Manta Network Founder Avoids Lazarus Group Zoom Hack Using Deepfake and Malware Tactic



Key Takeaways:

  • Sophisticated Zoom hack impersonated real team members using live footage
  • The attackers attempted to deliver malware via a script disguised as a Zoom update
  • The North Korea-linked Lazarus Group is suspected of being behind the attempt

Manta Network co-founder Kenny Li recently revealed a detailed account of a failed hacking attempt through Zoom. The attack used realistic visuals of known team members and attempted to lure him into downloading a malicious script. Li’s awareness and quick response prevented what could have been a major security breach in the crypto space.


Lazarus Group Suspected in Zoom-Based Phishing Attempt

Real Faces, Fake Intentions

Kenny Li, co-founder of Manta Network, encountered what he described as one of the most convincing phishing attempts he had ever seen. According to Li, the attackers joined a scheduled Zoom call using what appeared to be real-time video of familiar individuals from the crypto space. The camera was on, the background looked authentic, and the visuals seemed natural—making the session feel completely genuine.

However, the absence of any audio raised suspicion. Shortly after, Li received a prompt suggesting his Zoom needed an update and was asked to download a script file—a clear red flag. Instead of complying, he exited the meeting and asked the impersonator to verify their identity via Telegram voice call. When the impersonator failed to respond and eventually deleted all prior messages, it confirmed Li’s suspicion.

He quickly took screenshots before the messages were erased, preserving evidence of the attempted attack.


Hackers Used Pre-Recorded Footage

Deepfakes and Real Accounts Compromised

Li explained that the visuals used in the fake Zoom call were not AI-generated, but appeared to be pre-recorded footage taken from previous team meetings. This implies that the actual accounts of certain team members had already been compromised, giving the attackers access to old video recordings.

Li suspects the Lazarus Group, a North Korea-affiliated hacking group known for attacking crypto businesses, was behind the operation. The group has previously been linked to numerous notable crypto breaches, including the $620 million Axie Infinity Ronin Bridge attack.

Download Requests Signal Immediate Danger

Li emphasized a critical takeaway for the entire crypto community: never download unexpected files, even if they come from seemingly legitimate sources.

“The biggest red flag will always be a downloadable,” Li warned. “If you need to download something in order to continue the meeting, don’t do it.”

He added that these types of attacks rely heavily on mental fatigue and urgency, which are common in fast-paced crypto environments. Executives constantly dealing with last-minute meeting requests or unknown contacts may easily fall for such traps, especially if the attacker appears to be someone they know.

Not an Isolated Incident

Other members of the crypto space have reported similar experiences in recent days. A member of ContributionDAO described an identical Zoom request, where the impersonator insisted they use a special “business version” of Zoom by downloading it from a link, despite the user already having Zoom installed.

When asked to switch to Google Meet, the impersonator declined—another red flag consistent with Li’s experience.


Crypto researcher and X (formerly Twitter) user “Meekdonald” also mentioned that a friend of theirs did fall victim to the same scam, further confirming that the attack is part of a broader, coordinated campaign targeting people in crypto.


The Crypto Industry Remains a Prime Target

The crypto industry continues to attract nation-state actors and organized cybercriminals because it holds billions in digital assets and sometimes has weaker cybersecurity policies than conventional financial institutions. The Lazarus Group in particular has consistently sought to exploit weaknesses in Web3 infrastructure and to target well-known people.

Zoom-based attacks that employ realistic impersonation and social engineering tactics are especially dangerous because they bypass traditional spam filters and rely on human error. As blockchain companies increasingly adopt remote-first operations, such attacks are likely to become more common.

Vigilance Over Tools and Identity Verification

Li’s experience underscores the importance of maintaining operational security protocols, especially for founders, developers, and key stakeholders in blockchain projects. Key measures include:

  • Verifying contacts on multiple platforms before engaging in sensitive discussions
  • Using end-to-end encrypted communication tools and avoiding downloading files during live calls
  • Keeping antivirus software and operating systems up to date
  • Encouraging team members to report and document any suspicious activity immediately

While the attackers in this case failed, the implications remain serious. As digital threats continue to evolve, crypto founders must prioritize personal cybersecurity as much as their projects’ technical resilience.




