Overview
- Security Alliance (SEAL) says it is seeing multiple attempts every day that target cryptocurrency professionals via convincing video meetings.
- Attackers seize trusted Telegram sessions, then route victims to Zoom or Teams through spoofed calendar links where pre-recorded footage mimics live participants.
- During the call, the impostor prompts the victim to apply a quick audio fix or SDK update; the download installs a Remote Access Trojan that gives the attacker full control of the device.
- Researchers link roughly $300 million in direct wallet theft to this tactic, part of a broader North Korea-backed campaign estimated at nearly $2 billion, including recent exchange breaches.
- Advisories urge immediate incident steps: disconnect from networks, power off the device, move funds from a clean device, wipe and rebuild the infected machine, reset Telegram sessions, and rotate credentials with multifactor authentication.