Lazarus Hackers Target Crypto Founders with Fake Zoom Calls

• Lazarus Group targets crypto founders with fake Zoom calls.
• Hackers use pre-recorded footage to impersonate trusted contacts.

The Lazarus Group, a North Korean-affiliated cybercrime syndicate, attempted to hack Manta Network co-founder Kenny Li. The attack was carried out by the attackers by using a fake Zoom call to try to steal the cryptocurrency assets by using malicious software.

On April 17, 2025, the incident showed how the hackers posed as the trusted contact on Telegram to schedule a Zoom meeting. In the course of the call, Li noticed strange prompts, such as a request for camera access and a script file download, that set off alarms. He deleted their messages and left the meeting,  later, he confirmed that the contact had blocked him.

Li’s experience is part of a growing trend of Zoom based attacks against the crypto community. These tactics have been linked to the Lazarus Group by cybersecurity experts, who have exploited vulnerabilities in Web3 infrastructure.

How Lazarus Exploits Zoom for Crypto Scams

The attack on Li involved a fake Zoom call using pre-recorded footage from previous meetings that were probably obtained by compromising team members’ accounts. The audio did not work, and familiar faces were shown, mimicking a legitimate meeting, before a prompt to download a script file appeared.

The tactic is similar to what has been previously reported about Zoom scams. SlowMist conducted a 2024 investigation that found hackers were using fake Zoom interfaces to trick users to download malware. These malicious files steal system data, browser cookies and cryptocurrency wallet credentials and send them to the remote server of the attackers.

The Lazarus Group’s methods have changed from brute force to social engineering to get around traditional security. These attacks are especially dangerous to crypto founders and developers because they impersonate trusted contacts and use realistic visuals to exploit human error.

This is not the only incident of its kind in the crypto space. A user from Vow | ContributionDAO also had a near identical experience on April 18, 2025, when attackers pretending to be a blockchain team demanded a specific Zoom link. The attackers disappeared when the user suggested switching to Google Meet.

These attacks are becoming more and more sophisticated and the crypto community is raising alarm. These scams can become very convincing when they are made using deepfake technology or using pre recorded footage and that is why users should be vigilant.

KiloEx Recovers $7.5M After Separate Exploit

In related news, decentralized exchange KiloEx regained $7.5 million after being hacked. On April 18th, 2025, the platform announced that the attacker returned the funds, stolen four days earlier, after negotiating a bounty deal.

The exploit was due to a manipulated price oracle, a known vulnerability of decentralized finance platforms. SlowMist and Sherlock, among other cybersecurity firms, were asked by KiloEx to conduct the trace of the attack. The platform temporarily suspended operations but gave reassurance that no funds were lost in the end.

KiloEx has closed the case since then and has not decided to take legal action against the hacker. The incident also serves as a reminder that vulnerabilities in smart contracts and oracles continue to be prime targets for cybercriminals in the DeFi sector.