A sophisticated phishing scam targeting cryptocurrency users through fake Zoom meetings has been detected by the blockchain security firm SlowMist. The attackers use counterfeit Zoom meeting links to distribute malware built specifically to steal cryptocurrency assets. They employed advanced tactics to compromise sensitive information such as private keys and wallet data, leading to significant financial losses for users. The scheme operated from a lookalike domain, “app[.]us4zoom[.]us,” which closely resembles a legitimate Zoom domain, as reported by SlowMist on December 27.
Victims were deceived into clicking a “Launch Meeting” button that, instead of opening the Zoom application, triggered the download of a malicious file named “ZoomApp_v.3.14.dmg.” The package ran a script that prompted users for their system password. SlowMist found that this script invoked a hidden executable, “.ZoomApp,” designed to collect system information, browser cookies, KeyChain data, and cryptocurrency wallet credentials. The stolen data was sent to a server under the attackers’ control, linked to an IP address flagged as malicious by numerous threat intelligence sources.
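The lure in this campaign rests on a domain that merely contains the word “zoom” rather than being registered under Zoom’s own domains. The following Python script is an added example for defenders (it is not SlowMist’s tooling and not part of the original report): it checks a supposed meeting link against an allowlist of Zoom’s registrable domains and flags anything else that trades on the Zoom name as a lookalike. The allowlist `ZOOM_DOMAINS` and the two-label registrable-domain rule are assumptions made for this example; the defanged indicator `app[.]us4zoom[.]us` is the one from the report, and the other sample URLs are constructed.

```python
from urllib.parse import urlparse

# Assumption for this example: the organisation maintains its own allowlist of
# the registrable domains under which real Zoom links are served.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as app[.]us4zoom[.]us back into a real URL/hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname.

    This is sufficient for zoom.us / zoom.com; a production check would consult
    the public-suffix list so that e.g. *.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_legitimate_zoom_host(host: str) -> bool:
    """True only if the host is registered under one of Zoom's own domains."""
    return registrable_domain(host) in ZOOM_DOMAINS


def classify_meeting_link(url: str) -> str:
    """Classify a supposed Zoom meeting link as 'ok', 'lookalike' or 'unrelated'.

    'lookalike' covers both the us4zoom[.]us pattern from the report (zoom as
    part of a different registrable domain) and the subdomain trick where
    'zoom.us' appears as a prefix of an attacker-controlled domain.
    """
    parsed = urlparse(refang(url))
    host = parsed.hostname or ""
    if not host:
        return "unrelated"
    if is_legitimate_zoom_host(host):
        return "ok"
    if "zoom" in host.lower():
        return "lookalike"
    return "unrelated"


def triage(urls):
    """Return only the links that should be blocked or escalated (lookalikes)."""
    return [u for u in urls if classify_meeting_link(u) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample set; the first entry is the indicator from the report.
    samples = [
        "hxxps://app[.]us4zoom[.]us/j/1234567890",
        "https://zoom.us/j/1234567890",
        "https://zoom.us.evil.example/j/1234567890",
        "https://example.com/meeting",
    ]
    for u in samples:
        print(f"{classify_meeting_link(u):10} {u}")
```

The check deliberately does not try to decide whether a site *looks* like Zoom; it asks only whether the link is served from a domain Zoom actually controls, which is the property a lookalike cannot forge. Pairing this with a rule that flags a `.dmg` download being offered in place of a meeting join is a natural second layer.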
The malware, identified as a Trojan, underwent static and dynamic analysis, which revealed its capability to decrypt data and extract stored credentials on the victim’s device, including wallet mnemonic phrases and private keys. This allowed the attackers to siphon off significant amounts of cryptocurrency. The backend system used for the operation was located in the Netherlands and appeared to use Russian-language scripts, with the Telegram API employed to track victim interactions. The phishing campaign, which commenced on November 14, 2024, has already stolen millions of dollars in crypto.
In tracing the illicit activity on the Ethereum blockchain, SlowMist used its anti-money-laundering tool, MistTrack, to follow the movement of the stolen funds. One address identified in the tracing showed conversions of the USD0++ and MORPHO tokens into 296 Ether (ETH), which was later traded on platforms such as Binance, Gate.io, Bybit, and MEXC. A secondary address was used for small ETH transfers, covering transaction fees for 8,800 addresses.
The analysis provided by SlowMist included a visual depiction of the stolen Ethereum, revealing the transaction pathways between various wallets and exchanges, illustrating its conversion into Tether (USDT) and other cryptocurrencies. This detailed mapping highlights the strategic distribution and laundering of the stolen funds across multiple sites.