- Phishing attackers used stolen video footage to impersonate trusted contacts via Zoom.
- Refusal to switch platforms and silent calls were key signs of the phishing attempt.
- Similar incidents suggest a growing threat of social engineering in the crypto industry.
Kenny Li, co-founder of Manta Network, avoided falling victim to a coordinated phishing scheme that used a fraudulent Zoom video call to deliver malicious software. The incident, which Li shared publicly on April 17 via X (formerly Twitter), is believed to be the work of the North Korean-linked Lazarus Group, known for targeting high-profile figures in the cryptocurrency space.
The attack was highly organized and relied on impersonation. Li noticed something was off during what appeared to be a routine virtual meeting. The attacker’s Zoom camera displayed what looked like a live video feed of a familiar colleague.
However, there was no audio throughout the call, and the participant quickly prompted Li to install a suspicious script. Sensing something was wrong, Li ended the call and attempted to verify the person’s identity through Telegram. When he reached out, the individual blocked him and deleted the chat history, confirming Li’s suspicions.
Stolen Credentials, Not Deepfakes, Likely Used
Li noted that the video footage used during the call was not AI-generated but likely compiled from previously recorded Zoom sessions or team meetings. He added that the resolution and quality of the visuals resembled those of a standard webcam.
This added some credibility to the impersonation. According to Li, the attackers compromised the real individual’s account, which gave them access to the genuine video material and profile needed to stage the impersonation.
Li recorded the conversation and captured screenshots as additional evidence. In the middle of the call he proposed changing the link, a common procedure when dealing with fake meetings, but the impersonator did not agree to move to another application. That refusal to switch was one of the signs Li used to identify an ongoing phishing attempt.
Pattern Matches Other Recent Phishing Attempts
Li’s story is not an isolated case; others report similar experiences. A member of ContributionDAO said the same. The attacker introduced himself as their employer and persuaded them to download a special business-oriented version of Zoom. Security researchers found that the attacker insisted on their own version even when Zoom was already installed on the device. As in Li’s case, the attacker was reluctant to switch to Google Meet or any other available platform.
Another social engineer named “Meekdonald” gave an example of a friend who asked for malware installation because the targeted person receives constant calls. The impersonators also opted for the same strategy, sending a clear face of Chad recognizing an associate.
These incidents shed light on the usually quiet playbook used by hackers targeting the digital asset markets. Social engineering is occasionally used, with attackers inserting themselves into the targeted systems and delivering malware through familiar and friendly accounts, contacts, and interactions that seem normal and proper.
Precaution Urged Amid Growing Social Engineering Risks
This series of reports shows that social engineering is a gradually growing element of cybercrime in the crypto space. Although no theft has occurred, as in Li’s case, this type of phishing extends beyond e-mails and fake sites.
Li then explained that it is important to exercise caution when a meeting prompts you to install software, when video plays with no audio from the speaker, or when the other party will not move to a different application.