Crypto scammers are up to no good again, and their latest weapon appears to be malicious links to a webpage that looks and feels almost exactly like the video conferencing platform Zoom, which prompts users to install malware when clicked.

On July 22, non-fungible token collector and cybersecurity engineer “NFT_Dreww” alerted X users to a new “extremely sophisticated” crypto scam involving fake links for Zoom.

Malicious Zoom link. Source: NFT_Dreww

Drew said the scammers have already stolen $300,000 worth of crypto from the method.

How the scam works

Like many social engineering scams, Drew explained that scammers typically target non-fungible token (NFT holders or crypto whales, asking if they would be interested in licensing their intellectual property, inviting them to Twitter Spaces, or asking them to join a team for a new project.

The scammers will insist on using Zoom and hurry the target to join a meeting in progress using a hard-to-notice malicious link.

Comparing the malicious domain with the genuine one. Source: NFT_Dreww
“It's extremely easy to fall for this... I doubt 80% of people verify each character in a link that's sent, especially a Zoom link.”

Once the link is clicked, the user will be met with a “stuck” page showing an infinite loading screen. The page will then prompt the user to download and install ZoomInstallerFull.exe, which is actually malware.

Screenshot of malware being installed. Source: any.run

Once installed, the page will redirect back to the official Zoom platform, making the user believe it worked, but by then, the malware has already infiltrated the target computer and stolen the data and loot, explained Drew.

According to technologist “Cipher0091,” whom Drew also credits for his X thread, when the malware is first executed, it adds itself to the Windows Defender exclusion list to prevent antivirus systems from blocking it.

“Then it begins executing and extracting all your information while the software is distracting you with the “spinning loading page” and going through the process of accepting T&Cs, etc,” explained Drew.

He added that the scammers will keep changing domain names to prevent them from being flagged, and this was their fifth domain so far for this scam.

Social engineering crypto scams are not new, but they do keep evolving. Several crypto community members have reported receiving malicious emails this week from scammers impersonating other crypto influencers and executives.

The email contains a malicious attachment that will likely install crypto-stealing malware if executed.