A sophisticated cybercrime campaign, dubbed Elusive Comet, has been uncovered, in which North Korean threat actors are exploiting Zoom's remote control feature to infiltrate the systems of cryptocurrency professionals. This attack represents a notable shift in tactics used by cybercriminals targeting the cryptocurrency sector and highlights the risks posed by commonly used communication tools like Zoom.
The research behind the discovery was released by Security Alliance, which tracked and analyzed the campaign. While the attack shares similarities with operations previously associated with North Korea's Lazarus Group, the exact attribution remains unconfirmed, complicating efforts to definitively identify the perpetrators.
The Elusive Comet campaign begins with cybercriminals impersonating venture capitalists, media representatives, or business partners to lure cryptocurrency professionals into Zoom meetings. The attackers craft a compelling ruse, often posing as individuals looking to interview the victim for a podcast or media feature. Victims are sent unsolicited invitations to join Zoom calls, often via links in phishing emails or messages. Once the victim accepts the invitation, the attackers ask for remote control access to the individual's computer under the guise of technical support or presentation assistance.
Zoom's remote control feature, part of the platform's accessibility suite, allows one participant to take control of another's screen with explicit permission. In this attack, the cybercriminals manipulate the victim into granting them remote control by changing their Zoom display name to "Zoom," creating a false sense of legitimacy. Once control is granted, the attacker can secretly install malware, including infostealers and remote access trojans (RATs), onto the victim's machine. The malware then exfiltrates sensitive data, including cryptocurrency wallet credentials, personal information, and private keys.
This attack's success hinges on the victim trusting the Zoom platform and believing that the remote control request is a legitimate prompt from the system. Once the attacker has control, they can not only steal sensitive information but also manipulate the victim's actions, making it harder to detect malicious activity.
Jake Gallen, the CEO of Emblem Vault, a cryptocurrency-related business, fell victim to the Elusive Comet campaign. He lost more than $100,000 in digital assets after agreeing to a Zoom interview with an individual posing as a media personality. During the interview, the attacker requested remote control access to Gallen's computer, which was subsequently granted. The malware, identified as "GOOPDATE," was installed, allowing the attacker to access Gallen's cryptocurrency wallets and drain the funds.
This incident highlights a critical vulnerability in cryptocurrency communities, where executives and high-net-worth individuals may be especially exposed to social engineering because of the high volume of media and investor engagement they handle. The loss also underscores the value of raising awareness of cybersecurity hygiene among cryptocurrency professionals.
The Elusive Comet campaign was first tracked and reported by Security Alliance, a cybersecurity research and advisory firm that specializes in investigating advanced persistent threats (APTs). In its March 2025 report, Security Alliance provided detailed insight into the tactics, techniques, and procedures (TTPs) used by the attackers.
According to Security Alliance's findings, the campaign relied on social engineering and Zoom's remote control feature to infect targets with malware. The researchers emphasized the sophistication of the attack, noting that it specifically targeted cryptocurrency professionals and executives.
While the research from Security Alliance highlighted the potential involvement of North Korean hackers, including similarities with previous Lazarus Group operations, they stopped short of officially attributing the campaign to Lazarus. This reflects the challenges of attribution in cybercrime investigations, where multiple groups may employ similar tactics or share tools.
Although the attack bears similarities to operations attributed to Lazarus in the past—such as the use of social engineering, malware, and targeting of cryptocurrency assets—no official attribution has been made. Attribution in cyberattacks is difficult, as threat actors often take steps to obscure their identities, such as using compromised infrastructure, false flags, or anonymizing technologies. As a result, while many cybersecurity professionals suspect the involvement of Lazarus due to the nature of the attack, the lack of concrete evidence means the attribution remains speculative at this point.
The Lazarus Group is believed to be a state-sponsored hacking collective operated by the North Korean government. This group has been responsible for some of the most high-profile cyberattacks in recent history, including the Sony Pictures hack in 2014 and the 2017 WannaCry ransomware outbreak. Lazarus is also behind significant cryptocurrency heists, such as the $1.5 billion hack of the Bybit exchange in February 2025.
Their primary targets have been organizations and financial institutions with ties to cryptocurrencies, as these digital assets present an attractive avenue for evading international sanctions. The group's operations often use sophisticated social engineering, spear-phishing campaigns, and custom malware to infiltrate systems and steal funds.
Given the tactics employed in the Elusive Comet campaign, cryptocurrency professionals should take several steps to mitigate the risk of falling victim to similar attacks.
Disable Zoom's remote control feature by default: Ensure that the remote control feature in Zoom is disabled unless absolutely necessary. This limits the attack surface available to cybercriminals attempting to hijack remote sessions.
Exercise caution with unsolicited invitations: Always verify the identity of the person requesting the meeting and be cautious of unsolicited invitations, especially those from unfamiliar sources.
Implement strong authentication measures: Multi-factor authentication (MFA) should be enabled for all cryptocurrency-related accounts, particularly those involving wallets and exchange platforms. This adds an additional layer of protection in the event of credential theft.
Endpoint protection and software updates: Use comprehensive endpoint protection software to detect and block malicious activity. Additionally, ensure that all systems, especially Zoom, are kept up to date to avoid exploitation of known vulnerabilities.
Educate and train employees and partners: Conduct regular cybersecurity awareness training for employees, partners, and stakeholders to ensure that everyone involved understands the risks of social engineering and knows how to spot phishing attempts.
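As an added example (not from the article or from Security Alliance), here is a small detector for the lure described earlier: it flags a remote-control request made by a participant whose display name impersonates the platform itself, and reports the name that participant joined under before renaming. The event schema and the sample events are constructed for this example and do not follow any real Zoom log or webhook format.

```python
# Added example, not from the article or Security Alliance: flag the lure pattern the
# article describes (participant renames to "Zoom", then requests remote control).
import re
import unicodedata

# Constructed sample events: (meeting_id, seq, event, participant, detail).
# Schema is invented for this example, not a real Zoom log or webhook format.
SAMPLE_EVENTS = [
    ("m-1001", 1, "join", "alice", ""),
    ("m-1001", 2, "join", "Podcast Host", ""),
    ("m-1001", 3, "rename", "Podcast Host", "Zoom"),          # detail = new name
    ("m-1001", 4, "remote_control_request", "Zoom", "alice"), # detail = target
    ("m-2002", 1, "join", "bob", ""),
    ("m-2002", 2, "join", "carol", ""),
    ("m-2002", 3, "remote_control_request", "carol", "bob"),  # benign request
    ("m-3003", 1, "join", "dave", ""),
    ("m-3003", 2, "rename", "dave", " ZOOM\u200b"),           # zero-width lookalike
    ("m-3003", 3, "remote_control_request", " ZOOM\u200b", "erin"),
]

def normalize_name(name):
    """Fold case and drop whitespace and invisible format characters (Cf),
    so 'ZOOM ', 'Zoom' plus a zero-width space, and 'zoom' all compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(c for c in folded
                   if not c.isspace() and unicodedata.category(c) != "Cf")

def is_platform_impersonation(name):
    """True when a display name masquerades as the meeting platform itself."""
    return re.fullmatch(r"zoom(support|team)?", normalize_name(name)) is not None

def find_suspicious_requests(events):
    """Return (meeting, seq, requester, joined_as, target) for each remote-control
    request made under a platform-impersonating display name."""
    alerts = []
    joined_as = {}  # (meeting, current display name) -> name used when joining
    for meeting, seq, event, who, detail in sorted(events, key=lambda e: e[:2]):
        key = (meeting, who)
        if event == "join":
            joined_as[key] = who
        elif event == "rename":  # carry the join-time name across the rename
            joined_as[(meeting, detail)] = joined_as.pop(key, who)
        elif event == "remote_control_request" and is_platform_impersonation(who):
            alerts.append((meeting, seq, who, joined_as.get(key, who), detail))
    return alerts
```

Run `find_suspicious_requests(SAMPLE_EVENTS)` to see the two meetings in which a renamed participant requested control; the benign request in m-2002 is not flagged.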
The Elusive Comet attack highlights a growing concern within the cryptocurrency sector as cybercriminals are increasingly leveraging trusted communication platforms to execute sophisticated attacks. While the tactics used bear similarities to the operations of North Korea's Lazarus Group, the official attribution remains unconfirmed, and this caution serves as a reminder of the complexities surrounding cybercrime attribution.
For cryptocurrency professionals, this attack is a valuable lesson in the importance of vigilance, proper security protocols, and proactive defense strategies to combat an ever-evolving threat landscape. As threat actors continue to innovate, only the most well-prepared will be able to effectively defend against these emerging threats.
Follow SecureWorld News for more stories related to cybersecurity.