Deepfake on the Call: The Impact of Global Zoom Hacks Leading to a Chain Takeover on Social Media

2025年06月27日 11:10

1. Introduction ― Is the "Friend on Zoom" Real?

In 2025, with online meetings a daily routine, we have stopped questioning what appears on our screens. In late June, however, Japanese social media was flooded with reports that "assets were stolen during a Zoom meeting." Victims found their cryptocurrency wallets emptied and their accounts on X (formerly Twitter) and Telegram hijacked. (internet.watch.impress.co.jp)


2. A Thorough Dissection of the Attack Flow

  1. Contact ― The perpetrator first contacts the victim from an acquaintance's already-hijacked X/Telegram account, saying "I have something to discuss."

  2. Video Call ― The victim is lured onto Zoom, where a deepfake video of the acquaintance is streamed live. The perpetrator claims "the microphone is broken" to explain the absence of voice.

  3. Fake Update ― A link is sent in the chat, urging the victim to "update the sound driver." The link actually delivers infostealer malware.

  4. Theft and Lateral Movement ― MetaMask seed phrases, browser cookies, and X tokens are extracted, and cryptocurrency is transferred out automatically. The perpetrator then uses the newly hijacked SNS (social media) account to target the next victim. (internet.watch.impress.co.jp)


3. Turbulent Reactions on SNS

❝⚠️ Cryptocurrency vanished in a fake Zoom. End the call immediately if told there's a sound issue!❞
— @Crypto_AI_chan_ (June 22, 2025) (x.com)

Similar warnings spread in English-speaking regions, with "#DeepfakeScam" trending on X.


4. Overseas Case: "ELUSIVE COMET" Campaign

In April, the CEO of the NFT platform Emblem Vault lost assets worth $100,000 via Zoom. The threat actor, tracked as "ELUSIVE COMET," posed as a media inquiry to obtain remote control of the machine and emptied the wallet. (jp.cointelegraph.com)


5. Why Silence the Voice? ― The Evolution of Deepfake Technology

Today, producing high-fidelity fake video of a person is easy, but natural-sounding synthesized voice and real-time lip-syncing remain difficult. Exploiting this gap, the perpetrator claims the "microphone is broken" and builds trust with video alone.


6. Technical Perspective: Remote Control and Infostealers

By default, Zoom allows participants to send remote control requests to the host; if the social engineering succeeds, the entire PC can be controlled. The malware carries cookie dump and clipboard hijack modules and scans the browser for cryptocurrency-specific extensions.


7. Expanding Damage through "Secondary Infections"

Using the hijacked SNS accounts as a foothold, the perpetrator mines the victim's friend lists and resends the phishing lure to those contacts. This is known as a "social graph attack," and because the message arrives from a known account it is far more credible than traditional email-based phishing.


8. Corporate Risks and Legal Challenges

Cross-border damage investigations require multilateral judicial cooperation, but deepfake regulations are not aligned. While the EU is moving towards mandatory labeling of "high-risk AI" under the AI Act, Asian countries remain at the guideline stage.


9. Expert Comments

  • Samczsun (SEAL Researcher): "Zoom's remote control is a feature for efficiency, but being 'on by default' increases the attack surface." (jp.cointelegraph.com)

  • Threat Analysis Department, Digital Arts (Japan): "34% of ransomware damages are due to credential leaks. This case is typical." (cybersecurity-info.com)


10. Specific Countermeasure Checklist

Priority | Countermeasure | Notes
★★★ | Disable "Remote Control Requests" in Zoom settings | [Link to official setup instructions]
★★★ | Hardware wallet + offline storage | Ledger/Trezor, etc.
★★☆ | Verify sudden video invitations received via SNS DM through another channel | Phone, another SNS, pre-agreed passwords
★★☆ | Keep the OS and security suite always up to date | Automatic updates recommended
★☆☆ | Tidy up public information on SNS | Limit publication of high-resolution facial photos


11. Future Outlook

As the accuracy of voice deepfakes improves, the excuse of "not being able to hear the voice" will become unnecessary, making it even harder to detect fraud. The democratization of generative AI will expand both convenience and threats, necessitating international cooperation in internet literacy education.


12. Conclusion

The appearance of "someone you trust" might actually be an AI mask. In an era where phishing emails are easily detected, video calls are the next target. Understanding both technology and human psychology, and questioning "Is it really them?" before clicking, becomes the greatest defense.

