
Why Social Engineering Now Beats Code Exploits in Crypto Theft — Lessons from the Elusive Comet Campaign

The cryptocurrency industry has entered a dangerous new era where sophisticated social engineering attacks now pose greater financial risk than traditional software vulnerabilities. The Elusive Comet campaign, uncovered by the Security Alliance and Trail of Bits in April 2025, reveals how North Korean state-sponsored hackers are repurposing legitimate collaboration tools like Zoom to steal millions from crypto traders and venture investors. Understanding these threats and building robust defenses is no longer optional — it is survival.

The Threat Landscape

The Elusive Comet campaign represents a significant evolution in cryptocurrency-targeted attacks. Rather than exploiting buffer overflows or smart contract flaws, the attackers weaponize trust itself. Posing as venture capital investors and media producers, they initiate contact through professional channels — LinkedIn messages, X direct messages, and email pitches — inviting targets to appear on podcasts or discuss investment opportunities through a fictitious entity called Aureon Capital.

Once the target accepts, the attack unfolds through a carefully orchestrated sequence: the hackers schedule a Zoom call via Calendly, sometimes withholding meeting details until the last minute to create urgency. During the call, they request screen sharing and then remote control access. The critical deception involves changing their Zoom display name to “Zoom,” making the remote access permission dialog appear as an innocuous system notification rather than a request from another participant. One hasty click grants the attacker full mouse and keyboard control.

The Security Alliance attributes millions of dollars in losses to this operation and has identified nearly thirty sock-puppet social media accounts and multiple polished corporate websites used to establish the fake Aureon Capital persona. Trail of Bits encountered the ruse firsthand when two profiles posing as Bloomberg producers attempted to book their CEO for a crypto segment, complete with late-breaking Zoom links that belonged to consumer-grade accounts rather than Bloomberg enterprise tenants.

Core Principles

Defending against these attacks requires a fundamental shift in security mindset. The traditional perimeter-based approach — firewalls, intrusion detection, vulnerability scanning — is necessary but insufficient when the attack vector is a legitimate video conferencing tool operated by a willing participant. The core principles for defense are verification, compartmentalization, and minimal privilege.

Verification means independently confirming the identity of every counterparty before engaging. A LinkedIn profile and a polished website are not sufficient proof of legitimacy. Cross-reference claims through multiple independent channels. If someone claims to be from Bloomberg, verify through Bloomberg official channels directly. If an investment firm contacts you, check their registration with financial authorities and verify team members through independent sources.

Compartmentalization means never mixing high-value crypto operations with general-purpose computing. The workstation where you manage seed phrases and sign transactions should be physically and logically separate from the device you use for video calls, email, and web browsing. Hardware wallets should never be connected to a machine that has granted remote access to anyone.

Minimal privilege means disabling unnecessary features in every tool you use. Zoom Remote Control is enabled by default in many corporate configurations, but it is almost never needed for legitimate business calls. Disable it at the account level.

Tooling and Setup

Implementing these principles requires specific technical controls. Start with Zoom itself: administrators should disable the Remote Control feature at the account, group, or user level, and lock the setting to prevent users from re-enabling it. The clipboard sharing option, which attackers exploit to copy seed phrases and private keys between applications, should also be disabled. Trail of Bits has gone further by blocking the macOS accessibility permissions that enable remote control entirely on their corporate systems, closing the attack vector without disrupting legitimate video conferencing.

For cryptocurrency-specific protection, maintain a dedicated air-gapped or nearly air-gapped machine for all wallet operations. Use hardware wallets exclusively for signing transactions, and never enter seed phrases on a device that has any remote desktop, screen sharing, or remote control software installed. Consider using a dedicated tablet or smartphone with minimal app installations as your crypto management device.

Email and identity verification tools should be part of your standard workflow. Services that verify email domain ownership, check for domain age, and flag newly registered domains can help identify fraudulent entities before engagement. Browser extensions that alert you to suspicious Zoom domains or mismatched meeting hosts add another layer of defense.
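The verification checks described under Core Principles and in the paragraph above can be turned into a simple pre-meeting triage routine. The following is an added example, not code from the article or from Trail of Bits; the generic Zoom host list, the vanity-subdomain heuristic, the one-year domain-age threshold and the sample invitations are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Assumption: consumer/free Zoom accounts produce links on generic hosts like these,
# while an enterprise tenant normally uses a vanity subdomain such as <company>.zoom.us.
GENERIC_ZOOM_HOSTS = {"zoom.us", "us02web.zoom.us", "us04web.zoom.us", "us05web.zoom.us"}
MIN_DOMAIN_AGE_DAYS = 365  # assumed threshold for "newly registered" sender domains


@dataclass
class Invite:
    sender_email: str         # address the pitch arrived from
    claimed_org_domain: str   # domain of the organisation the sender claims to represent
    meeting_url: str          # Zoom link supplied by the sender
    domain_registered: date   # WHOIS creation date of the sender's domain (looked up by the caller)
    details_sent: date        # day the meeting link was delivered
    meeting_date: date        # day of the scheduled call


def triage_invite(inv: Invite, today: date) -> list[str]:
    """Return a list of red flags; an empty list means no check fired."""
    findings = []
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    claimed = inv.claimed_org_domain.lower()
    # Sender domain should be the claimed organisation's domain or a subdomain of it.
    if sender_domain != claimed and not sender_domain.endswith("." + claimed):
        findings.append(f"sender domain {sender_domain} does not match claimed org {claimed}")
    age_days = (today - inv.domain_registered).days
    if age_days < MIN_DOMAIN_AGE_DAYS:
        findings.append(f"sender domain registered only {age_days} days ago")
    host = (urlparse(inv.meeting_url).hostname or "").lower()
    if host != "zoom.us" and not host.endswith(".zoom.us"):
        findings.append(f"meeting link host {host} is not a Zoom host")
    elif host in GENERIC_ZOOM_HOSTS:
        findings.append("meeting link uses a generic Zoom host, not an enterprise vanity tenant")
    elif not host.startswith(claimed.split(".")[0] + "."):
        findings.append(f"Zoom tenant {host} does not match claimed org {claimed}")
    # Last-minute delivery of meeting details is the urgency tactic the campaign relies on.
    if (inv.meeting_date - inv.details_sent).days < 1:
        findings.append("meeting details sent less than a day before the call")
    return findings


# Constructed sample invitations (not real addresses, links or registration dates).
SUSPICIOUS_INVITE = Invite("producer@aureon-media.example", "bloomberg.com",
                           "https://us05web.zoom.us/j/0000000000?pwd=placeholder",
                           date(2025, 2, 1), date(2025, 4, 10), date(2025, 4, 10))
BENIGN_INVITE = Invite("producer@bloomberg.com", "bloomberg.com",
                       "https://bloomberg.zoom.us/j/0000000000?pwd=placeholder",
                       date(2000, 1, 1), date(2025, 4, 1), date(2025, 4, 10))
```

Feed it a real WHOIS creation date and the link from the calendar invite; any non-empty result is a cue to verify through an independent channel before joining.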

Ongoing Vigilance

The cryptocurrency industry is particularly vulnerable to these attacks because of its culture of rapid deal-making and informal communication. When Bitcoin trades at approximately $76,350 and Ethereum at $2,327, the stakes of a single compromised machine are enormous. The Elusive Comet methodology mirrors the techniques behind the $1.5 billion Bybit hack in February 2025, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities.

Security awareness training must evolve beyond recognizing phishing emails to include video conferencing security, social media impersonation, and multi-channel verification. Regular red team exercises that simulate these social engineering scenarios can help teams build the reflexes needed to resist sophisticated pretexts.

Industry-wide information sharing is also critical. The Security Alliance maintains an incident log and attribution database that tracks these campaigns. Organizations should contribute to and consume this intelligence to stay ahead of evolving tactics.

Final Takeaway

The era of operational security failures has arrived in cryptocurrency. The most dangerous attackers are no longer finding zero-day vulnerabilities — they are finding zero-trust humans. Every interaction with an unknown party, every hastily granted permission, every shared screen is a potential entry point. The defense is not more firewalls or better code audits; it is building a culture where verification is automatic, access is minimal, and the default answer to any unexpected request is a polite but firm “let me verify that through another channel.”

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified security professionals for risk assessment.


11 thoughts on “Why Social Engineering Now Beats Code Exploits in Crypto Theft — Lessons from the Elusive Comet Campaign”

  1. changing zoom display name to Zoom to make remote access look like a system dialog. that is next level social engineering. always verify who is asking for control

    1. opsec_daily and they used calendly to schedule it. the whole toolchain is legit infrastructure weaponized against crypto users

      1. calendly_nightmare

        Raj M. scheduling through calendly makes it look even more legit. the whole OSINT to Zoom pipeline is industrialized at this point

  2. Jelena Vukmirovic

    Aureon Capital was the fake VC firm they used. Did nobody think to verify the domain registration before hopping on a Zoom call

    1. Aureon Capital had a website that looked more professional than half the real VCs I have pitched to. verified domain registration would have caught it but who checks that before a meeting

  3. North Korean state actors running fake VC firms to compromise crypto wallets is surreal. the attack surface moved from code to humans and most teams are not ready

