Kenny Li, Manta Network co-founder, recently dodged a sophisticated phishing attempt believed to be carried out by North Korea’s Lazarus Group.
On April 17, Li revealed on X (formerly Twitter) that he had been targeted through a Zoom meeting. The attack began when a familiar contact invited him to chat over Zoom. Once inside the call, the setup seemed legitimate: the person had their camera on and appeared recognizable.
However, the audio didn’t work, and soon Li was prompted to download a suspicious script file disguised as a Zoom update.
Sensing something was off, he asked to continue the conversation on Google Meet or Telegram. The impersonator refused, deleted all chat history, and immediately blocked him. Li later confirmed that the real person had been hacked and their identity was used to stage the attack.
Zoom Scams Becoming a Pattern
This isn’t the first time Lazarus has used Zoom as a phishing tool. On March 11, Nick Bax of the Security Alliance posted a similar warning on X. He explained that attackers often pose as venture capitalists (VCs) and complain of audio issues. Then, they redirect victims to a fake Zoom room and push them to install a malicious “patch.”
This method has reportedly helped attackers steal millions in crypto, and now others are copying it.
“Having audio issues on your Zoom call? That’s not a VC, it’s likely North Korean hackers,” Bax warned.
Kenny Li is not alone. Other crypto founders have faced nearly identical scams in recent weeks.
Giulio Xiloyannis, co-founder of Mon Protocol, recounted how a scammer posed as a lead from Story Protocol. The attacker invited him and his marketing lead to a meeting, only to abruptly switch to a fake Zoom link with audio issues. Their real goal was malware installation.
David Zhang, co-founder of stablecoin platform Stably, faced a similar ploy. Although the meeting started on Google Meet, scammers tried to switch him to Zoom. Luckily, Zhang joined from a tablet, which may have blocked the malware from running effectively.
Melbin Thomas, founder of Devdock AI, was also targeted. He began installing the fake update but didn’t enter his password. He then disconnected his laptop, performed a factory reset, and moved his files to an external hard drive. Still unsure of the damage, he has yet to reconnect the drive.
“I haven’t plugged the hard drive back in. Not sure if it’s infected,” Thomas noted.
Ongoing Threat to Crypto Industry
These attacks come on the heels of a joint warning from the US, Japan, and South Korea in January. Authorities identified the Lazarus Group as an increasing threat to the crypto sector.
With past ties to massive breaches (including the Ronin and Bybit hacks), Lazarus continues to evolve its methods. For founders and crypto professionals, even a routine video call can now be a trap. Staying vigilant is more important than ever.