Ex-Animoca exec had his crypto wallets drained after downloading a fake Zoom update during a phishing attack linked to North Korean hacking group Lazarus.
Mehdi Farooq, an investment partner at Hypersphere and former Animoca Brands executive, revealed in a post on X on Thursday that he lost a large portion of his life savings in a Zoom-based hack linked to the North Korean hacking group Lazarus.
The scam began when Farooq received a Telegram message from Alex Lin, a professional acquaintance. Lin asked to catch up, and Farooq shared his Calendly link to schedule a call.
The next day, shortly before the meeting, Lin messaged again, asking to switch the call to Zoom Business “for compliance reasons,” explaining that one of his limited partners, Kent, whom Farooq also knew, would be joining.
The Zoom meeting appeared legitimate. Both participants had their cameras on, but there was no audio. In the Zoom chat, they said they were having technical issues and asked Farooq to update his Zoom client. Within minutes of installing the fake update, six of Farooq’s crypto wallets were drained.
It was only afterward that Farooq realized Lin’s account had been hacked. The scheme was later linked to Lazarus, a North Korean state-sponsored hacking group.
“It was surreal and completely violating. But in the darkest moment, whitehat hackers stepped up — complete strangers offering help when I was at my lowest. Turns out I was compromised by DPRK affiliated threat known as dangerouspassword,” wrote Farooq.
This incident echoes a recent phishing attempt targeting Manta Network co-founder Kenny Li, who narrowly avoided a similar fate. Li recounted that the attackers impersonated known contacts during a Zoom call, used fake video feeds, and insisted on a suspicious Zoom update download. Suspecting foul play, Li suggested switching communication platforms, prompting the attackers to block him and delete their messages.
Security analysts say that this attack vector, in which hackers pose as trusted contacts, fake technical glitches, and push malware disguised as Zoom updates, is a hallmark of Lazarus operations and has been used repeatedly to steal millions in crypto. A genuine Zoom update is delivered through the client’s own update mechanism or downloaded from zoom.us, never as a file or link pasted into meeting chat by another participant.
Other crypto industry leaders, including founders from Mon Protocol, Stably, and Devdock AI, have reported similar phishing attempts, highlighting how widespread and targeted these attacks have become.
Nick Bax from the Security Alliance broke down this scam in a March 11 X post.