YEREVAN (CoinChapter.com) — Manta Network co-founder Kenny Li said on April 17 that he avoided a phishing attack carried out during a Zoom call. The attacker used real video recordings of known team members to impersonate them. The goal was to convince Li to download a script file.
Li posted on X that the camera feed looked authentic, showing a familiar face. However, there was no audio during the meeting. A message appeared on screen claiming his Zoom required an update, followed by a prompt to download a script file.
“I could see their legit faces. Everything looked very real. But I couldn’t hear them. It said my Zoom needs an update. But it asked me to download a script file. I immediately left,” Li wrote.
He requested to switch the conversation to Google Meet and asked for a Telegram voice verification. The attacker refused, deleted all messages, and blocked Li.

Kenny Li Connects Zoom Hack to Lazarus Group
The Manta Network executive believes the Lazarus Group was behind the phishing attempt. He explained that the attacker used old footage from previous team calls. The visuals appeared to be standard webcam recordings, not AI-generated.
Li said the hacker impersonated a real team member whose accounts had been compromised. The attack was designed to appear credible by using real video content instead of animated or generated images.
Li managed to capture screenshots before the attacker deleted the messages. In those messages, Li asked to move the conversation to Google Meet instead of downloading the script. The hacker continued to insist on staying on Zoom.

The method used was social engineering, targeting emotional trust and the fast-paced nature of crypto work. The attacker framed the malware download as a routine update, aiming to bypass suspicion.
Li warned others in the crypto space to be cautious of unexpected download requests. He said the most dangerous sign is any file or script download during conversations or meetings.
“The biggest red flag will always be a downloadable. Whether it’s in the form of an update, an attachment, app, or anything else, if you need to download something in order to continue something with the person on the other side, don’t do it,” Li wrote on X.
His case adds to the list of phishing attacks targeting crypto leaders. Several others shared similar experiences following Li’s post.

Zoom Hack Method Also Reported by ContributionDAO Member
A member of ContributionDAO confirmed they experienced a nearly identical attack. They received a Zoom link and were told to download a version specific to the attacker’s business needs. Even though they had Zoom installed, it did not work during the call.
“They also asked me to download Zoom via their link, and said that it’s only for their business,” the user said. “They claimed it had to be a business version that they had registered.”
The attacker rejected the user’s request to switch the call to Google Meet.
This mirrored Li’s experience, where the impersonator insisted on keeping the meeting on Zoom and avoided any platform change or verification.

Same Lazarus Strategy Hits Other Crypto Users
Crypto researcher and X user “Meekdonald” shared that a friend had already fallen victim to the same strategy. The attack followed the same steps: a Zoom invite, no sound, a download prompt, and refusal to switch platforms.
The Lazarus Group has been linked to similar attacks before. In 2024, they were connected to a $1.4 billion Bybit hack. The Manta Network case marks another example of phishing attacks shifting from emails to live meetings.
The attacker’s method used real faces and known platforms like Zoom. Li’s screenshots and the refusal to verify identity added weight to the suspicion.
Kenny Li repeated that any file or software sent during a call should be seen as suspicious. This includes Zoom updates, app installations, or scripts. He said attackers may use real content and pressure tactics during meetings.
The method used against Manta Network shows how phishing attacks are evolving. Instead of fake emails, attackers now rely on compromised accounts and known video content.

Other Lazarus Phishing Events Targeting Crypto
The Lazarus Group has previously used social engineering to breach crypto platforms. In March 2023, cybersecurity firm ESET reported that Lazarus targeted blockchain engineers by posing as recruiters. Victims received fake job offers over LinkedIn and were later tricked into opening infected documents that installed malware.

In another case, SlowMist confirmed that a phishing campaign disguised as a VC funding proposal led to wallet drains. The attackers used realistic email threads, spoofed domains, and cloned websites. Once the target responded, they were pushed to open PDF files containing embedded malware.
In August 2023, Lazarus targeted Ethereum developers via GitHub. The attackers submitted malicious pull requests with seemingly harmless changes. Once merged, the code executed scripts that collected sensitive system data and tried to access wallet files.
The FBI has attributed over $2 billion in crypto thefts to the Lazarus Group since 2017. Most attacks followed the same pattern: building trust through known platforms, using realistic personas, and executing malware through a disguised file or platform.

These incidents reflect a broader pattern. Instead of mass spam, Lazarus uses tailored messages and hijacked identities to carry out attacks. The phishing method seen in the Manta Network case aligns with this ongoing strategy.