Zoom’s Remote Control Feature Exploited in Sophisticated Cryptocurrency Theft Scheme

Bisma Farrukh

April 23, 2025
Updated on April 23, 2025

Cybersecurity experts have uncovered an alarming new social engineering campaign targeting cryptocurrency users through Zoom’s remote control feature, which is offered during screen sharing. A threat actor tracked as “Elusive Comet” has been impersonating crypto journalists and Bloomberg representatives to trick high-value targets into granting remote access to their computers.

The Attack Methodology

The attack begins with victims receiving what appears to be a legitimate invitation to participate in a “Bloomberg Crypto” interview. These invitations arrive via direct messages on social media platforms like X (formerly Twitter) or through emails from addresses designed to look official (such as bloombergconferences@gmail.com, a free webmail account rather than a bloomberg.com address, which is the first detail a cautious recipient should check).

What makes this scheme particularly effective is its use of authentic Calendly scheduling links and genuine Zoom meeting invitations, which help bypass the victim’s initial suspicions. During the scheduled video call, the attackers employ a clever deception:

  1. They ask the target to share their screen; Zoom only lets a participant request remote control of the person who is currently sharing
  2. The attackers rename their Zoom display name to simply “Zoom”
  3. They send a remote control request; because Zoom’s dialog inserts the requester’s display name, it reads “Zoom is requesting remote control of your screen”
  4. Victims, believing this is a standard system prompt from the application itself, approve the request

Devastating Consequences

Once remote access is granted, the attackers can drive the victim’s keyboard and mouse inside the logged-in session, which in practice means whatever the victim can do at the keyboard, the attacker can do too. This access allows them to:

  • Steal sensitive data
  • Install malicious software
  • Access personal files
  • Initiate unauthorized cryptocurrency transactions

According to cybersecurity firm Trail of Bits, which discovered this campaign after its CEO was targeted, “What makes this attack particularly dangerous is the permission dialog’s similarity to other harmless Zoom notifications. Users habituated to clicking ‘Approve’ on Zoom prompts may grant complete control of their computer without realizing the implications.”

Connection to Major Crypto Heists

Perhaps most concerning is that the techniques employed by Elusive Comet mirror those used in the massive $1.5 billion Bybit cryptocurrency heist earlier this year. Rather than exploiting code vulnerabilities, these attackers manipulate legitimate workflows and user trust to achieve their objectives.

Trail of Bits recommends several defensive strategies:

  • On managed macOS fleets, deploying Privacy Preferences Policy Control (PPPC) profiles through MDM that deny Zoom the Accessibility permission its remote control feature depends on, so a user who clicks “Approve” cannot actually hand over control
  • For organizations handling valuable digital assets or sensitive data, completely removing the Zoom client
  • Using browser-based alternatives for video conferencing when handling sensitive information
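The PPPC recommendation above is a configuration, not code, but the profile is easy to get subtly wrong, so here is an added example (not Trail of Bits’ or Zoom’s own code) that generates a macOS PPPC configuration profile denying the Accessibility service to the Zoom client and reads it back for review. The bundle identifier `us.zoom.xos`, the code requirement and the team ID `BJ4HAAB9B3` are assumptions to be confirmed on a machine with Zoom installed via `codesign -dr - /Applications/zoom.us.app`; the organisation name `example.com` is a placeholder.

```python
#!/usr/bin/env python3
"""Generate a macOS PPPC (TCC) configuration profile that denies the
Accessibility service to the Zoom desktop client.

Zoom's remote control injects keyboard and mouse events, which on macOS
requires the Accessibility permission. A managed Deny means the user
cannot grant it, so an approved "remote control" request has no effect.

Added example; not Trail of Bits' or Zoom's code. The bundle ID, code
requirement and team ID below are assumptions: confirm them with
`codesign -dr - /Applications/zoom.us.app` before deploying.
"""
import plistlib
import uuid

# Assumed values for the Zoom macOS client; verify with codesign first.
ZOOM_BUNDLE_ID = "us.zoom.xos"
ZOOM_CODE_REQUIREMENT = (
    'identifier "us.zoom.xos" and anchor apple generic and '
    'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
    'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
    'certificate leaf[subject.OU] = BJ4HAAB9B3'
)
# Placeholder organisation used to build the payload identifiers.
ORG = "example.com"


def _stable_uuid(name: str) -> str:
    """Deterministic UUID so regenerating the profile updates rather than duplicates it."""
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, f"{name}.{ORG}")).upper()


def tcc_service_rule(bundle_id: str, code_requirement: str, authorization: str) -> dict:
    """One entry of a PPPC Services array.

    `Authorization` is the macOS 11+ key; the older boolean `Allowed` is set
    consistently so the same profile behaves on earlier releases.
    """
    if authorization not in ("Allow", "Deny"):
        raise ValueError("Accessibility supports only Allow or Deny")
    return {
        "Identifier": bundle_id,
        "IdentifierType": "bundleID",
        "CodeRequirement": code_requirement,
        "StaticCode": False,
        "Authorization": authorization,
        "Allowed": authorization == "Allow",
    }


def build_pppc_profile(bundle_id: str = ZOOM_BUNDLE_ID,
                       code_requirement: str = ZOOM_CODE_REQUIREMENT) -> dict:
    """Top-level configuration profile wrapping a single PPPC payload."""
    payload_id = f"{ORG}.pppc.deny-accessibility.{bundle_id}"
    pppc_payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": payload_id,
        "PayloadUUID": _stable_uuid(payload_id),
        "PayloadVersion": 1,
        "PayloadDisplayName": "PPPC: deny Accessibility to Zoom",
        "PayloadDescription": "Blocks Zoom remote control by denying Accessibility.",
        "PayloadOrganization": ORG,
        "Services": {
            "Accessibility": [tcc_service_rule(bundle_id, code_requirement, "Deny")],
        },
    }
    profile_id = f"{ORG}.profile.deny-zoom-accessibility"
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # TCC payloads are device-scoped and must come from MDM
        "PayloadIdentifier": profile_id,
        "PayloadUUID": _stable_uuid(profile_id),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Deny Zoom Accessibility",
        "PayloadOrganization": ORG,
        "PayloadContent": [pppc_payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise as the XML plist an MDM expects inside a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def accessibility_rules(mobileconfig: bytes) -> list:
    """Parse a .mobileconfig and return its Accessibility rules for review."""
    profile = plistlib.loads(mobileconfig)
    rules = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.TCC.configuration-profile-policy":
            rules.extend(payload.get("Services", {}).get("Accessibility", []))
    return rules


if __name__ == "__main__":
    data = to_mobileconfig(build_pppc_profile())
    with open("deny-zoom-accessibility.mobileconfig", "wb") as fh:
        fh.write(data)
    for rule in accessibility_rules(data):
        print(f'{rule["Identifier"]}: Accessibility -> {rule["Authorization"]}')
```

Two caveats apply. Apple only honours TCC payloads delivered by a user-approved or automated-enrolment MDM, so installing the generated file by double-clicking will not enforce the Deny. And the rule is keyed on the code requirement, so a Zoom build signed under a different team ID would not match; re-check the requirement with `codesign` after major client updates.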

This incident highlights how sophisticated social engineering continues to evolve, targeting specific high-value individuals through seemingly legitimate business interactions.


About The Author

Bisma Farrukh

Bisma is a seasoned writer passionate about topics like cybersecurity, privacy and data breach issues. She has been working in the VPN industry for more than 5 years now and loves to talk about security issues. She loves to explore books and travel guides in her leisure time.
