Jun 2025 - Mehdi Farooq Alex Lin Zoom Phishing Drains Life Savings - $Unknown (Global)

Mehdi Farooq is an investment professional and thought leader in the Web3 space, with deep experience across crypto research, venture capital, and decentralized technologies. Currently an Investment Partner at Hypersphere Ventures, he previously managed investments and strategic partnerships at Animoca Brands, where he focused on infrastructure, DePIN (decentralized physical infrastructure), and AI-driven opportunities. Throughout his career, Mehdi has consistently worked at the intersection of finance, blockchain, and emerging technology, helping startups scale while promoting a decentralized digital future.
He holds advanced degrees in Blockchain and Finance, including an MSc in Blockchain and Digital Currency from the University of Nicosia and a Distinction in Finance and Investment from Nottingham University Business School. Mehdi’s research background includes stints at Token Metrics, Messari, and Seeking Alpha, and he has developed a reputation for accurate market analysis—most notably predicting trends around assets like $MATIC and identifying systemic risks in events like the LUNA-UST collapse.
In addition to his investment work, Mehdi is a co-host of The Open Metaverse Show and regularly publishes insights on crypto markets and token economics. A strong advocate for user education and safety in the rapidly evolving Web3 space, Mehdi combines technical insight with a deep understanding of market behavior, making him a valuable contributor to the global blockchain ecosystem.
The incident began with what appeared to be a routine professional outreach via Telegram from “Alex Lin,” a known contact. Unbeknownst to Mehdi at the time, Alex’s account had been compromised. The attacker, posing convincingly as Alex, initiated a casual catch-up, during which Mehdi shared his Calendly link and the imposter booked a call. Shortly before the scheduled time, the attacker requested to move the call to Zoom Business, citing “compliance reasons” due to an LP named Kent — another familiar name — joining. This added a layer of credibility and urgency, both common tactics in social engineering attacks.
Upon joining the Zoom call, Mehdi encountered no audio but saw two faces he believed to be Alex and Kent. Through the Zoom chat, the attackers messaged him, suggesting he update Zoom to resolve the audio issue. This prompt was the turning point: the update was either a trojanized version or used to exploit an existing vulnerability. Once executed, it provided remote access to Mehdi's device. Within minutes, six of his crypto wallets were drained, indicating not only access to private keys or seed phrases, but potentially a full compromise of the host system — likely through clipboard scraping, keylogging, or browser credential theft.
What made the attack particularly violating was the continued interaction on Telegram. The attacker, still impersonating Alex, maintained a casual tone, even joking about meeting in Singapore, while simultaneously emptying Mehdi's wallets. It added a psychological layer to the technical breach, emphasizing the manipulation and calculated deceit involved.
Mehdi describes the loss as his life savings, from six wallets. No actual sum is mentioned.
Mehdi describes realizing that his wallets were being emptied, and continuing to chat with the hacker.
"While my wallet was being emptied, the hacker kept chatting on Telegram like nothing was wrong.
He even joked: “Let’s catch up at SG”"
Fortunately, whitehat hackers and members of the security community rallied around Mehdi, offering assistance and guidance in the aftermath. Mehdi reports that some of this help from whitehat hackers arrived almost immediately.
"But in the darkest moment, whitehat hackers stepped up — complete strangers offering help when I was at my lowest"
After the attack, threat intelligence surfaced identifying the adversary as “dangrouspassword,” a North Korea–linked cybercrime actor known for social engineering campaigns targeting individuals in the crypto and VC space.
"Biggest lesson: keep assets on a cold wallet, separate device. No shortcuts. These social engineering scams are only going to get more sophisticated with deepfake video and audio. Doesn’t matter if it’s Zoom or Gmeet - keep your asset device fully isolated. That’s what saved others who still got on a call with the impersonator. Wish I had done the same. Hard lesson."
Mehdi reports that only his father and someone named Ammar Zaeem offered him financial assistance. There was some assistance in tracing his funds to North Korean hackers.
Mehdi continues to post further updates about the level of assistance offered. It does not appear likely that funds will be recovered from North Korea.
Further Analysis
Mehdi Farooq, a respected Web3 investor and thought leader, fell victim to a sophisticated social engineering attack involving deepfakes and compromised identities. After receiving a seemingly routine message from a known contact on Telegram, Mehdi joined a Zoom call with what appeared to be familiar faces. During the call, he was prompted to update his Zoom client — a move that ultimately led to his device being compromised. Within minutes, six of his crypto wallets were drained, resulting in the loss of his life savings. The attacker, later identified as part of the North Korea–linked group “dangrouspassword,” continued to engage casually with Mehdi via Telegram during the theft. Though the funds are unlikely to be recovered, whitehat hackers and the broader crypto community offered immediate support and helped trace the incident. Mehdi has since shared his experience publicly, urging better operational security and warning that these scams are becoming increasingly advanced.
How Could This Have Been Prevented?
Sources/Further Reading
Mehdi Farooq - "One minute I was prepping for a Zoom call. Ten minutes later, large part of my life savings were gone. It started with a message on Telegram from Alex Lin — someone I knew. He wanted to catch up." - Twitter/X (Dec 31)
Mehdi Farooq - "My laptop compromised computer lately" - Twitter/X (Dec 31)
Mehdi Farooq - "I’m not sure - but the video was being played during the zoom call - it looked like they were trying to speak to me but I couldn’t hear them as there was audio issue - so they pinged me to on Zoom and TG to repair audio. That’s how they got me." - Twitter/X (Dec 31)
Mehdi Farooq - "When my wallet got hacked, @ammar_zaeem was the only one besides my own dad who offered to help me financially." - Twitter/X (Dec 31)
Tay - "This is actually a super common tactic that I've seen with scammers and thieves, especially those who are relatively deeply integrated into the system they are scamming and defrauding." - Twitter/X (Dec 31)
Mehdi Farooq - "In an industry built on Telegram, Proof of Humanity isn’t just nice to have anymore. It’s becoming critical." - Twitter/X (Dec 31)
TheNFTJett - "They almost got me Alex" - Twitter/X (Dec 31)
Alexander Lin - "I have reclaimed my telegram handle, @linfluence, bc it is ubiquitous with X and my other online identities. old acc still compromised - stay safe!" - Twitter/X (Dec 31)
Alexander Lin - "the hacker has removed the username. at this time, refrain from any correspondence with me on Telegram. Assume any account with my name is compromised unless we have directly discussed this matter via vetted channels (email, X, in-person)." - Twitter/X (Dec 31)
Crypto VC partner loses ‘life savings’ during fake Zoom call - CoinTelegraph (Dec 31)
Mehdi Farooq - "Appreciate all the kind messages on X and TG - reminds me there are still many good people out there." - Twitter/X (Dec 31)
Crypto Investor Loses Savings in Sophisticated Phishing Attack - AInvest (Dec 31)
Mehdi Farooq - Twitter/X (Dec 31)
Mehdi Farooq - LinkedIn (Dec 31)
Mehdi Farooq - CypherHunter (Dec 31)
t.me/QuadrigaInitiative | /r/QuadrigaInitiative | @QuadrigaInit | info@quadrigainitiative.com