A sophisticated phishing scam allegedly orchestrated by the Lazarus Group, North Korea’s notorious state-sponsored hacking collective, has resulted in the theft of crypto assets from Mehdi Farooq, a prominent investment partner at Hypersphere and former executive at Animoca Brands.
In a detailed post shared on X (formerly Twitter) on Thursday, Farooq recounted how a fake Zoom update led to the compromise of six crypto wallets, costing him a significant portion of his life savings.
The Attack: A Familiar Face, a Fake Meeting, and a Fatal Click
The phishing campaign began with what seemed like a routine message from Alex Lin, a known professional contact. After Farooq shared his Calendly link, Lin followed up to request switching the meeting to Zoom Business, citing “compliance reasons” and the involvement of a mutual acquaintance named Kent.
The Zoom call itself appeared legitimate: both attendees had their cameras on. However, there was no audio. The participants claimed to be experiencing technical issues and encouraged Farooq to download a Zoom client update sent via the chat interface.
Moments after Farooq installed the update, his wallets were drained. He later discovered that Lin’s Telegram account had been compromised, and the meeting was a carefully orchestrated social engineering attack linked to Lazarus.
“It was surreal and completely violating… I was compromised by DPRK-affiliated threat known as ‘dangrouspassword,’” Farooq wrote on X.
A Pattern Emerges: Lazarus Group’s Zoom Trap
This attack mirrors an ongoing pattern of phishing campaigns using fake Zoom updates, a method increasingly associated with Lazarus operations. The scheme involves:
- Impersonating trusted contacts using hijacked messaging accounts (Telegram, WhatsApp)
- Scheduling fake Zoom meetings with familiar names and faces
- Faking technical issues (no audio/video glitches) to build urgency and realism
- Distributing malware disguised as Zoom updates, which silently compromises systems and extracts wallet data or credentials
Just weeks earlier, Kenny Li, co-founder of Manta Network, narrowly avoided a similar scam. The attackers impersonated known contacts and insisted on a Zoom update. Li’s suspicion led him to switch platforms, prompting the scammers to block him and delete all traces of the conversation.
Industry-Wide Threat: Founders and Developers Targeted
This isn’t an isolated incident. Other crypto leaders, including teams from Mon Protocol, Stably, and Devdock AI, have reported receiving similar phishing attempts. In all cases, the attack flow was consistent: friendly introduction, urgent scheduling, fake Zoom, malware.
Nick Bax of the Security Alliance previously dissected this campaign in a viral March 11 post, warning that the Lazarus Group was deploying deepfake video feeds and advanced spear-phishing methods to drain crypto wallets across the industry.
Community Response: Whitehats Step In
Despite the loss, Farooq highlighted the support from whitehat hackers and the broader crypto security community, many of whom reached out with help, forensics advice, and emotional support.
“In the darkest moment, whitehat hackers stepped up, complete strangers offering help when I was at my lowest,” he shared.
Staying Safe: What You Can Do
In light of the growing sophistication of phishing attacks, security experts recommend the following precautions:
- Never install software from chat links, especially during video calls
- Verify all meeting invites and download links independently, via official sites
- Enable multi-factor authentication (MFA) on wallets and email accounts
- Use hardware wallets and avoid storing private keys or seed phrases on internet-connected devices
- Regularly update anti-malware tools and audit device access logs
Outlook
As Web3 adoption accelerates, so does the attention from state-sponsored actors like Lazarus. The crypto community now faces a dual challenge: building innovative technology while defending against nation-state-level attacks.
The Lazarus Group’s Zoom update scam is just the latest reminder that trust, even among known peers, must be constantly verified in today’s digital landscape.