Author: Dr. Awesome Doge
The cryptocurrency community has recently been hit by a string of security incidents. Attackers schedule meetings through Calendly, send seemingly normal "Zoom links" to lure victims into installing disguised Trojan programs, and even gain remote control of the computer during the meeting. Overnight, wallets and Telegram accounts are completely taken over.
This article comprehensively analyzes the attack chain and the defense points for such attacks, with complete reference materials for community reposting, internal training, or self-checking.
Attackers' Dual Objectives
Digital Asset Theft
Using malware such as Lumma Stealer, RedLine, or IcedID to steal private keys and seed phrases directly from browser or desktop wallets, then quickly transferring cryptocurrencies such as TON and BTC.
References:
Microsoft Official Blog
Flare Threat Intelligence
https://flare.io/learn/resources/blog/redline-stealer-malware/
Identity Credential Theft
Stealing Telegram and Google Session Cookies to impersonate victims and continuously spread to more victims, forming a snowball effect.
References:
d01a Analysis Report
https://d01a.github.io/redline/
Four-Step Attack Chain
① Building Trust
Impersonating investors, media, or podcasts by sending formal meeting invitations through Calendly. For example, in the "ELUSIVE COMET" case, attackers disguised themselves as a Bloomberg Crypto page to conduct fraud.
References:
Trail of Bits Blog
https://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/
② Trojan Deployment
Mimicking Zoom URLs (hosts that are not under .zoom.us) to lead the victim to download a malicious version of ZoomInstaller.exe. Multiple incidents between 2023 and 2025 used this method to deploy IcedID or Lumma.
References:
Bitdefender
https://www.bitdefender.com/en-us/blog/hotforsecurity/hackers-used-modified-zoom-installer-and-phishing-campaign-to-deploy-trojan-banker-2
Microsoft
https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/
③ Seizing Control During Meeting
Hackers change their display name to "Zoom" inside the meeting and ask the victim to "test screen sharing" while simultaneously sending a remote control request. Once the victim clicks "Allow", the machine is fully compromised.
References:
Help Net Security
https://www.helpnetsecurity.com/2025/04/18/zoom-remote-control-attack/
DarkReading
https://www.darkreading.com/remote-workforce/elusive-comet-zoom-victims
④ Spread and Cash Out
The malware uploads private keys and immediately withdraws funds, or lurks for days and uses the stolen Telegram identity to phish others. RedLine specifically targets Telegram's tdata directory.
References:
d01a Analysis Report
https://d01a.github.io/redline/
Three-Step Emergency Response
Immediately Isolate Device
Unplug the Ethernet cable, turn off Wi-Fi, and boot from a clean USB drive to scan; if RedLine or Lumma is found, a full disk wipe and reinstallation is recommended.
Revoke All Sessions
Transfer cryptocurrencies to a new hardware wallet; log out all Telegram devices and enable two-step verification; change all email and exchange passwords.
Synchronize Blockchain and Exchange Monitoring
If an abnormal transfer is detected, immediately contact the exchange and request that the suspicious addresses be frozen.
Six Long-Term Defense Principles
Separate Meeting Devices: Use a spare laptop or phone without private keys for unfamiliar meetings.
Download from Official Sources: Zoom, AnyDesk, and similar software must be from original manufacturer websites; macOS users should disable "automatically open after download".
Strictly Verify URLs: Meeting links must be under .zoom.us; Zoom Vanity URLs also follow this standard (official guide: https://support.zoom.us/hc/en-us/articles/215062646-Guidelines-for-Vanity-URL-requests).
Three "No" Principles: no plugins, no remote access, and never display seed phrases or private keys.
Cold and Hot Wallet Separation: Store main assets in a cold wallet with PIN + Passphrase; keep only small amounts in hot wallet.
Enable 2FA for All Accounts: Comprehensive two-factor authentication for Telegram, Email, GitHub, and exchanges.
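The "Download from Official Sources" and "Strictly Verify URLs" principles above, and the fake-Zoom-URL step of the attack chain, come down to one mechanical check: is the host of the link actually zoom.us or a subdomain of it? The following Python script is an added example written for this article, not code from the author or from Zoom. It assumes nothing beyond the standard library; the function names, the TRUSTED_APEX constant and the sample links are constructed for illustration. It goes slightly beyond the rule as stated by also refusing the usual lookalike tricks (userinfo before the host, punycode labels, non-https schemes, odd ports), since those are how a link that "looks like .zoom.us" is made to land elsewhere.

```python
from urllib.parse import urlsplit

# Assumption: the only apex domain accepted for meeting links and downloads,
# following the article's rule that links must be under .zoom.us.
TRUSTED_APEX = "zoom.us"


def check_zoom_link(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a purported Zoom meeting or download link.

    Accepts only https URLs whose host is zoom.us or a subdomain of it,
    which also covers vanity URLs such as company.zoom.us.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"scheme {parts.scheme or '(none)'!r} is not https"

    # https://zoom.us@evil.example/ actually goes to evil.example; refuse userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "URL contains userinfo (user@host), a lookalike trick"

    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercased
    if not host:
        return False, "URL has no hostname"

    # Internationalized labels can render as visual lookalikes; refuse them.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"host {host!r} uses punycode labels"

    # Exact apex or a real subdomain; "zoom.us.example.com" fails this test.
    if host != TRUSTED_APEX and not host.endswith("." + TRUSTED_APEX):
        return False, f"host {host!r} is not under {TRUSTED_APEX}"

    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port is not None and port != 443:
        return False, f"unexpected port {port}"

    return True, f"host {host!r} is under {TRUSTED_APEX}"


def triage(urls):
    """Run the check over a list of links and return [(url, accepted, reason)]."""
    return [(u, *check_zoom_link(u)) for u in urls]


# Constructed sample links (not real campaign data) mixing the official pattern
# with the lookalike patterns the article warns about.
SAMPLE_LINKS = [
    "https://us02web.zoom.us/j/1234567890?pwd=abc",
    "https://acme.zoom.us/my/podcast",
    "https://zoom.us.example-invite.com/j/1234567890",
    "https://zoom-us.com/download/ZoomInstaller.exe",
    "https://us02web.zoom.us@meeting-host.example/j/1",
    "http://us02web.zoom.us/j/1234567890",
    "https://us02web.zoom.us:8443/j/1234567890",
]

if __name__ == "__main__":
    for url, ok, reason in triage(SAMPLE_LINKS):
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {url}\n        {reason}")
```

Run it as-is to see the first two links accepted and the other five rejected with the reason for each. The same function can be dropped into a mail filter or a pre-click checker on the spare meeting device; the point is that the decision is made on the parsed hostname, not on whether the string contains "zoom".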
Conclusion: The Real Danger of Fake Meetings
Modern hackers do not rely on zero-day vulnerabilities but on excellent acting skills. They design "seemingly normal" Zoom meetings and wait for your one mistake.
Once you build the habits of device isolation, official sources, and multi-layer verification, these methods lose their opportunity. May every blockchain user stay clear of social engineering traps and protect both their vault and their identity.