Zoom’s remote access functionality — once seen as a convenient collaboration tool — has become the foundation of a sophisticated new attack targeting individuals in the cryptocurrency and financial sectors. The feature that allows meeting participants to take control of another user’s computer is now being exploited by attackers to install malware and steal sensitive data.
One such group, dubbed ELUSIVE COMET by nonprofit security organization SEAL (The Security Alliance), has been actively targeting crypto professionals. The attackers pose as representatives of the venture firm Aureon Capital, as well as related entities like Aureon Press and The OnChain Podcast. They set up convincing websites and active social media profiles to build credibility and gain the trust of their targets.
Their victims are approached via X (formerly Twitter) or email with offers to participate in a podcast. Once the individual agrees, a Zoom call is scheduled. During the call, the victim is asked to share their screen — supposedly to showcase a presentation or a project. At that moment, the attacker sends a request for remote control access. If the victim doesn’t notice the red flag, they might accidentally grant access.
What makes the attack especially devious is the manipulation of the Zoom interface. The attacker changes their Zoom display name to “Zoom”, making the request appear as if it comes from the platform itself — e.g., “Zoom is requesting remote control access.” This reduces suspicion, and many users might click “Allow” automatically, thinking it’s a routine system prompt.
One victim, Jake Gallen, founder of the NFT platform Emblem Vault, recounted how he didn’t even realize he had granted control — resulting in the loss of access to multiple accounts and approximately $100,000.
A similar attempt was made against the CEO of security firm Trail of Bits, but it failed. Their team noticed red flags: fake social media profiles, a reluctance to use official email communication, and phony scheduling pages — all of which helped them spot the scam before it succeeded.
The attack raises serious concerns because Zoom’s remote access feature is enabled by default in many configurations. Unless the user or administrator explicitly disables it, the function remains available for abuse. For companies handling crypto assets or other sensitive data, experts strongly advise disabling Zoom’s remote control feature entirely, or abandoning the platform altogether in favor of more secure alternatives.
The ELUSIVE COMET campaign is a striking reminder that modern cyber threats are increasingly rooted not in software vulnerabilities, but in lapses in operational security. Human error, distraction, and misplaced trust in familiar interfaces are becoming key attack vectors. As technical defenses grow harder to bypass, attackers are leaning more heavily on social engineering and behavioral manipulation to gain access.