How one Zoom update drained millions in crypto
It was all routine. A media outlet wanted an interview with David, an experienced software developer and crypto miner. He’d already met the interviewer at a conference, so he knew it was legit. A Zoom was scheduled.
David opened his MacBook Pro, clicked the invite and, just before the call, he got a prompt to update the Zoom client.
“I thought it was a normal, regular update,” David recalls years later. “So I proceeded with it. Then I had the call. Everything went normally. And I basically forgot about it.”
Months later, after returning from a trip, he connected his cold crypto wallet to the same MacBook. Within moments, he knew something was wrong.
By the time he understood what was happening, the crypto in his cold wallet was gone. David had lost millions of dollars’ worth of BTC.
This can affect all of us
We post a lot about 1inch’s security practices, because we know how important it is to take a proactive approach - and because the more our users know, the better they can protect themselves.
But we also know that some of these practices can seem abstract to most users. Risk management, for example - how we help identify and freeze stolen or illicit funds - can seem like it’s only relevant to law enforcement; and don’t you have to be a whale to be the direct target of a DPRK attack?
In fact, these issues can affect all of us. So we’ve teamed up with zeroShadow to tell David’s* story - not just as a warning, but also to show the good that anti-money laundering (AML) tactics can do - even against a rogue state.
As Orest, Chief Legal Officer at 1inch puts it: “Risk management is essential for DeFi’s next chapter. Institutions won’t touch liquidity they can’t defend - and ordinary traders shouldn’t want to, either. And recovery and accountability can totally coexist with open, non-custodial design.”
*We’ve changed David’s name, and been deliberately vague about some details, to protect his identity.
A long crypto journey
David is not a beginner in the crypto space. He holds a Master’s degree in computer science. He built fintech systems for banks and securities trading firms.
He entered crypto around 2015, driven partly by his country’s unstable banking system. Crypto offered something traditional finance did not: censorship resistance and control.
By 2017, he was mining Bitcoin and ETH. Back in the day, profits were enormous. David saw returns of more than 30x. He built wallets and decentralized launchpads. From the start, he’s been the definition of a crypto native.
He also believed that his security setup was strong enough: a cold wallet, encrypted, on a clean machine that had no unlicensed software. For years, that worked. Until it didn’t.
An on-chain message
Nick, an investigator at crypto security firm zeroShadow, had been watching something else unfold: a substantial amount of BTC moving on the blockchain in familiar patterns. zeroShadow specializes in tracking state-sponsored threats, including actors linked to the Democratic People’s Republic of Korea (DPRK). He recognized those flows.
Then he saw something unusual embedded in the Bitcoin transactions - OP_RETURN messages. Someone was writing directly to the hacker on-chain. “They were offering to negotiate, saying that if the hacker returned most of the funds, they could avoid consequences,” says Nick. “I thought - oh dear. They don’t know who they’re dealing with. DPRK don’t negotiate.”
There was an email address in the messages. So Nick reached out and offered help. And a short while later - he got a reply. From David.
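An investigator reading those on-chain messages has to pull the embedded bytes out of the transaction's OP_RETURN output. The Python below is an added illustration, not code from the article or from zeroShadow: it decodes the single data push that follows OP_RETURN in an output script (direct pushes and the PUSHDATA1/2/4 forms), rejects malformed or non-OP_RETURN scripts, and runs over a constructed pair of outputs.

```python
# Added example (not from the article): pull the data push that follows OP_RETURN
# out of a Bitcoin output script. The sample outputs at the bottom are constructed.
from typing import Optional

OP_RETURN = 0x6A
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E

def op_return_payload(script_hex: str) -> Optional[bytes]:
    """Return the bytes pushed after OP_RETURN, or None when the script is
    not a well-formed single-push OP_RETURN output (e.g. a P2PKH script)."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""                              # bare OP_RETURN, no data
    op = script[1]
    if 1 <= op <= 0x4B:                         # opcode value is the push length
        start, n = 2, op
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        start, n = 3, script[2]
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        start, n = 4, int.from_bytes(script[2:4], "little")
    elif op == OP_PUSHDATA4 and len(script) >= 6:
        start, n = 6, int.from_bytes(script[2:6], "little")
    else:
        return None                             # any other opcode: not a plain push
    data = script[start:start + n]
    if len(data) != n or len(script) != start + n:
        return None                             # truncated push or trailing bytes
    return data

def scan_outputs(vouts: list) -> list:
    """OP_RETURN messages from decoded tx outputs given as {'scriptPubKey': hex}; non-UTF-8 payloads are kept as hex."""
    found = []
    for vout in vouts:
        payload = op_return_payload(vout["scriptPubKey"])
        if payload is None:
            continue
        try:
            found.append(payload.decode("utf-8"))
        except UnicodeDecodeError:
            found.append(payload.hex())
    return found

# Constructed sample: one payment output and one 27-byte message output.
SAMPLE_VOUTS = [
    {"scriptPubKey": "76a914" + "00" * 20 + "88ac"},             # P2PKH, no message
    {"scriptPubKey": "6a1b" + b"contact: me@example.invalid".hex()},
]
```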
Targeted by DPRK hackers
“I’d started to trace the money on the blockchain myself,” says David. “So when I found the attacker’s wallet, I sent that message. I’d already contacted the FBI, so I felt like I had a hand to play.”
David had started by digging through his system logs and traced the compromise back to the Zoom update, which had delivered a malicious payload.
“Later, I learned about a vulnerability in Zoom, which the attackers exploited,” says David. “Zoom had to pay more than $200 mln in class action cases in the US because of that vulnerability. I also tried to join one of those class action cases but I wasn’t able to because I’m not a US citizen.”
Zoom settled that lawsuit, and resolved the security vulnerabilities concerned, but too late for David.
When they realized that David had contacted the FBI, the attackers pushed another Zoom update, attempting to wipe logs and cover their tracks. But they missed a few entries. When Nick and zeroShadow caught up with the case, these traces were enough for them to say with certainty: the attack was linked to the DPRK.
DPRK-linked groups are disciplined and industrial in scale. An estimated 15,000 operators work across a global network. They target high-value individuals. They exploit small moments of distraction - a meeting link, an “audio issue,” a request to reinstall or update software. Another victim had been compromised during his first-ever Zoom installation at around the same time as David’s attack.
Risk management works
So where’s the silver lining?
It comes thanks to zeroShadow’s patient investigation - and the risk management procedures that 1inch has advocated, and that legitimate crypto exchanges are increasingly adopting.
zeroShadow’s model is methodical: monitor blockchain flows, flag addresses with exchanges and bridging services, freeze assets where possible, coordinate with law enforcement. Thanks to their involvement, David has already been able to recover some portion of his funds.
“We have various contacts, particularly with exchanges that we've managed to get some success from,” says Nick. “When we start seeing [stolen] funds appear on these exchanges, we will reach out to them and say: ‘Did you manage to freeze this transaction?’”
So far, just under $240,000 has been returned to David, out of a total of $300,000 frozen. A fraction of the total loss, but still a substantial sum.
DPRK operators often attempt to cash out via peer-to-peer OTC services, frequently on the Tron network, which complicates full recovery. So investigators aim to constrict their exit routes - to funnel laundering attempts into channels where intervention is possible.
But the broader reality is sobering. Hacks are increasing in scale. Recovery rates, in percentage terms, are low. Attackers are evolving faster than defensive infrastructure.
What can you do to avoid an attack?
OpSec is for everyone
The answer is simple: personal operational security - OpSec.
David’s advice now is blunt: “For financial transactions, use an air-gapped computer that is not connected to the Internet and don't install any apps on that computer. Use it only to sign transactions.”
“Don't use a MacBook or a PC,” he adds. “It's better to use an iPhone. iPhones are surprisingly more secure, compared to MacBooks.”
A risk management tool for ordinary users
At 1inch, this is precisely why our approach to laundered funds is so serious. We work with partners like zeroShadow to monitor suspicious flows, flag malicious addresses and strengthen the ecosystem’s response.
As Orest puts it: “You don’t need to go custodial or push heavy KYC to raise safety. Privacy-respecting signals, like stronger event logs, device and network risk indicators, as well as wallet intelligence, can help detect abuse patterns early and protect users in real time.”
This isn’t just about compliance. It’s about constricting the operational space for actors who exploit trust and infrastructure at scale. If we can do that - we make DeFi (and crypto in general) safer for everyone.
That relies on collaboration - between protocols, investigators, exchanges and law enforcement - to reduce the probability that stolen funds can move freely.
Meanwhile, David, for his part, is building a nonprofit tool to provide free AML scoring for ordinary users - an attempt to democratize early detection, since most risk management tools remain too expensive for private individuals.
“This will allow users to detect suspicious transactions at early stages,” he comments. The more barriers there are to hackers moving these funds, the less incentive they’ll have to carry out attacks.
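The monitor-flag-freeze loop Nick describes, and the early-warning score David's tool aims to give ordinary users, both come down to following stolen funds through a transfer graph. The Python below is an added illustration, not code from zeroShadow, 1inch or David's project: over a constructed ledger it walks outward from the attacker's first address, stops expanding once funds enter a custodial (exchange) address where a freeze request is possible, lists the transfers to cite in that request, and computes a simple exposure score for any address.

```python
# Added example (not from the article or any party in it): follow stolen funds
# through a constructed transfer graph, stop at custodial addresses, and score
# an address by its exposure to those funds.
from collections import defaultdict

# Constructed sample ledger: (tx_id, sender, receiver, amount in BTC).
TRANSFERS = [
    ("tx1", "victim_cold_wallet", "attacker_hop1", 100.0),
    ("tx2", "attacker_hop1", "attacker_hop2", 60.0),
    ("tx3", "attacker_hop1", "attacker_hop3", 40.0),
    ("tx4", "attacker_hop2", "exchange_deposit_A", 60.0),
    ("tx5", "unrelated_user", "exchange_deposit_A", 10.0),
    ("tx6", "attacker_hop3", "otc_peer_B", 40.0),
    ("tx7", "exchange_deposit_A", "exchange_hot_wallet", 70.0),
]
# Addresses under a counterparty that can act on a freeze request.
EXCHANGE_DEPOSITS = {"exchange_deposit_A"}

def trace_taint(transfers, seed, stop_at=frozenset(), max_hops=10):
    """Breadth-first walk along outgoing transfers from `seed` (the attacker's
    first address); returns {address: hops from seed}. Addresses in `stop_at`
    are recorded but not expanded: inside custody the chain no longer tells you who owns what."""
    outgoing = defaultdict(list)
    for _, sender, receiver, _ in transfers:
        outgoing[sender].append(receiver)
    hops, frontier = {seed: 0}, [seed]
    while frontier:
        nxt = []
        for addr in frontier:
            if addr in stop_at or hops[addr] >= max_hops:
                continue
            for receiver in outgoing[addr]:
                if receiver not in hops:
                    hops[receiver] = hops[addr] + 1
                    nxt.append(receiver)
        frontier = nxt
    return hops

def freeze_candidates(transfers, tainted, exchange_addrs):
    """Transfers carrying tainted funds into an exchange deposit address:
    the concrete tx ids to send along with a freeze request."""
    return [t for t in transfers if t[1] in tainted and t[2] in exchange_addrs]

def exposure_score(transfers, address, tainted):
    """Share of an address's inflows that came from tainted senders, 0.0-1.0."""
    total = tainted_in = 0.0
    for _, sender, receiver, amount in transfers:
        if receiver == address:
            total += amount
            tainted_in += amount if sender in tainted else 0.0
    return tainted_in / total if total else 0.0
```

A real deployment would read transfers from a node or indexer and weight taint by amount rather than treating any tainted inflow as fully tainted; the stop-at-custody rule is the step that turns a trace into a freeze request.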
And from zeroShadow, Nick has a final message for everyone reading this article.
“If something doesn’t sit quite right when you've clicked on a video link, please do not hesitate to ask for help. zeroShadow along with SEAL911 are great starting points to help mitigate any further risk and to guide you through next steps. The earlier that a compromise is reported, the better chance you have to contain the issue and recover any assets. Reporting these issues will also help build on the work being done to help stop others from being targeted.”