Mehdi Farooq Alex Lin Zoom Phishing Drains Life Savings
Mehdi Farooq, a respected Web3 investor and thought leader, fell victim to a sophisticated social engineering attack involving deepfakes and compromised identities. After receiving a seemingly routine message from a known contact on Telegram, Mehdi joined a Zoom call with what appeared to be familiar faces. During the call, he was prompted to update his Zoom client — a move that ultimately led to his device being compromised. Within minutes, six of his crypto wallets were drained, resulting in the loss of his life savings. The attacker, later identified as part of the North Korea–linked group “dangrouspassword,” continued to engage casually with Mehdi via Telegram during the theft. Though the funds are unlikely to be recovered, whitehat hackers and the broader crypto community offered immediate support and helped trace the incident. Mehdi has since shared his experience publicly, urging better operational security and warning that these scams are becoming increasingly advanced.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]
About Mehdi Farooq
Mehdi Farooq is an investment professional and thought leader in the Web3 space, with deep experience across crypto research, venture capital, and decentralized technologies. Currently an Investment Partner at Hypersphere Ventures, he previously managed investments and strategic partnerships at Animoca Brands, where he focused on infrastructure, DePIN (decentralized physical infrastructure), and AI-driven opportunities. Throughout his career, Mehdi has consistently worked at the intersection of finance, blockchain, and emerging technology, helping startups scale while promoting a decentralized digital future.
He holds advanced degrees in Blockchain and Finance, including an MSc in Blockchain and Digital Currency from the University of Nicosia and a Distinction in Finance and Investment from Nottingham University Business School. Mehdi’s research background includes stints at Token Metrics, Messari, and Seeking Alpha, and he has developed a reputation for accurate market analysis—most notably predicting trends around assets like $MATIC and identifying systemic risks in events like the LUNA-UST collapse.
In addition to his investment work, Mehdi is a co-host of The Open Metaverse Show and regularly publishes insights on crypto markets and token economics. A strong advocate for user education and safety in the rapidly evolving Web3 space, Mehdi combines technical insight with a deep understanding of market behavior, making him a valuable contributor to the global blockchain ecosystem.
What Happened
Mehdi Farooq was targeted in a sophisticated social engineering attack involving deepfakes and a compromised Zoom link, resulting in the theft of his life savings from six crypto wallets by a North Korea–linked threat actor.
| Date | Event | Description |
|---|---|---|
| May 29th, 2025 9:30:00 AM MDT | Alexander Lin Telegram Compromised | Alexander Lin reports that his Telegram account has been compromised and recommends that no one interact with that username. |
| June 2nd, 2025 | Fake Alex Lin Set Up Meeting | The hacker reportedly contacted Mehdi to set up the meeting for the following day using Alex's account. |
| June 3rd, 2025 10:01:00 AM MDT | Username Removed From Telegram | It is noted that the username was removed from Alexander Lin's Telegram account. |
| June 5th, 2025 11:34:00 AM MDT | Alexander Lin Recovers Handle | Alexander Lin reports that they recovered their handle for Telegram successfully. However, the original account is still compromised. |
| June 18th, 2025 6:48:00 PM MDT | Mehdi Farooq Publishes Story | Mehdi publishes a story about the events which happened to him. |
| June 18th, 2025 6:59:00 PM MDT | Mehdi Farooq Revises Post | Mehdi follows up on his post to correct a typo: his laptop was compromised "completely", not "computer lately". |
| June 19th, 2025 6:50:51 AM MDT | CoinTelegraph Article Published | CoinTelegraph publishes an article about the situation, with an overview of the information that Mehdi has publicly made available. They have reportedly reached out and not received any additional details. |
| June 20th, 2025 12:03:00 PM MDT | Mehdi Posting Self Reflections | Mehdi posts some reflections of his experience. He expresses gratitude for the supportive messages he received and shares his renewed motivation to keep going. He warns others about a scam involving an impersonator who contacted him and others, some of whom had already been scammed or had upcoming calls with the fraudster. Mehdi emphasizes the importance of keeping crypto assets in a cold wallet on a separate, isolated device, as social engineering attacks are becoming more advanced with deepfake technology. He criticizes Telegram for its slow response, noting the scammer who first messaged him on June 2 is still active. He urges others to share his experience to help prevent further victims. |
| July 8th, 2025 8:23:00 AM MDT | Mehdi No Assistance Provided | Mehdi notes that, other than his father, only the Twitter/X user @ammar_zaeem offered to help him financially. |
Technical Details
The incident began with what appeared to be a routine professional outreach via Telegram from “Alex Lin,” a known contact. Unknown to Mehdi at the time, Alex’s account had been compromised. The attacker, posing convincingly as Alex, initiated a casual catch-up, during which Mehdi shared his Calendly link and the imposter booked a call. Shortly before the scheduled time, the attacker requested to move the call to Zoom Business, citing “compliance reasons” because an LP named Kent (another familiar name) was joining. This added credibility and urgency, both common tactics in social engineering.
