More than 10 of my bitcoin friends got hacked in the past month. All had 2FA enabled. It didn’t help. Here’s how they almost got me too 👇
HOW THEY FOOL YOU
1️⃣ Someone from your contacts messages you to schedule a call. This is already a stolen account. A friend who got scammed before you.
2️⃣ They send you a calendar invite first. Then, right before the call, they send a Zoom link. At a quick glance it looks legit. The preview looks identical to real Zoom. The trick is subtle: the hostname and subdomain are swapped.
This is the fake Zoom link they sent me. A real Zoom link would have those two words around the dot swapped.
👀 https:// zoom (DOT) webus05. us/j/47369507762?pwd=7kiAzRm6PNBvNFdBBEY04cr6LLzHPk.1
Easy to miss, even if you know what to look for. Especially when it comes from someone you trust.
3️⃣ The fake Zoom app looks flawless. Perfect copy of the real Zoom UI. No red flags.
4️⃣ You immediately see your friend on video. This is NOT A DEEPFAKE. It’s a recording of your friend from seconds before they got scammed in the previous session. That’s why it looks perfect and trustworthy.
HOW THEY GAIN CONTROL
5️⃣ The fake Zoom app says your audio is broken and asks you to update.
6️⃣ The update “fails” and you’re shown a command line troubleshooting guide.
⚠️7️⃣ If you paste that command into your terminal, it’s over. You just gave the attacker remote access to your computer.
HOW THEY ROB YOU
8️⃣ The malware they install remotely is simple and runs fast. It takes one or two seconds.
It usually does two things:
A) Scans your computer for bitcoin wallets and steals access.
⚠️B) Steals session cookies from chat apps. This is how they bypass your 2FA later.
ELI5 SESSION COOKIES
When you log into Telegram on your laptop, you enter your password and 2FA once. Telegram then saves a session token on your computer so you don’t have to do it every time. That token is basically: “Yes, this is the same person who gave you the password and 2FA earlier.” When attackers steal it, they present it to Telegram, which sees it as a valid session and lets them in.
So they don’t need your password or your 2FA code. THEY ARE YOU.
If someone gets access to your computer, you’re done. At that point, it’s just damage control.
MY GOLDEN RULE
Life is short and beautiful. No client call is important enough to mess with command line troubleshooting.
Be lazy. Be safe.
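As an added example (not part of the original post), a small defender-side check for the hostname/subdomain swap described in step 2: it extracts the registrable domain of a meeting link and flags links where the brand word appears only in a subdomain of some other domain. It assumes zoom.us is the legitimate registrable domain and uses a simplified last-two-labels rule; the sample hostnames are constructed from the pattern in the post.

```python
from urllib.parse import urlsplit

# Assumption: zoom.us is the registrable domain real meeting links live under
# (the post's example would be legitimate as webus05.zoom.us, not zoom.webus05.us).
LEGIT_ZOOM_DOMAINS = {"zoom.us"}


def registrable_domain(hostname: str) -> str:
    """Return the last two DNS labels of a hostname.

    Simplification: multi-label public suffixes (co.uk, com.au, ...) are not
    handled; use a public-suffix-list library for production use.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    return ".".join(labels[-2:])


def classify_meeting_link(url: str) -> str:
    """Classify a URL as 'legit', 'lookalike', 'other' or 'invalid'.

    'lookalike' means the brand word 'zoom' is present in the hostname but the
    part that actually decides who controls the name (the registrable domain)
    is not one of the real Zoom domains. That is exactly the swap in the post:
    zoom.webus05.us is owned by whoever registered webus05.us, not by Zoom.
    """
    host = (urlsplit(url.strip()).hostname or "").lower()
    if not host:
        return "invalid"  # no scheme/host, e.g. a bare path or plain text
    reg = registrable_domain(host)
    if reg in LEGIT_ZOOM_DOMAINS:
        return "legit"
    if "zoom" in host:
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed samples following the pattern described in the post.
    for link in (
        "https://zoom.webus05.us/j/47369507762?pwd=abc.1",   # swapped: fake
        "https://webus05.zoom.us/j/47369507762?pwd=abc.1",   # real subdomain
        "https://zoom.us.meeting-host.example/j/1",           # brand buried deeper
        "https://example.com/j/1",
    ):
        print(f"{classify_meeting_link(link):10s} {link}")
```

The rule is deliberately conservative: anything carrying the brand word outside the real registrable domain is reported for a human to look at, which is the cheap check a recipient or a mail/chat filter can apply before the fake Zoom client ever gets a chance to run.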
Good to know about this scam but I wouldn’t ever install Zoom on any of my computers so I guess I am immune to everything downstream of that single action.
Same here, hopefully this report helps those that use Zoom to keep an eye or two open when clicking random links.
So tricky...
It's good to stay paranoid and keep your Bitcoin related stuff separate from a work computer.
Hope your friends didn't lose too much.
I don't think OP posted this as about "10 of his friends" but more as a PSA / warning.
Sometimes people post things without being part of it, even if it seems so.
My first guess when I read the title was some sort of compromised tool or browser downloaded first to give access. Yep, right on target.