom scam but didn’t enter his password during the fake installation process. He then went offline and did a factory reset. However, he’s still not sure whether the files are safe, as he transferred them to a hard drive that hasn’t been reconnected to his system.
This surge in attacks follows a joint warning from the US, Japan, and South Korea in January about the increasing threat of the Lazarus Group targeting the crypto industry. The Lazarus Group, known for its involvement in high-profile cyber thefts like the Bybit and Ronin network hacks, is suspected to be behind these attacks.