Upon joining the Zoom call, Mehdi encountered no audio but saw two faces he believed to be Alex and Kent. Through the Zoom chat, the attackers messaged him, suggesting he update Zoom to resolve the audio issue. This prompt was the turning point: the update was either a trojanized version or used to exploit an existing vulnerability. Once executed, it provided remote access to Mehdi's device. Within minutes, six of his crypto wallets were drained, indicating not only access to private keys or seed phrases, but potentially a full compromise of the host system — likely through clipboard scraping, keylogging, or browser credential theft.
What made the attack particularly violating was the continued interaction on Telegram. The attacker, still impersonating Alex, maintained a casual tone, even joking about meeting in Singapore, while simultaneously emptying Mehdi's wallets. It added a psychological layer to the technical breach, emphasizing the manipulation and calculated deceit involved.
Total Amount Lost
Mehdi describes the loss as his life savings, from six wallets. No actual sum is mentioned.
The total amount lost is unknown.
Immediate Reactions
Mehdi describes realizing that his wallets were being emptied, and continuing to chat with the hacker.
"While my wallet was being emptied, the hacker kept chatting on Telegram like nothing was wrong. He even joked: “Let’s catch up at SG”"
Fortunately, whitehat hackers and members of the security community rallied around Mehdi, offering assistance and guidance in the aftermath. Mehdi describes this help as arriving almost immediately.
"But in the darkest moment, whitehat hackers stepped up — complete strangers offering help when I was at my lowest"
Ultimate Outcome
After the attack, threat intelligence surfaced identifying the adversary as “dangrouspassword,” a North Korea–linked cybercrime actor known for social engineering campaigns targeting individuals in the crypto and VC space.
"Biggest lesson: keep assets on a cold wallet, separate device. No shortcuts. These social engineering scams are only going to get more sophisticated with deepfake video and audio. Doesn’t matter if it’s Zoom or Gmeet - keep your asset device fully isolated. That’s what saved others who still got on a call with the impersonator. Wish I had done the same. Hard lesson."
Total Amount Recovered
Mehdi reports that only his father and someone named Ammar Zaeem offered him financial assistance. There was some assistance in tracing his funds to North Korean hackers.
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Mehdi continues to post further updates about the level of assistance offered. It does not appear likely that funds will be recovered from North Korea.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ Mehdi Farooq - "One minute I was prepping for a Zoom call. Ten minutes later, large part of my life savings were gone. It started with a message on Telegram from Alex Lin — someone I knew. He wanted to catch up." - Twitter/X (Accessed Jul 22, 2025)
- ↑ Mehdi Farooq - "My laptop compromised computer lately" - Twitter/X (Accessed Jul 22, 2025)
- ↑ Mehdi Farooq - "I’m not sure - but the video was being played during the zoom call - it looked like they were trying to speak to me but I couldn’t hear them as there was audio issue - so they pinged me to on Zoom and TG to repair audio. That’s how they got me." - Twitter/X (Accessed Jul 22, 2025)
- ↑ Mehdi Farooq - "When my wallet got hacked, @ammar_zaeem was the only one besides my own dad who offered to help me financially." - Twitter/X (Accessed Jul 22, 2025)
- ↑ Tay - "This is actually a super common tactic that I've seen with scammers and thieves, especially those who are relatively deeply integrated into the system they are scamming and defrauding." - Twitter/X (Accessed Jul 22, 2025)
- ↑ Mehdi Farooq - "In an industry built on Telegram, Proof of Humanity isn’t just nice to have anymore. It’s becoming critical." - Twitter/X (Accessed Jul 22, 2025)
- ↑ [ ] (Accessed Jan 16, 2022)
- ↑ TheNFTJett - "They almost got me Alex" - Twitter/X (Accessed Jul 22, 2025)
- ↑ Alexander Lin - "I have reclaimed my telegram handle, @linfluence, bc it is ubiquitous with X and my other online identities. old acc still compromised - stay safe!" - Twitter/X (Accessed Jul 22, 2025)
- ↑ Alexander Lin - "the hacker has removed the username. at this time, refrain from any correspondence with me on Telegram. Assume any account with my name is compromised unless we have directly discussed this matter via vetted channels (email, X, in-person)." - Twitter/X (Accessed Jul 22, 2025)
- ↑ Crypto VC partner loses ‘life savings’ during fake Zoom call - CoinTelegraph (Accessed Jul 22, 2025)
- ↑ Mehdi Farooq - "Appreciate all the kind messages on X and TG - reminds me there are still many good people out there." - Twitter/X (Accessed Jul 22, 2025)
- ↑ Crypto Investor Loses Savings in Sophisticated Phishing Attack - AInvest (Accessed Jul 22, 2025)
- ↑ Mehdi Farooq - Twitter/X (Accessed Jul 22, 2025)
- ↑ Mehdi Farooq - LinkedIn (Accessed Jul 22, 2025)
- ↑ Mehdi Farooq - CypherHunter (Accessed Jul 22, 2025)