Lazarus Group Targets Crypto Founders With Fake Zoom Calls

Coin World | Tuesday, Apr 22, 2025 11:41 pm ET

The Lazarus Group, a North Korean-affiliated cybercrime syndicate, has been targeting founders of cryptocurrency companies with fake Zoom calls. The group, known for its sophisticated hacking techniques, has been using these calls as an entry point to infiltrate the systems of high-profile individuals in the crypto industry. The attack pattern involves hacking a trusted contact and scheduling a "business" call, during which malicious software is deployed to compromise the target's device.

One such incident involved the co-founder of Manta Network, who was invited to a Zoom call by someone he knew. The call turned out to be a fraudulent attempt to gain access to his system. The Lazarus Group has been using deepfake technology and malware to execute these attacks, making it difficult for victims to detect the deception. The group's tactics include using fake LinkedIn job offers and sponsored Google ads to deliver malware, further expanding their reach and effectiveness.

In the incident, on April 17, 2025, the hackers posed as the trusted contact on Telegram to schedule a Zoom meeting. During the call, Li, the Manta Network co-founder, noticed strange prompts, such as a request for camera access and a script file download, that set off alarms. He deleted their messages and left the meeting; later, he confirmed that the contact had blocked him. Li’s experience is part of a growing trend of Zoom-based attacks against the crypto community. Cybersecurity experts have linked these tactics to the Lazarus Group, which has exploited vulnerabilities in Web3 infrastructure.

The attack on Li involved a fake Zoom call using pre-recorded footage from previous meetings that was probably obtained by compromising team members’ accounts. The audio did not work, and familiar faces were shown, mimicking a legitimate meeting, before a prompt to download a script file appeared. The tactic is similar to what has been previously reported about Zoom scams. These malicious files steal system data, browser cookies and cryptocurrency wallet credentials and send them to the attackers’ remote server.

The Lazarus Group’s methods have changed from brute force to social engineering to get around traditional security. These attacks are especially dangerous to crypto founders and developers because they impersonate trusted contacts and use realistic visuals to exploit human error. This is not the only incident of its kind in the crypto space. A user from Vow | ContributionDAO also had a near-identical experience on April 18, 2025, when attackers pretending to be a blockchain team demanded a specific Zoom link. The attackers disappeared when the user suggested switching to Google Meet.

These attacks are becoming increasingly sophisticated, and the crypto community is raising the alarm. Scams built on deepfake technology or pre-recorded footage can be very convincing, which is why users should be vigilant. The Lazarus Group's activities highlight the growing threat of cybercrime in the cryptocurrency industry and the need for enhanced security measures to protect against such attacks.