Lazarus Group Hacks Crypto Execs via Zoom Calls

Lazarus Group Launders $759K, Targets Executives via Zoom

Rubab Fatima

13 March 2025

Lazarus Group Launders $759K, Targets Executives via Zoom

The North Korea-linked Lazarus Group continues operating its cybercriminal activities and now uses Zoom calls to steal from crypto executives.

The Lazarus Group sent 400 ETH worth around $759,444 into Tornado Cash mixing service on March 13 per blockchain security data by CertiK. CertiK informs everyone to stay alert as they observe this skilled group’s activities regularly.

The Lazarus Group led many of the biggest cryptocurrency cyberattacks ever executed. The Ronin network suffered a major breach in 2022 that stole $624 million while another attack in February 2023 let Lazarus Group steal $1.4 billion from Bybit exchange.

#CertiKInsight 🚨

We have detected deposit of 400 ETH in https://t.co/0lwPdz0OWi on Ethereum from:
0xdB31a812261d599A3fAe74Ac44b1A2d4e5d00901
0xB23D61CeE73b455536EF8F8f8A5BadDf8D5af848.

The fund traces to the Lazarus group's activity on the Bitcoin network.

Stay Vigilant! pic.twitter.com/IHwFwt5uQs

— CertiK Alert (@CertiKAlert) March 13, 2025

New Malware Targets Crypto Developers, Stealing Wallet Information

The crypto world keeps watching for the stolen money movement after the Lazarus Group started cleaning the cryptocurrency crime cash more aggressively. Security professionals focus on a new malware attack that has targeted cryptocurrency developers since multiple months.

The attackers use this malware to steal money and steal information from cryptocurrency wallets MetaMask, Exodus, and Atomic by infecting the NPM supply chain. The Lazarus Group now targets crypto company founders in their illegal operations.

The criminal hackers use Zoom meetings as a fake method to acquire digital money and sensitive private information. According to Nick Bax from the Security Alliance a cybersecurity expert the attackers position themselves as legitimate business partners then fakes technical problems during their meeting.

The video shows a bland venture capitalist on screen while requesting the user to click on a fraudulent link sent through a call. The user’s click starts malware installation automatically on their device.

The method described by Bax has led to the theft of tens of millions through numerous groups that copy his approach. The expert says he sees more organized threats of this kind because the group uses advanced technical methods.

Although the hackers’ true identity remains unknown multiple signs indicate that the Lazarus Group performed these attacks. Chainalysis research shows North Korean-linked hacker groups lead the field in crypto theft because of their skilled techniques and unstoppable resourcefulness.

Lazarus Group Behind $1.34 Billion in Crypto Theft in 2024

Groups of digital thieves stole $1.34 billion through 47 separate thefts in 2024 which made up 61% of all global criminal crypto thefts that year. MON Protocol Pixelmon CEO Giulio Xiloyannis explained his own experience when the attack occurred. After getting a risky Zoom link Xiloyannis installed malware onto his system.

He successfully spotted the online scam indicators as he noticed the unscheduled browser-based Zoom meeting followed by the need to enter terminal code. Because he stayed alert the attack failed to harm him. Several more crypto business leaders including Melbin Thomas, David Zhang and Christoph Mussenbrock experienced hackers trying to enter their systems through the Zoom scam.

Another day another North Korean scammer
This time using the same "fake Zoom" scam that's been popular recently
I'll detail what happened to me in this 🧵 pic.twitter.com/X5UZAKJjR0

— David Zhang (▲) (@dazhengzhang) March 12, 2025

The Lazarus Group continues its successful cyber operations and shows no plans to stop. Expert analysts predict that North Korean hackers push the limits with advanced crypto heists and scams to fund foreign operations despite international bans.

According to Tom Robinson of Elliptic crypto investigation firm North Korea leads worldwide efforts to launder stolen digital assets. When cryptocurrency players see this level of advanced attacks they must develop strong defenses to shield against theft.

The crypto industry keeps encountering sophisticated cyberattacks by the Lazarus Group who improves their strategies to steal cryptocurrency assets.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	session	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
spcsrf	2 hours	This cookie is used for ensuring the security of the website and visitors. This cookie ensures visitor browsing security by preventing cross-site request forgery.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
_wpfuuid	11 years	This cookie is used by the WPForms WordPress plugin. The cookie is used to allows the paid version of the plugin to connect entries by the same user and is used for some additional features like the Form Abandonment addon.

Cookie	Duration	Description
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
SPSI	session	This cookie is used for setting a unique ID for the session and it collects user behaviour on the website during the session. This collected information is used for statistical purposes.
user_id	10 years 2 months 6 days	This cookie is used for identifying the user. It helps to keep track of the visitor profile for future sessions and for customizing their experience.
_dc_gtm_UA-127046568-1	1 minute	This is a Google Tag Manager cookie that is used to control the loading of a Google Analytics script tag, to track the performance of ad campaigns.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_8Z4LPYV357	2 years	This cookie is installed by Google Analytics.
_ga_HJEQGVMT2D	2 years	This cookie is installed by Google Analytics.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
mc	1 year 1 month	Quantserve sets the mc cookie to anonymously track user behaviour on the website.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
__qca	session	The __qca cookie is associated with Quantcast. This anonymous data helps us to better understand users' needs and customize the website accordingly.

Cookie	Duration	Description
adOtr	session	No description available.
BiggerBuyAmount_ABvariant	1 month	No description
clear_confirm_ABvariant	1 month	No description
ipcountry	1 month	No description
livechat_delay	1 month	No description
ppwp_wp_session	30 minutes	No description
PRLST	session	No description available.
progress_bar_ABvariant	1 month	No description
SPSE	session	No description available.
sp_lit	5 minutes	No description available.
time	session	No description available.
UTGv2	5 months 27 days	No description available.
WTP_AB_variant	6 months 3 days	No description
_dlt	1 day	No description
__zrtbanner49	3 months	No description

Lazarus Group Launders $759K, Targets Executives via Zoom

New Malware Targets Crypto Developers, Stealing Wallet Information

Lazarus Group Behind $1.34 Billion in Crypto Theft in 2024

LEAVE A REPLY

ABOUT US

FOLLOW US