When Online Meetings Become Attack Vectors

6/3/2025, 5:36:16 AM
Intermediate
BlockchainSecurity
Recently, the cryptocurrency community has frequently reported cybersecurity attacks. Attackers use Calendly to schedule meetings and disguised Zoom links to trick victims into installing Trojan horse programs. In some cases, attackers even gain remote control of victims' computers during meetings, leading to the theft of digital assets and identity credentials.

A Full Breakdown of Zoom & Calendly-Based Social Engineering Attacks

In recent months, the cryptocurrency community has seen a surge in cybersecurity breaches. Attackers schedule meetings through @Calendly and send seemingly legitimate @Zoom links, only to trick victims into installing trojanized applications. In many cases, hackers gain remote control of the victim’s device during the meeting. Within minutes, wallets are emptied and @Telegram accounts hijacked.

This article dissects the entire attack chain, shares actionable defense strategies, and includes references for community reposts, internal security training, or personal awareness.

Dual Motives of the Attacker

1. Digital Asset Theft

Hackers deploy malware like Lumma Stealer, RedLine, or IcedID to extract private keys and seed phrases from browser-based or desktop wallets, immediately transferring #TON, #BTC, and other assets.

Sources: Microsoft Security Blog, Flare Threat Intelligence

2. Identity Hijacking

Session cookies from Telegram, Google, and others are stolen to impersonate victims, lure new targets, and trigger a snowball effect of compromise.

Source: d01a Technical Report

The 4-Stage Attack Chain

① Establishing Trust
Attackers pose as investors, media, or podcast hosts, sending formal Calendly invites. In one case, dubbed “ELUSIVE COMET,” attackers mimicked the Bloomberg Crypto site to lend credibility.

Source: Trail of Bits Blog

② Trojan Deployment
Victims are directed to fake Zoom sites (non-*.zoom.us) to download a malicious ZoomInstaller.exe. This has been a common method from 2023–2025 for deploying IcedID or Lumma malware.

Sources: Bitdefender, Microsoft

③ Hijacking During the Meeting
Hackers rename themselves “Zoom” in the meeting and prompt the victim to “test screen sharing,” while simultaneously sending a remote access request. If the victim clicks “Allow,” full system control is granted to the attacker.

Sources: Help Net Security, Dark Reading

④ Exploitation and Lateral Spread
Malware uploads wallet credentials for immediate withdrawal or lies dormant while using Telegram session data (tdata folder) to impersonate victims and phish others.

Source: d01a Technical Report

Emergency Response: 3-Step Protocol

  1. Isolate the Device Immediately
    Disconnect from the internet. Reboot using a clean USB and scan the system. If Lumma or RedLine is detected, perform a full disk wipe and reinstall the OS.

  2. Revoke All Sessions
    Move crypto assets to a fresh hardware wallet. Log out of all Telegram sessions and enable two-factor authentication (2FA). Change all passwords for emails, exchanges, and important accounts.

  3. Monitor the Blockchain & Exchanges
    Watch for suspicious transactions and contact exchanges to freeze compromised addresses when necessary.

Six Golden Rules for Long-Term Protection

  • Dedicated Devices for Meetings: Only use backup laptops or phones without private keys for meetings with unknown contacts.
  • Official Download Sources Only: Software like Zoom and AnyDesk must be downloaded from their official websites. On macOS, disable “Open safe files after downloading.”
  • Strict URL Verification: Only accept meeting links under .zoom.us. Zoom vanity URLs must follow this domain structure.
  • The Rule of Three Nos: No plugins, no remote access, no display of seeds or private keys.
  • Cold/Hot Wallet Separation: Store major assets in cold wallets with PIN + passphrase. Keep only small amounts in hot wallets.
  • 2FA Everywhere: Enable two-factor authentication on all major accounts—Telegram, email, GitHub, exchanges.
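
The "Strict URL Verification" rule above can be enforced mechanically before a link is opened. The following Python sketch is an added example, not code from the original article: the function name, the rejection reasons and every sample URL are constructed for illustration, and the allow-list contains only the zoom.us domain the article names.

```python
# Added example (not from the original article): strict check that a meeting
# link's host really sits under zoom.us. All sample URLs are constructed.
from urllib.parse import urlsplit

ALLOWED_DOMAIN = "zoom.us"  # the article's rule: only links under .zoom.us


def check_meeting_link(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a meeting URL."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname   # lower-cased; userinfo and port removed
        port = parts.port       # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if not host:
        return False, "no hostname"
    if parts.username is not None or parts.password is not None:
        # https://zoom.us@other.example/ connects to other.example
        return False, "userinfo before '@' hides the real host"
    if port not in (None, 443):
        return False, "unexpected port"
    if not host.isascii():
        return False, "non-ASCII hostname (possible look-alike characters)"
    host = host.rstrip(".")  # tolerate a fully qualified trailing dot
    # Compare on a label boundary: "evil-zoom.us" and "zoom.us.evil.example"
    # both contain the string "zoom.us" but are different registrations.
    if host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN):
        return True, "host is under zoom.us"
    return False, f"host {host} is not under zoom.us"


SAMPLES = [  # constructed examples
    "https://us02web.zoom.us/j/1234567890",            # regular link
    "https://acme.zoom.us/j/1234567890?pwd=x",         # vanity URL
    "https://zoom.us.meeting-join.example/j/1",        # zoom.us as subdomain
    "https://us02web-zoom.us/j/1",                     # hyphen, not a dot
    "https://zoom.us@meeting.example/j/1",             # userinfo trick
    "https://zo\u043em.us/j/1",                        # Cyrillic 'o'
    "http://zoom.us/j/1",                              # plain http
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_meeting_link(sample)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {sample}  ({reason})")
```

A substring test such as "zoom.us" in url would accept five of the seven samples; only the first two are actually hosted under zoom.us.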

Conclusion: The Real Danger Behind Fake Meetings

Modern attackers don’t need zero-day exploits—they rely on flawless social engineering. They create perfectly normal-looking Zoom meetings and patiently wait for a single mistake.

By building habits—using isolated devices, verifying sources, and enforcing multi-layer authentication—you can shut these attacks down before they begin. May every blockchain user stay safe from the traps of engineered trust and keep their vaults and identities secure.

Disclaimer:

  1. This article is reprinted from [𝙳𝚛. 𝙰𝚠𝚎𝚜𝚘𝚖𝚎 𝙳𝚘𝚐𝚎]. All copyrights belong to the original author [𝙳𝚛. 𝙰𝚠𝚎𝚜𝚘𝚖𝚎 𝙳𝚘𝚐𝚎]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.
