Phishing Attack Used Real Faces, Script Download Prompt on Zoom

Kenny Li, co-founder of the privacy-focused blockchain Manta Network, says he narrowly avoided a highly advanced phishing attack via Zoom, which he believes was orchestrated by the North Korean state-backed Lazarus Group.

In an April 17 post on X, Li recounted joining a scheduled Zoom meeting where the attacker appeared to be a known contact with their webcam turned on, but offered no audio and asked him to download a script file for a supposed Zoom update.

“I could see their legit faces. Everything looked very real. But I couldn’t hear them,” Li explained.
“It said my Zoom needs an update. But it asked me to download a script file. I immediately left.”

🚨 Just got targeted by Lazarus.

A known contact on TG reached out to me to ask for a chat. Scheduled a Zoom call. When I got on the Zoom, it asked me for camera access which I found a bit odd because I have used Zoom many times.

Even crazier, the team members had their…

— 🤓Kenny.manta (@superanonymousk) April 17, 2025

Li said the attacker refused to verify their identity via Telegram call, then deleted all messages and blocked him after he requested the call be moved to Google Meet.

Recorded Footage, Not Deepfakes

In an interview with Cointelegraph, Li clarified that the video feed appeared to use real webcam footage from prior recordings of the actual person, as the quality did not resemble AI-generated deepfakes.

“It didn’t seem AI-generated. The quality looked like what a typical webcam looks like,” Li said.

Li later confirmed that the real accounts of the impersonated individual had been compromised, likely granting the hackers access to past recordings and calendars, which were used to add realism to the attack.

“Never Download Anything” — Li Warns Crypto Industry

Li used the opportunity to warn others in the crypto and Web3 space, who often receive impromptu meeting requests and unknown file links, to remain extremely cautious.

“The biggest red flag will always be a downloadable,” Li emphasized.
“Whether it’s an update, attachment, or app — if you need to download something to continue the meeting, don’t do it.”

He explained that these attacks exploit emotional familiarity and executive fatigue, making even security-savvy founders vulnerable to social engineering.

More Victims Report Similar Attacks

Li’s experience appears to be part of a wider attack campaign targeting individuals in the crypto community.

A member of ContributionDAO reported a near-identical phishing attempt. They were told to download a special version of Zoom for “business use” via an external link, despite already having the app installed. When they suggested switching to Google Meet, the attacker refused.

“They claimed it had to be their registered business version,” the user recalled.

Crypto researcher @Meekdonald on X said that a friend of theirs fell victim to the same ploy — further suggesting the attack may be part of a coordinated campaign targeting crypto founders, researchers, and project contributors.

Final Thoughts: Social Engineering Gets a Sophisticated Upgrade

The attempted hack on Kenny Li is a stark reminder that the Lazarus Group’s tactics are evolving, combining technical knowledge with psychological manipulation to target high-value individuals in the crypto sector.

As the industry matures, attackers are no longer relying on spammy emails or obvious scams. Instead, they’re weaponizing trust, using real faces, real names, and real meeting platforms to trick insiders into lowering their defenses.

For those working in crypto, the new rule of thumb may be simple: If a video call asks you to download something — hang up.