
Lazarus-linked crypto hack wipes out ex-Animoca executive's life savings

Published 6 hours ago · 4 minute read

Ex-Animoca exec loses life savings in Lazarus-linked crypto phishing attack

Lazarus, a North Korean state-backed hacking group, has been linked to a phishing attack that resulted in the theft of a large portion of a former Animoca Brands executive's crypto holdings.

Mehdi Farooq, now an investment partner at Hypersphere Ventures, revealed that six of his cryptocurrency wallets were emptied after he unknowingly installed a fake Zoom update.

One minute I was prepping for a Zoom call. Ten minutes later, a large part of my life savings was gone. It started with a message on Telegram from Alex Lin — someone I knew. He wanted to catch up. I shared my Calendly link. He booked a slot for the next day. A few minutes

The elaborate scam exploited social trust, professional networks, and video conferencing software to carry out one of the most sophisticated wallet-draining attacks reported this year.

The phishing scheme began with a Telegram message sent to Farooq from someone appearing to be Alex Lin, a known acquaintance. After some back-and-forth, Farooq agreed to a call and shared his Calendly link to schedule a meeting.

The day of the meeting, the same account messaged again, citing compliance reasons to move the conversation to Zoom Business. Farooq was told that another known industry contact, Kent, would be joining the call.

The Zoom meeting appeared legitimate. The participants had their cameras turned on, but no audio could be heard. Instead, a message appeared in the meeting chat explaining that there were technical difficulties and asking Farooq to update his Zoom client.

He complied, and within minutes of installing the file, all six of his crypto wallets were compromised and emptied.

The attackers used malware disguised as a Zoom update to gain access to Farooq’s system.

The communication and social engineering techniques employed align with those seen in previous incidents linked to Lazarus Group, a well-known North Korean hacking unit accused of multiple high-value crypto thefts in recent years.

The phishing attack bore several hallmarks of Lazarus operations. These include impersonation of known industry contacts, the use of malware-laced installers, and manipulation of video conferencing platforms.

In this case, the attackers staged a convincing video call while disabling audio, a tactic that may have distracted Farooq from questioning the legitimacy of the situation.

Farooq’s experience comes just weeks after a similar phishing attempt targeted Kenny Li, co-founder of Manta Network. In that case, attackers used identical techniques—fake Zoom calls, impersonated contacts, and malware download prompts.

Li avoided falling victim by suggesting a switch to another communication platform, at which point the attackers disappeared.

Security researchers believe these coordinated attacks indicate Lazarus has refined its methods and increased its focus on exploiting trust between professionals.

The malware used in both incidents closely resembles code used in other Lazarus-attributed attacks, in particular the campaign analysts track as "DangerousPassword".

The attack on Farooq is part of a growing trend of sophisticated phishing campaigns targeting cryptocurrency executives and developers.

Founders and team members from Mon Protocol, Stably, and Devdock AI have also reported receiving suspicious messages that attempted to lure them into compromised Zoom environments.

On 11 March, Nick Bax from the Security Alliance shared a breakdown of the Lazarus-linked phishing strategy in a post on X, outlining how attackers use genuine social connections, coupled with video conferencing, to install remote access tools and steal crypto assets.

Nick Bax.eth

Having audio issues on your Zoom call? That’s not a VC, it’s North Korean hackers. Fortunately, this founder realized what was going on. The call starts with a few “VCs” on the call. They send messages in the chat saying they can’t hear your audio, or suggesting there’s an

Farooq shared that while the loss was substantial, several whitehat hackers and members of the crypto security community came forward to assist him in tracking down what happened.

Although the stolen funds are yet to be recovered, the incident has underscored the importance of verifying identities across multiple platforms and avoiding external software installations prompted during video calls.
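The practical check that follows from this advice is simple to automate. The example below is added here and is not code from the article, from Farooq or from any of the researchers it cites; it assumes the "update your Zoom client" lure arrives as a link in the meeting chat (the article describes only a chat prompt and an installed file), and it assumes a short allowlist of hosts Zoom itself serves downloads from, which should be confirmed against Zoom's own documentation before use. It rejects the tricks commonly used to make a lure look like the real domain: a subdomain of an attacker-controlled host that starts with "zoom.us", a "zoom.us@" userinfo prefix in front of the real host, punycode or non-ASCII lookalike names, plain http, and non-standard ports.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of official Zoom download hosts (verify against Zoom's
# documentation before relying on it). Anything else is treated as untrusted.
OFFICIAL_ZOOM_HOSTS = frozenset({
    "zoom.us", "www.zoom.us", "cdn.zoom.us",
    "zoom.com", "www.zoom.com",
})

# Matches http(s) URLs pasted into a chat message; trailing punctuation is trimmed later.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def check_update_link(url: str) -> tuple[bool, str]:
    """Return (is_official, reason) for a link claiming to be a Zoom update."""
    parts = urlsplit(url.strip())

    # Zoom serves its client over TLS only; a plain-http "update" is a red flag.
    if parts.scheme.lower() != "https":
        return False, "not https"

    # "https://zoom.us@evil.example/..." puts the real host after the '@';
    # urlsplit exposes the part before it as username, so reject any userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present in URL (host-spoofing trick)"

    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return False, "no host in URL"
    host = host.rstrip(".")  # treat a trailing FQDN dot as equivalent

    # Homoglyph / IDN lookalikes: either raw non-ASCII or punycode labels.
    if any(ord(c) > 127 for c in host):
        return False, "non-ASCII characters in host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode (IDN) host"

    # A bad port string makes .port raise ValueError; treat that as hostile.
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, f"non-standard port {port}"

    # Exact match only: "zoom.us.update-client.example" is NOT zoom.us.
    if host not in OFFICIAL_ZOOM_HOSTS:
        return False, f"host {host!r} is not an official Zoom host"
    return True, "ok"


def scan_chat_message(text: str) -> list[tuple[str, bool, str]]:
    """Find every URL in a chat message and classify it with check_update_link."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)]")  # drop punctuation glued to the link
        ok, reason = check_update_link(url)
        results.append((url, ok, reason))
    return results


# Constructed sample chat line in the style the article describes (not a real
# message from the incident).
SAMPLE_CHAT = (
    "Sorry, we can't hear you. Please update your Zoom client here: "
    "https://zoom.us.update-client.example/ZoomInstaller.pkg."
)

if __name__ == "__main__":
    for url, ok, reason in scan_chat_message(SAMPLE_CHAT):
        print(("OK     " if ok else "REJECT "), url, "-", reason)
```

The deciding rule is exact host matching against a short allowlist; prefix or substring matching is exactly what lookalike domains are built to defeat. Even a link that passes should still be followed by the normal verification of the downloaded installer's code signature before it is run.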

The post Lazarus-linked crypto hack wipes out ex-Animoca executive's life savings appeared first on Invezz
