In the high-stakes ecosystem of Web3 and venture capital, receiving a meeting request from a VC, a recruiter, or a journalist is routine. However, a highly sophisticated social engineering campaign—largely attributed to DPRK-linked threat actors—is turning these “discovery calls” into a fast track to total system compromise.
The lure is simple: “Let’s jump on a call.” The technical hook is more subtle: “Our company uses a custom, high-security AI Video Conferencing tool for security. Please download the client here.”
If you click that link, you aren’t joining a meeting. You are detonating a Remote Access Trojan (RAT).
The Modus Operandi: Social Engineering at its Finest
These attackers do not just send cold links; they build rapport over days or weeks. They impersonate recruiters from established firms, CTOs of emerging DeFi projects, or journalists looking to “profile your project.” Their goal is to bypass your skepticism through professional intimacy.
High-Risk Attack Profiles
- Developers: Targeted with “take-home technical tasks” or collaborative “code reviews.”
- VCs and Founders: Lured with “investment opportunities” or exclusive “pitch meetings.”
- C-Suite Executives: High-value targets for corporate espionage and data exfiltration.
- Crypto Whales: The ultimate prize for immediate financial drain through crypto scamming.
The “No Sound” Trick: A Psychological Exploit
One of the most effective tactics used to induce panic is the “No Sound” trick. Upon joining a legitimate-looking web interface, your audio fails to work. The “support” person on the other end immediately sends a link to an “SDK Update” or a “Sound Fixer” to resolve the issue.

In the rush to remain professional during a high-stakes meeting, the user downloads the file. This is the moment of infection. This crypto scam relies on “pretexting”—creating a fabricated scenario where the victim feels compelled to bypass security protocols to save the meeting.
Deep Dive: How the Malware Compromises Your System
Once the malicious file is executed, standard browser phishing protection is usually insufficient. The payload (typically .exe files for Windows or .app for macOS) performs the following technical actions:
- System Persistence: The RAT installs itself deep within the operating system, ensuring it restarts even after a reboot.
- Credential Harvesting: It scans for session cookies, saved passwords, and locally stored seed phrases or private keys.
- Wallet Interaction: Advanced versions can intercept the clipboard, replacing your intended deposit address with the attacker’s.

According to research by Chainalysis, social engineering remains one of the primary drivers of cryptocurrency theft, with billions lost annually to sophisticated state-sponsored actors.
Indicators of Compromise (IOCs)
Prevention begins with identification. Below is a list of detected domains that are part of this attack infrastructure. If you see these links in an invitation, terminate communication immediately:
Note: This is a partial list. Attackers rotate domains constantly to evade basic detection.
5 Warning Signs of a Fake Call Scam
To maintain your brand security and asset integrity, watch for these red flags:
- Proprietary Platforms: Requests to use tools other than the industry standards (official Zoom, Google Meet, Teams).
- Forced Downloads: Any “update” or “driver” required just to join a browser-based call.
- Unusual Domains: Links originating from zoom-support-us.com instead of the official zoom.us.
- Sense of Urgency: Constant pressure to fix the “technical issue” quickly.
- Unsolicited Outreach: High-profile individuals contacting you via Telegram or Discord without a mutual connection.
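Because the attackers rotate domains, a blocklist of known-bad hosts ages quickly; the "Unusual Domains" check is more durable when written as an allowlist. The following Python sketch is an added example, not code from the original article: it pulls every link out of an invitation, refangs it, and classifies the host. The allowlist contents, the brand token, and the sample invitation are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: zoom.us is the official domain named in the article; the
# Google Meet and Teams hosts are added for this example. Adjust for your org.
OFFICIAL_HOSTS = ("zoom.us", "meet.google.com", "teams.microsoft.com")
BRAND_TOKENS = ("zoom",)  # brand words a lookalike host borrows (assumption)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample invitation. zoom-support-us.com is the lookalike named in
# the article; the .example hosts are placeholders.
SAMPLE_INVITE = """\
Join here: https://us02web.zoom.us/j/0000000000
Audio fix: hxxps://zoom-support-us[.]com/sdk-update
Mirror: https://zoom.us.meeting-client.example/download
Deck: https://files.example/pitch.pdf
"""


def refang(text):
    """Undo common defanging (hxxp, [.]) so hosts can be parsed and compared."""
    return re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.IGNORECASE)


def classify_host(host):
    """Return 'official', 'lookalike' or 'unlisted' for one hostname."""
    host = host.lower().rstrip(".")
    # Match the allowlisted name itself or a true subdomain of it. A plain
    # substring test would accept zoom.us.meeting-client.example.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_HOSTS):
        return "official"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unlisted"


def scan_invite(text):
    """Extract every URL from an invitation and classify its host."""
    hosts = (urlsplit(url).hostname or "" for url in URL_RE.findall(refang(text)))
    return [(host, classify_host(host)) for host in hosts]


if __name__ == "__main__":
    for host, verdict in scan_invite(SAMPLE_INVITE):
        print(f"{verdict:10} {host}")
```

An "unlisted" verdict means only that the host is not on the allowlist; it is not a clean bill of health, and a download offered from such a host deserves the same scrutiny as one from a lookalike.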

Helping You Understand
Can a hardware wallet protect me from this attack?
While a hardware wallet is a critical layer of phishing protection, it is not a silver bullet against a RAT. If an attacker has remote access to your computer, they can wait for you to connect your wallet or use “address poisoning” techniques to trick you into signing a malicious transaction.
How can I report a crypto scam website?
If you encounter a suspicious link, report it immediately to brand protection services like Phishfort. It is also vital to notify the FBI’s Internet Crime Complaint Center (IC3) to help track these global threat actors.
Strengthening Your Digital Risk Protection
At Phishfort, we specialize in fake website protection and domain takedowns. In an era where “Human-in-the-Loop” attacks are becoming the norm, automated security is no longer enough. You need proactive monitoring that identifies impersonation attempts before they reach your inbox.
For a blind spot as vast as the internet, we are your eyes. Contact us for more information about our protection services.