Ex-Animoca exec loses life savings in Zoom hack tied to Lazarus
Ex-Animoca exec had his crypto wallets drained after downloading a fake Zoom update during a phishing attack linked to North Korean hacking group Lazarus.
Mehdi Farooq, an investment partner at Hypersphere and ex-Animoca Brands exec, revealed in a post on X on Thursday that he lost a large portion of his life savings in a Zoom hack linked to the North Korean hacking group Lazarus.
The scam began when Farooq received a Telegram message from Alex Lin, a professional acquaintance. Lin asked to catch up, and Farooq shared his Calendly link to schedule a call.
The next day, shortly before the meeting, Lin messaged again, asking to switch the call to Zoom Business “for compliance reasons,” explaining that one of his limited partners, Kent — whom Farooq also knew — would be joining.
The Zoom meeting appeared legitimate. Both participants had their cameras on, but there was no audio. In the Zoom chat, they said they were having technical issues and asked Farooq to update his Zoom client. Within minutes of installing the fake update, six of Farooq’s crypto wallets were drained.
It was only afterward that Farooq realized Lin’s account had been hacked. The scheme was later linked to Lazarus, a North Korean state-sponsored hacking group.
“It was surreal and completely violating. But in the darkest moment, whitehat hackers stepped up — complete strangers offering help when I was at my lowest. Turns out I was compromised by DPRK affiliated threat know as dangrouspassword,” wrote Farooq.
This incident echoes a recent phishing attempt targeting Manta Network co-founder Kenny Li, who narrowly avoided a similar fate. Li recounted that the attackers impersonated known contacts during a Zoom call, used fake video feeds, and insisted on a suspicious Zoom update download. Suspecting foul play, Li suggested switching communication platforms, prompting the attackers to block him and erase messages.
Security analysts say that this attack vector — where hackers pose as trusted contacts, fake technical glitches, and push malware disguised as Zoom updates — is a hallmark of Lazarus operations and has been used repeatedly to steal millions in crypto.
Other crypto industry leaders, including founders from Mon Protocol, Stably, and Devdock AI, have reported similar phishing attempts, highlighting how widespread and targeted these attacks have become.
Nick Bax from the Security Alliance broke down this scam in a March 11 X post.
