Beware of Fake Zoom Domains: Scammers Steal Millions Using Malicious Software

The Web3 space is constantly evolving, presenting endless opportunities and technological advancements. However, with its growth comes new risks. As much as this industry offers great potential, it also attracts malicious actors seeking to exploit unsuspecting users. At Gemhunt, we believe in raising awareness about such threats to help our readers stay vigilant and better protected. Today, we are shedding light on a recent scam that has resulted in millions of dollars in losses.

A recent fraud scheme has highlighted how scammers manipulate users' trust. The attackers created a phishing domain, app[.]us4zoom[.]us, which closely resembled the legitimate website of Zoom, the popular video conferencing platform. Victims were tricked into clicking the "Launch Meeting" button on the fake site, which then automatically downloaded a malicious file named ZoomApp_v.3.14.dmg onto their devices. Once executed, this file initiated a script called ZoomApp.file, which prompted users to enter their system password.

What followed was a calculated plan to steal sensitive information. The malicious script created a hidden file called ZoomApp, which then extracted critical data from the victims' devices. Among the stolen information were cryptocurrency wallet credentials, cookies, and login details for Telegram accounts. With this information, the attackers gained access to personal data and digital assets, making the impact of the breach even more severe.

According to analysts from SlowMist, the malware used in this attack can decrypt encrypted data, detect system plugins, and hijack accounts on the victim's device. The extracted data was then compressed into an archive and sent to the hackers’ servers, where it was used to gain full control of the victims' crypto wallets. This attack, which began in November 2024, has already led to significant losses, amounting to millions of dollars.

Millions Lost to Hackers: The app[.]us4zoom[.]us Scam

Researchers have tracked one of the cryptocurrency wallets linked to the attack, revealing that it held stolen funds worth over $1 million. These assets were subsequently converted into 296 ETH and transferred to popular exchanges like Binance and Bybit. Another wallet was identified that sent small amounts of Ethereum to nearly 8,800 different addresses. In one particularly devastating incident in November, a victim lost Gigachad (GIGA) cryptocurrency tokens valued at over $6 million after clicking on a similar phishing link that imitated Zoom's login interface.

Cybersecurity experts from SlowMist strongly recommend that users exercise extreme caution when interacting with links and websites online. They urge individuals to thoroughly verify any links before clicking them, avoid downloading files from untrusted sources, and refrain from entering personal information on suspicious websites. By adopting these simple yet effective precautions, users can significantly reduce their chances of falling victim to such scams.

It’s also important to note that SlowMist has previously warned about scammers targeting users on social media platforms. According to their reports, around 80% of comments under tweets from cryptocurrency projects on X (formerly Twitter) are made by scammers trying to lure people into their traps.

At Gemhunt, we hope this article serves as a valuable reminder of how these scams operate and the measures you can take to avoid becoming a victim. We also want to emphasize the importance of using top-tier security practices in the Web3 space. By staying vigilant and implementing advanced security methods, you can better protect both your personal data and your financial assets from malicious actors.