International Cyber Expo International Cyber Expo
  • About Us
Thursday, 9 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

One Click and Your Wallet Is Gone: How Fake Meeting Link Scams Work

by David Soffer
June 17, 2026
in Data Protection
data-cloud-security
Share on FacebookShare on Twitter

In January 2026, Martin Kuchar, one of the organisers of BTC Prague, received a message on Telegram. A familiar contact, a compromised account, a familiar context, an invitation to jump on a call. The link led to a page visually identical to Zoom. What followed was the standard script: audio issues, a prompt to install an update. That was all it took.

This is not phishing in the classical sense. There is no suspicious email with typos and a strange sender address. This is a trust management operation and that is precisely why it works even on experienced participants in the crypto market.

The Scale Of The Threat

According to the FBI, in 2025 American users filed 181,565 complaints related to cryptocurrency fraud. The average loss per complaint was $62,604. Total losses from investment scams reached $7.23 billion out of $11.36 billion in documented crypto fraud for the year.

Impersonation attacks specifically saw growth of more than 1,400% year-on-year in 2025. The average payment made by a victim increased from $782 in 2024 to $2,764 in 2025.

A significant portion of these attacks can be traced to a single structure: Lazarus Group and its affiliated North Korean intelligence units. According to FBI and Mandiant data, in 2025 they stole $2.02 billion in cryptocurrency, a 51% increase over the previous year. The Bybit attack in February 2025, $1.5 billion in a single operation was attributed directly to them by the FBI.

How The Attack Works: Step By Step

The operation begins long before any call takes place. Attackers reach the target through Telegram, LinkedIn, email, or X. A pseudo-recruiter offers a Web3 position paying $16,000 to $44,000 per month. An ‘investor’ wants to discuss a deal. A ‘partner’ wants to connect. Everything looks like a routine business contact because in the crypto industry, strangers genuinely reach out to each other every day.

The next step is the meeting link. The victim sees a convincing imitation: a Zoom waiting room with audio cues from other participants, a Google Meet page with a correct interface. Domains are purpose-built: uswebzoomus[.]com, googlemeetinterview[.]click, 9ooggleactivemeett[.]live. According to Netcraft and Malwarebytes, operators prepare backup domains across multiple hosting providers in advance, anticipating inevitable takedowns.

On the fake meeting page, an error message appears: microphone issue, client update required, extension needs to be installed. The victim is asked to paste a command into the terminal, download an installer, or run a script. This moment is deliberately designed to look like routine technical troubleshooting. That is exactly why it works.

After installation, attackers gain full access: keystroke logging, clipboard monitoring, real-time screenshots, browser data and wallet extension data MetaMask, Trust Wallet, Phantom, and others. On macOS, iCloud Keychain. Any seed phrase or private key that was ever typed or copied on the device should be considered compromised.

The Deepfake That Isn’t

One of the most technically sophisticated elements is what Kaspersky GReAT documented as GhostCall. Attackers record video from the webcams of previous victims without their knowledge. During a call with the next target, they play back this footage, the victim sees a live video stream of a real person from their professional network.

This is not a deepfake in the technical sense. It is a recording of a real person the victim likely knows. The attacker remains ‘with audio issues’ and communicates only via text chat. Psychologically, it is a near-perfect trap: you see a familiar face, hear a familiar voice in the recording, and have no basis for suspicion.

Immediately after compromising a device, attackers gain access to the victim’s Telegram contacts and use the account to send the same link to the next wave of potential targets. The attack propagates through trusted professional networks with no external indicators.

Who Is Behind This

Lazarus Group, BlueNoroff, UNC1069, TraderTraitor, Famous Chollima, these are all names for sub-units of a single operation run by the Reconnaissance General Bureau of North Korea. Attributed by the FBI, Mandiant, and Kaspersky. Since 2021, the primary focus has been Web3.

Active campaigns documented in 2025-2026: Contagious Interview, fake recruiting interviews with a ClickFix payload at the end. According to SentinelLABS, at least 230 people were affected in just Q1 2025, with the real figure likely higher. GhostCall, fake Zoom calls targeting Web3 executives and venture investors. Mach-O Man, attacks through compromised Telegram accounts targeting C-suite in crypto and fintech.

