Phishing attack via fake Zoom links steals millions in crypto assets

December 27, 2024
A recent report by blockchain security firm SlowMist has uncovered a sophisticated phishing attack disguised as Zoom meeting links. The attackers used malicious software to steal cryptocurrency assets worth millions of dollars, highlighting the growing threat of cybercrime targeting digital assets.

The Phishing Attack Unveiled

The phishing scheme employed a domain resembling a legitimate Zoom link, “app[.]us4zoom[.]us,” to deceive users into downloading a malicious installation package named “ZoomApp_v.3.14.dmg.” Once downloaded and executed, the malware prompted users to enter their system password, allowing the hackers to extract sensitive data from the victim's device.

The phishing page closely mimicked Zoom’s interface, with a “Launch Meeting” button that triggered the malicious download. SlowMist’s analysis revealed the attackers used Russian-language scripts and monitored victim activity via the Telegram API.

The malicious program ran a script that extracted data from the victim’s system, including browser information, cryptocurrency wallet data, and passwords stored in the macOS Keychain. The malware compressed this data and transmitted it to a hacker-controlled server located in the Netherlands. The server, flagged as malicious by multiple threat intelligence platforms, facilitated the theft of sensitive information, including wallet mnemonic phrases and private keys.

Tracing the Stolen Funds

Using its MistTrack on-chain tracking tool, SlowMist analyzed the hackers' cryptocurrency addresses. The primary address profited over $1 million, converting stolen assets like USD0++ and MORPHO into 296 ETH. These funds were subsequently distributed to multiple new addresses and exchanged across platforms such as ChangeNOW, MEXC, and Gate.io.

Further analysis revealed that smaller amounts of ETH were sent to a platform suspected of providing transaction fees to the hacker’s main address. The final destinations of the stolen funds included major platforms like Binance, Bybit, Cryptomus.com, and FixedFloat.

Dynamic analysis of the malware in a virtual environment revealed the extent of its capabilities, including collecting local data and sending it to the attackers’ backend servers. The malware’s execution process highlights the dangerous combination of social engineering and Trojan techniques employed by cybercriminals.

SlowMist’s findings underscore the significant risks posed by phishing attacks to the cryptocurrency ecosystem, with hackers exploiting unsuspecting users through seemingly legitimate communication tools.

Preventive Measures and Recommendations

The SlowMist Security Team advises users to exercise caution when clicking on meeting links, especially those that appear unfamiliar. Users should avoid executing unknown software or commands, install and update antivirus software regularly, and remain vigilant against phishing attempts.
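A small triage check that applies this advice to the lure described above, the lookalike host “app[.]us4zoom[.]us” serving a “.dmg” installer, is shown below. It is an added example, not code from SlowMist or from the article: it refangs an indicator as written in a report, compares the link’s registered domain against a short allowlist of legitimate Zoom domains (the allowlist and the naive “last two labels” domain extraction are assumptions for illustration; a production check would use the Public Suffix List and the organisation’s own policy), and separately flags a meeting link whose path is a native installer package rather than a web page.

```python
from urllib.parse import urlsplit

# Assumed allowlist of legitimate Zoom registered domains (example only).
ZOOM_LEGIT_DOMAINS = ("zoom.us", "zoom.com")

# File extensions that indicate a native installer rather than a web page.
INSTALLER_EXTENSIONS = (".dmg", ".pkg", ".exe", ".msi")


def refang(indicator: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging commonly used in threat reports."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    """Naive eTLD+1: the last two DNS labels.

    Adequate for .us and .com as used here; a real deployment should use
    the Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_meeting_link(url: str) -> str:
    """Return 'legitimate', 'lookalike', 'unknown' or 'invalid' for a meeting link.

    A host is 'lookalike' when it contains the brand name 'zoom' but its
    registered domain is not on the allowlist; this catches both
    'app.us4zoom.us' (brand embedded in the label) and 'zoom.us.evil.example'
    (brand used as a subdomain of an attacker-controlled domain).
    """
    host = urlsplit(refang(url)).hostname or ""
    if not host:
        return "invalid"
    if registered_domain(host) in ZOOM_LEGIT_DOMAINS:
        return "legitimate"
    if "zoom" in host.lower():
        return "lookalike"
    return "unknown"


def is_installer_download(url: str) -> bool:
    """True when the link points directly at a native installer package."""
    path = urlsplit(refang(url)).path.lower()
    return path.endswith(INSTALLER_EXTENSIONS)


def triage(url: str) -> dict:
    """Combine both checks into one verdict a help-desk or SOC script can log."""
    verdict = classify_meeting_link(url)
    installer = is_installer_download(url)
    return {
        "url": url,
        "verdict": verdict,
        "installer_download": installer,
        "block": verdict in ("lookalike", "invalid") or installer,
    }


if __name__ == "__main__":
    # Constructed sample links: the first uses the defanged host from the
    # SlowMist report with an assumed path; the rest are illustrative.
    samples = [
        "hxxps://app[.]us4zoom[.]us/ZoomApp_v.3.14.dmg",
        "https://us04web.zoom.us/j/1234567890",
        "https://zoom.us.evil.example/launch",
        "https://example.com/meeting",
    ]
    for link in samples:
        print(triage(link))
```

The brand-substring heuristic is deliberately coarse: it is meant to send a link to a human or to a stricter check, not to be the only control. The installer check is the more decisive signal in this case, since a legitimate “Launch Meeting” flow does not hand the user a disk image to run.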
