Manta Network co-founder Kenny Li narrowly escaped a Zoom phishing attack, suspected to be orchestrated by Lazarus. In his April 17 X post , Kenny Li said that he had been targeted by Lazarus in a Zoom meeting. It started with a known contact asking Li for a chat via Zoom. When Li got on Zoom, the meeting looked legitimate, with the other party having their camera on and their face visible. However, there was no audio on the call, and Li was prompted to download a suspicious script file under the guise of a Zoom update. 🚨 Just got targeted by Lazarus. A known contact on TG reached out to me to ask for a chat. Scheduled a Zoom call. When I got on the Zoom, it asked me for camera access which I found a bit odd because I have used Zoom many times. Even crazier, the team members had their… — 🤓Kenny.manta (@superanonymousk) April 17, 2025 Suspecting something was off, Li tried to verify the participant’s identity by suggesting they switch to Google Meet or speak on Telegram. The impersonator refused, then quickly deleted all messages and blocked him. Li later confirmed that the real person whose identity was used in the video call had their accounts compromised by Lazarus. You might also like: Crypto firm CLS Global sanctioned in FBI’s ‘Token Mirrors’ sting op This isn’t the first time Lazarus has used Zoom as a phishing vector. Nick Bax from the Security Alliance highlighted this scam in a March 11 X post . He explained that it usually starts with a few “VCs” on the call, who claim to have audio issues and claim the victim cannot hear them. If the victim falls for it, they’re directed to a new Zoom room via a fake link, where they’re prompted to download a “patch” to resolve the audio/video problem. Bax noted that this method has been used by threat groups to steal millions of dollars, and other hackers are now replicating these tactics. Having audio issues on your Zoom call? That's not a VC, it's North Korean hackers. Fortunately, this founder realized what was going on. The call starts with a few "VCs" on the call. They send messages in the chat saying they can't hear your audio, or suggesting there's an… pic.twitter.com/ZnW8Mtof4F — Nick Bax.eth (@bax1337) March 11, 2025 In the thread, several crypto founders shared similar experiences to Kenny Li of Manta Network (MANTA), recounting how they too narrowly avoided falling victim to these Zoom phishing scams. Giulio Xiloyannis, co-founder of the blockchain gaming firm Mon Protocol, recounted an attempted scam where the hacker posed as the project lead from Story Protocol ( IP ) to lure him and his marketing lead into a fake meeting. The deception became clear when he was abruptly asked to join a new Zoom link that faked audio issues in an attempt to get him to download malware. This happened to me and @NFTVai today. The project lead was disguised as a Story Protocol project ( https://t.co/jfQ2VunSmd ) for IP usage and rev sharing (very good fit with @Pixelmon business model and my past investments), at the last minute they asked us to use a ZOOM link and… https://t.co/SVQHxC1kaU pic.twitter.com/LxINrif6Zk — GiulioX🐉 $MON (@GiulioXdotEth) March 12, 2025 David Zhang, co-founder of the stablecoin platform Stably, also faced a similar attack. Initially, the scammers joined his Google Meet call but then fabricated a reason to switch to a different meeting link. Zhang took the call on his tablet, which may have prevented the malware from functioning properly. He suspects the phishing attempt was designed to identify the user’s operating system and adapt accordingly, but the setup wasn’t optimized for mobile devices. Melbin Thomas, founder of Devdock AI, also fell victim to the Zoom scam but didn’t enter his password during the fake installation process. Then, he went offline and did a factory reset. However, he’s still not sure whether the files are safe, as he transferred them to a hard drive that hasn’t been reconnected to his system. The same thing happened to me. But didnt give my password while the install was happening. Disconnecte my laptop and I reset to factory settings. But transferred my files to a hard drive. I have not connected the hard drive back to my laptop. Is it still infected? @_SEAL_Org — Melbin (melbin.eth) (@melbint04) March 12, 2025 This surge in attacks follows a joint warning from the US, Japan, and South Korea in January about the increasing threat of the Lazarus Group targeting the crypto industry. The Lazarus Group, known for its involvement in high-profile cyber thefts like the Bybit and Ronin network hacks, is suspected to be behind these attacks. You might also like: North Korean IT workers ramp up infiltration of tech and crypto firms across Europe
