The 'Elusive Comet' Cyber Threat: A Deep Dive into Cryptocurrency Attacks

Alex Cipher, 5 min read

The ‘Elusive Comet’ attacks have emerged as a sophisticated threat in the cybersecurity landscape, particularly targeting the cryptocurrency sector. This group employs a blend of social engineering and technical exploitation to deceive and compromise high-value targets. By impersonating credible figures, such as journalists from reputable organizations like Bloomberg, they lure cryptocurrency professionals into Zoom meetings under false pretenses. Once in these meetings, the attackers exploit Zoom’s remote control feature, a tool often enabled by default, to gain unauthorized access to victims’ systems. This access is then used to deploy malware, allowing the theft of sensitive information, including cryptocurrency wallet credentials (Bleeping Computer, Help Net Security).

Modus Operandi of ‘Elusive Comet’ Attacks

Social Engineering Tactics

The ‘Elusive Comet’ group employs sophisticated social engineering tactics to deceive their targets. These tactics involve creating fake identities and scenarios to gain the trust of their victims. For instance, they often impersonate journalists or representatives from reputable organizations like Bloomberg to lure cryptocurrency professionals into Zoom meetings. The attackers use sock-puppet accounts on social media platforms such as X (formerly Twitter) to send direct messages, inviting victims to participate in fake interviews or conferences. This approach is designed to make the interaction seem legitimate and professional, thereby lowering the victim’s guard. (Bleeping Computer)

Exploitation of Zoom’s Remote Control Feature

A key component of the ‘Elusive Comet’ attack strategy is the exploitation of Zoom’s remote control feature. This feature, which is typically enabled by default, allows one meeting participant to request, and on approval take, control of another participant’s computer. The attackers use this feature to gain unauthorized access to the victim’s system. Once the victim is convinced to join a Zoom meeting, the attackers request remote control access under the guise of a legitimate need, such as troubleshooting technical issues or demonstrating a point during the interview. This access is then used to install malware or steal sensitive information, including cryptocurrency wallet credentials. (Help Net Security)

Malware Deployment

Once the attackers gain remote access to the victim’s computer, they proceed to deploy malware. This malware is designed to extract sensitive information, such as private keys and login credentials for cryptocurrency wallets. The malware may also include keyloggers to capture the victim’s keystrokes, providing the attackers with additional information to access the victim’s accounts. In some cases, the malware is sophisticated enough to bypass security measures, making it difficult for victims to detect the breach until it is too late. The deployment of malware is a critical step in the attack, as it allows the attackers to execute their primary objective: the theft of cryptocurrency assets. (Liquidity.io)

Targeting High-Value Individuals

The ‘Elusive Comet’ group specifically targets high-value individuals within the cryptocurrency community. These targets often include executives, investors, and traders who are likely to have significant amounts of cryptocurrency in their possession. By focusing on high-profile targets, the attackers maximize their potential gains from each successful attack. The group uses a combination of social media reconnaissance and phishing techniques to identify and approach these individuals. This targeted approach increases the likelihood of success, as the attackers tailor their tactics to the specific vulnerabilities and behaviors of their chosen victims. (Secure World)

Operational Security Failures

The success of the ‘Elusive Comet’ attacks highlights a critical issue in the realm of cybersecurity: operational security failures. Unlike traditional cyberattacks that exploit technical vulnerabilities, these attacks capitalize on weaknesses in human behavior and organizational processes. The attackers exploit the default settings of widely used platforms like Zoom, which are often not configured with security in mind. This reliance on default settings, combined with a lack of awareness about the potential risks, creates an environment where social engineering attacks can thrive. Organizations must recognize the importance of operational security and take proactive measures to mitigate these risks, such as disabling unnecessary features and educating employees about social engineering threats. (SC Media UK)

Expansion of Attack Vectors

In addition to exploiting Zoom’s remote control feature, the ‘Elusive Comet’ group has demonstrated a willingness to expand their attack vectors. For example, they have attempted to hack into the social media accounts of their victims to further their reach and identify additional targets. This expansion of attack vectors underscores the group’s adaptability and determination to exploit any available opportunity to achieve their goals. By diversifying their tactics, the attackers increase their chances of success and make it more challenging for victims to protect themselves. Organizations must remain vigilant and implement comprehensive security measures to defend against this evolving threat landscape. (Cyber Insider)

Final Thoughts

The ‘Elusive Comet’ attacks underscore the critical need for heightened operational security and awareness in the digital age. These attacks highlight vulnerabilities not just in technology, but in human behavior and organizational processes. By exploiting default settings and social engineering tactics, attackers can bypass traditional security measures. Organizations must prioritize security training and proactive measures, such as disabling unnecessary features and educating employees about potential threats. As the ‘Elusive Comet’ group continues to adapt and expand their attack vectors, vigilance and comprehensive security strategies are essential to protect against these evolving threats (SC Media UK, Cyber Insider).