Fake Meetings, Real Crises: Analyzing the Operation Chain and Defense Points of Zoom and Calendly Phishing Attacks
Author: Dr. 𝙰𝚠𝚎𝚜𝚘𝚖𝚎 𝙳𝚘𝚐𝚎
Recently, the cryptocurrency community has been plagued by a string of security disasters. Attackers book meetings through Calendly, send seemingly normal “Zoom links” that lure victims into installing disguised Trojan programs, and can even gain remote control of the victim’s computer during the meeting itself. In a single night, every wallet and Telegram account can be seized.
This article analyzes the full operation chain of such attacks and the corresponding defense points, and is intended as reference material for the community to repost, use in internal training, or work through as a self-check.
The dual objectives of the attacker
Digital asset theft
Malicious programs such as Lumma Stealer, RedLine, or IcedID steal private keys and seed phrases directly from browsers or desktop wallets, and the stolen cryptocurrency (TON, BTC, and so on) is quickly transferred out.
Reference:
Microsoft Official Blog
Flare Threat Intelligence
Identity credential theft
Session cookies for Telegram and Google are stolen so the attacker can impersonate the victim and then target the victim’s own contacts, creating a snowball effect.
Reference:
d01a Analysis Report
Four steps of the attack chain
① Building Trust
The attacker impersonates an investor, media outlet, or podcast and sends a formal-looking meeting invitation through Calendly. For example, in the “ELUSIVE COMET” case, the attacker imitated the Bloomberg Crypto page to lend the invitation credibility.
Reference:
Trail of Bits Blog
② Deploy Trojan
Look-alike Zoom URLs (hosts that are not under .zoom.us) lead to the download of a trojanized ZoomInstaller.exe. Multiple incidents from 2023 to 2025 have used this method to deploy IcedID or Lumma.
Reference:
Bitdefender
③ Taking Control During the Meeting
The attacker changes their display name to “Zoom” during the meeting, asks the victim to “test screen sharing,” and at the same time sends a remote control request. Once the victim clicks “Allow,” the machine is fully compromised.
Reference:
Help Net Security
DarkReading
④ Spread and Cash-Out
The malware uploads the private keys and the funds are withdrawn immediately, or it lurks for several days and uses the victim’s Telegram identity to go after others. RedLine specifically targets Telegram’s tdata directory, where Telegram Desktop keeps its session data.
Reference:
d01a Analysis Report
Three Steps for Post-Incident First Aid
Isolate the device immediately
Unplug the network cable, turn off Wi-Fi, and boot from a clean USB to scan; if RedLine or Lumma is found, it is recommended to wipe the entire disk and reinstall.
Revoke all sessions
Transfer cryptocurrency to a new hardware wallet; log out of all devices on Telegram and enable two-step verification; change all email and exchange passwords.
Monitor the chain and exchanges in real time
If you find an abnormal transfer, immediately contact the exchange to request freezing the suspicious address.
The Six Iron Laws of Long-term Defense
Independent meeting equipment: Use a spare laptop or mobile phone without a private key for unfamiliar meetings.
Official source download: Software such as Zoom, AnyDesk, etc. must come from the vendor’s own website; on macOS it is recommended to turn off Safari’s “Open safe files after downloading” option.
Strictly verify the website: the meeting link must be under .zoom.us; a Zoom vanity URL is a subdomain of zoom.us and therefore follows the same rule (see Zoom’s official guidelines).
Three “no” principles: no plugins, no remote access, and never display a seed phrase or private key.
Cold and hot wallet separation: main assets are stored in a cold wallet with a PIN + Passphrase; the hot wallet only holds a small amount.
Enable 2FA for all accounts: Fully activate two-factor authentication for Telegram, Email, GitHub, and exchanges.
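The link check in the third law is the one step above that can be automated. The following is an added example, not code from the article or from Zoom: it extracts every URL from an invitation message and accepts only links whose host is zoom.us or a subdomain of it (which is how vanity URLs are formed), rejecting the usual look-alike tricks: a different host with “zoom.us” in the path, “zoom.us” as a subdomain of another domain, a “zoom.us@” user-info prefix, plain http, and internationalised (punycode or non-ASCII) hostnames. The allowlist contains only zoom.us because that is the rule the article states; the sample invitation text and its `.example` domain are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Allowlist per the article's rule: only hosts under zoom.us are trusted.
# Vanity URLs (e.g. company.zoom.us) are subdomains of this, so they pass.
OFFICIAL_ZOOM_SUFFIXES = ("zoom.us",)

# Matches http(s) URLs up to the next whitespace or common delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def check_meeting_link(url: str) -> tuple[bool, str]:
    """Return (is_official, reason) for a single meeting URL."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() != "https":
        return False, f"scheme is {parsed.scheme!r}, expected https"
    # .hostname drops the port and any user-info, so "zoom.us@evil.example"
    # correctly resolves to the real host "evil.example".
    host = parsed.hostname
    if not host:
        return False, "no hostname in link"
    host = host.rstrip(".").lower()
    # Punycode labels or raw non-ASCII characters are how homoglyph
    # look-alikes (e.g. a Cyrillic 'o' in "zoom") are built; refuse them.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, f"host {host!r} is internationalised (possible homoglyph look-alike)"
    for suffix in OFFICIAL_ZOOM_SUFFIXES:
        # Exact match or a true subdomain: "zoom.us.evil.example" does NOT
        # end with ".zoom.us", so it is rejected here.
        if host == suffix or host.endswith("." + suffix):
            return True, f"host {host} is under {suffix}"
    return False, f"host {host} is not under an official Zoom domain"


def check_invite_text(text: str) -> list[tuple[str, bool, str]]:
    """Find every http(s) URL in an invitation and check each one."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;")  # trailing punctuation from prose
        ok, reason = check_meeting_link(url)
        results.append((url, ok, reason))
    return results


# Constructed sample invitation: one genuine-looking link and one look-alike
# that places "zoom.us" as a subdomain of an attacker-controlled domain.
SAMPLE_INVITE = """\
Hi, confirming our call tomorrow at 10:00 UTC (booked via Calendly).
Join Zoom Meeting: https://us02web.zoom.us/j/88012345678?pwd=constructedpwd
Backup link (new client): https://zoom.us.meet-bloomberg-crypto.example/j/88012345678
"""

if __name__ == "__main__":
    for url, ok, reason in check_invite_text(SAMPLE_INVITE):
        print(("OK      " if ok else "REJECT  ") + url + "  (" + reason + ")")
```

The check deliberately stops at the hostname: it does not try to judge the meeting ID or password parameters, because the article’s rule is about where the link points, and a look-alike host is the part an attacker controls. If a link fails, treat the whole invitation as suspect rather than just that one URL.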
Conclusion: The Real Dangers of Fake Conferences
Modern attackers do not rely on zero-day exploits; instead, they rely on skilled manipulation. They design “seemingly normal” Zoom meetings and wait for your mistake.
As long as you make a habit of isolating devices, using official sources, and applying multi-layer verification, these methods have no opening to exploit. May every on-chain user stay clear of social engineering traps and protect both their vault and their identity.