
Hackers use fake Zoom links to target crypto users, steal $1M: report

December 27, 2024

A sophisticated phishing scam targeting cryptocurrency users has been uncovered, exploiting fake Zoom meeting links to distribute malware and steal assets.

The operation, exposed by blockchain security firm SlowMist, saw hackers mimicking Zoom’s platform to compromise sensitive information, including private keys and wallet credentials.

This malicious campaign, active since November 2024, has resulted in significant financial losses, with over $1 million traced to a hacker’s Ethereum wallet.

The attackers utilised advanced malware and obfuscation techniques, emphasising the growing risk of cyber threats in the crypto industry.

Fake Zoom links deployed to steal cryptocurrency

Hackers used a phishing domain, “app[.]us4zoom[.]us,” designed to replicate Zoom’s interface.

Victims were deceived into clicking a “Launch Meeting” button that initiated a malicious download instead of launching the application.

The fake installer, “ZoomApp_v.3.14.dmg,” executed a script named “ZoomApp.file,” prompting users to enter their system passwords.

Upon execution, the script deployed a hidden executable file, “.ZoomApp,” which attempted to access sensitive information, including browser cookies, Keychain data, and cryptocurrency wallet credentials.

This data was compressed and transmitted to a malicious server associated with an IP flagged by multiple threat intelligence services.
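
The phishing host reported above ends in the characters “zoom.us” without being a subdomain of zoom.us, so a plain suffix match would accept it. The following check is an added example, not code from SlowMist or the article; the trusted-domain list, function names and all sample links other than the reported host are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: registrable domains Zoom serves meetings from; adjust for your environment.
TRUSTED_ZOOM_DOMAINS = ("zoom.us", "zoom.com", "zoomgov.com")
BRAND = "zoom"


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp, [.], (.)) so the indicator parses as a URL."""
    text = re.sub(r"\[\.\]|\(\.\)", ".", indicator.strip())
    return re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)


def hostname_of(link: str) -> str:
    """Lower-cased host of a URL or bare hostname, without userinfo or port."""
    link = refang(link)
    if "://" not in link:
        link = "//" + link  # makes urlsplit treat a bare host as the netloc
    return (urlsplit(link).hostname or "").rstrip(".")


def naive_is_zoom(link: str) -> bool:
    """Flawed check shown for contrast: a suffix match with no label boundary."""
    return hostname_of(link).endswith("zoom.us")


def classify_zoom_link(link: str) -> str:
    """Return 'trusted', 'lookalike' (brand in host, wrong domain) or 'unrelated'."""
    host = hostname_of(link)
    if any(host == d or host.endswith("." + d) for d in TRUSTED_ZOOM_DOMAINS):
        return "trusted"
    return "lookalike" if BRAND in host else "unrelated"


# Constructed sample links; only the host app[.]us4zoom[.]us is taken from the article.
SAMPLES = [
    "hxxps://app[.]us4zoom[.]us/launch",
    "https://us04web.zoom.us/j/0000000000",
    "https://zoom.us.join-meeting.example/j/1",
    "https://example.org/agenda",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_zoom_link(sample):9}  naive={naive_is_zoom(sample)}  {sample}")
```

The naive check accepts the reported host, while the label-boundary comparison classifies it as a lookalike.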

Further investigation revealed that the malware targeted high-value assets by focusing on users likely to hold significant cryptocurrency balances.

The attackers used a combination of social engineering and advanced coding techniques to bypass security protocols, making the scam harder to detect.

Their ability to impersonate a trusted platform like Zoom demonstrates the growing sophistication of phishing operations.

The malware, identified as a Trojan, underwent static and dynamic analysis.

It showed capabilities to decrypt data, extract system credentials, and access private keys and wallet mnemonics.

These actions enabled the theft of cryptocurrency from victims, with attackers allegedly utilising Russian-language scripts and a back-end system located in the Netherlands.

On-chain tracking reveals stolen Ethereum

SlowMist employed its anti-money laundering tool, MistTrack, to trace stolen cryptocurrency.

Over $1 million in digital assets, including Ethereum (ETH), USD0++, and MORPHO, was transferred across platforms such as Binance, Gate.io, and Bybit.

One hacker’s address consolidated 296 ETH, which was further distributed to multiple platforms.

Another wallet linked to the scam sent small ETH transfers to nearly 8,800 addresses to cover transaction fees.

These stolen funds were subsequently aggregated and converted into Tether (USDT) and other cryptocurrencies via exchanges like FixedFloat and Binance.

How does this affect crypto security?

This phishing campaign underscores the increasing sophistication of cyberattacks targeting cryptocurrency users.

Exploiting popular platforms like Zoom, attackers leveraged advanced techniques to steal private information and assets.

The incident highlights the need for heightened vigilance, robust security protocols, and user education to prevent further exploitation in the rapidly evolving digital asset space.

Governments and crypto exchanges are being urged to enhance their fraud detection measures and develop stronger countermeasures to combat such attacks.

This includes raising awareness among users about recognising phishing schemes and adopting multi-factor authentication to secure their wallets.

The post Hackers use fake Zoom links to target crypto users, steal $1M: report appeared first on Invezz
