Fake Zoom Meeting Links Lead to Million-Dollar Cryptocurrency Heist

A sophisticated phishing campaign masquerading as Zoom meeting invitations has resulted in the theft of millions in cryptocurrency, as revealed by a recent analysis from blockchain security firm SlowMist. By exploiting users’ trust in commonly used communication platforms, attackers have managed to deploy malware that compromises systems and siphons sensitive data, including cryptocurrency wallets.

The phishing links, designed to mimic legitimate Zoom meeting invitations, directed users to a fraudulent domain, “app[.]us4zoom[.]us”, which closely resembled the genuine Zoom interface. Instead of launching the Zoom client, clicking on the “Launch Meeting” button prompted the download of a malicious installation package named “ZoomApp_v.3.14.dmg.”

According to SlowMist, the site’s backend logs revealed evidence of Russian-language scripts monitoring downloads via the Telegram API. “Since November 14, they have been targeting victims and using the Telegram API to monitor whether anyone clicked the download button on the phishing page,” the report stated.

Once downloaded and executed, the fake Zoom application prompted users to enter their system passwords, a step that facilitated deeper infiltration. The malicious software employed a script named “ZoomApp.file” to execute additional code, ultimately activating a hidden executable file called “.ZoomApp.” This program systematically collected sensitive data, including:

• System information
• Browser data
• Cryptocurrency wallet keys
• Telegram and Notes data
• Cookies and KeyChain passwords

The gathered information was then compressed and sent to a hacker-controlled server located at 141.98.9.20, flagged as malicious by threat intelligence platforms.

Using the MistTrack on-chain tracking tool, SlowMist identified the hacker’s address, 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac, which has amassed over $1 million in stolen funds, including ETH, USD0++, and MORPHO. The stolen assets were swapped for 296 ETH, a portion of which was subsequently laundered through platforms like Binance, Gate.io, and Swapspace.

Interestingly, SlowMist uncovered a supporting address, 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, suspected of acting as a transaction fee provider, transferring small amounts of ETH to nearly 8,800 addresses. These findings connect the phishing operation to broader malicious networks, including tags like “Pink Drainer” and “Angel Drainer.”

SlowMist emphasizes the importance of user vigilance, advising individuals to:

1. Verify meeting links before clicking.
2. Avoid executing unknown files or commands.
3. Regularly update and use reputable antivirus software.
4. Secure cryptocurrency assets with strong, multi-layered defenses.

As the report concludes, “These types of attacks often combine social engineering and Trojan techniques, making users vulnerable to exploitation.” The firm also suggests consulting resources like the Blockchain Dark Forest Selfguard Handbook for comprehensive security tips.

Related Posts:

• Zoom Customers Advised to Update Software to Fix Security Vulnerabilities
• Zoom Phishing Alert: Researcher Identifies New Threat Targeting Microsoft Accounts
• Zoom Issues Security Update Addressing Vulnerabilities in Workplace and SDK Apps
• The Rise of Fake Online Meeting Websites Spreading Android and Windows RATs