The Drift Protocol case warrants special attention. Lazarus spent six months on infiltration: meeting the team in person at conferences across multiple countries, depositing $1 million in real capital to establish credibility. The drain of $286 million took 12 minutes. This is not a scam, it is a state-level operation with a budget and a planning horizon.

According to Mandiant and Google Threat Intelligence Group, unit UNC1069 has been officially documented using Google Gemini for operational research, generating personalised lure content targeting specific victims, and writing code. Attack automation at the level of a state actor.

Why Standard Security Advice Does Not Work Here

The conventional advice to ‘not click suspicious links’ is useless in this context. The link looks like Zoom. The domain is visually identical to the real one. The person on the video stream is someone the victim actually knows. The installer is signed with a valid digital certificate stolen from a legitimate company. The antivirus stays silent, because some attackers are not deploying custom malware at all, but repurposed commercial enterprise monitoring software.

“We encounter this attack pattern in investigations regularly. The fundamental difference from classical phishing is that there is no technical exploit. On-chain, the transaction looks entirely legitimate, authorised by the wallet owner. This is precisely why a proper investigation requires not only on-chain tracing but off-chain event reconstruction: the attack timeline, identification of the entry vector, device analysis. Neither is sufficient without the other when it comes to working with law enforcement.” – Ais Dorzhinov, Co-Founder, Match Systems

This is a fundamentally different category of threat: a trust management operation, not a technical exploit. Defense needs to be operational, not only technical.

How To Protect Yourself: What Actually Works

For individual holders and investors, a hardware wallet remains the only reliable barrier even in the event of full device compromise. A seed phrase that never existed on a computer cannot be stolen through malware. A dedicated device used exclusively for crypto operations with no browsing, calls, or file downloads is not paranoia. It is operational hygiene.

The most important single measure: verify through an alternative channel before any unexpected call. If a ‘partner’ messages you on Telegram, call them on the phone number from your address book, not through Telegram. If a ‘recruiter’ sends a Meet link, find the company through Google and contact them directly. One additional verification step closes the majority of attack scenarios.

For companies and teams: isolate corporate wallets from working devices, use multisig with split keys for significant assets, prohibit installation of any ‘meeting software’ outside an approved list. All client updates must come from official websites directly, never through a link in a chat. Regular team briefings with concrete examples of current schemes not as a compliance formality, but as real preparation.

An underestimated organisational measure: if someone in your team or professional network has been compromised, notify all of their contacts immediately. GhostCall-style attacks propagate through trusted networks instantly, and the speed of notification directly affects how many people become the next victims.

If It Has Already Happened: The First Hours Are Everything

The Bybit drain took a few hours. Drift Protocol,12 minutes. Once funds leave the primary wallet, every minute narrows the window for a freeze.

The typical movement pattern for stolen funds in Lazarus operations: immediate withdrawal to intermediate addresses, swaps through DEXs to break the direct on-chain connection, bridging to another network, fragmentation across dozens of intermediate addresses, final withdrawal through OTC operators with weak KYC requirements or conversion to Monero.

Blockchain forensics in these cases enables address attribution through on-chain behavioral patterns, tracing fund movements through bridges and swaps, labeling destination addresses, and sending freeze notifications to exchanges before final withdrawal. It also supports structuring on-chain data for law enforcement requests and legal proceedings. One important limitation to understand: if funds have already been withdrawn through small, unlabeled exchangers, options narrow significantly. This is why speed of response in the first hours is decisive.

If an incident has already occurred, do not spend time on self-analysis. Contact professional firms specialising in cryptocurrency theft investigation and asset recovery.

ShareTweet
Previous Post

How Modern Financial Platforms Secure Real-Time Data Visualisation For UK Traders

Next Post

How Businesses Could Save on Virtual Private Servers Annually

Recent News

malware

Huntress Uncovers ‘Vibe-Coded’ Malware Used to Map Active Directory Environments

July 8, 2026
Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

July 8, 2026
Kirsty Fowler, WorkNest Secure

Next Gen Spotlights: Building a More Resilient Future – Q&A with WorkNest Secure

July 8, 2026
Mike Winston on Why Jet.AI Shifted From Aviation to AI Infrastructure

Mike Winston on Why Jet.AI Shifted From Aviation to AI Infrastructure

July 7, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol