  • 15 Apr 25

NFT Platform CEO Loses $100K During Zoom Call



nft.eu

Jake Gallen, the CEO of NFT platform Emblem Vault, fell victim to a sophisticated social engineering scheme that cost him over $100,000 in digital assets. The attack was carried out through Zoom and is linked to the ELUSIVE COMET group, previously known for targeting crypto users.

How It Happened

On April 11, Gallen reported on X that his computer had been completely compromised. The attackers gained access to multiple cryptocurrency wallets and stole Bitcoin and Ethereum. He explained that the incident occurred after a Zoom call where he participated as a guest. The call was initiated by a user with a verified X account and 26,000 followers, who claimed to be the CEO of a crypto mining platform.

During the conversation, the attacker did not turn on their camera, while Gallen remained on the call with screen sharing enabled. Over the course of the discussion, he was persuaded to install a malicious program called GOOPDATE. The software stole his wallet credentials and gave the attackers access to his crypto holdings.

A Sophisticated Zoom-Based Attack

According to the research group SEAL (The Security Alliance), the attack was carried out by ELUSIVE COMET — an organized group engaged in crypto theft. SEAL linked the group to the purported investment firm Aureon Capital. The attackers are known for creating elaborate cover stories and using legitimate platforms like Zoom to infect victims’ devices with malware.

SEAL and researcher Samczsun explained that Zoom, by default, allows participants to request remote access to others’ devices. This feature can be exploited to secretly take control of a victim’s computer if they confirm the request — in Gallen’s case, it appears this access was granted without his full understanding.

Even Hardware Wallets Were Compromised

Gallen noted that the attackers managed to access even his Ledger hardware wallet, which he had only connected a few times over the past three years. Although he did not store the password digitally, the system compromise allowed the attackers to bypass that safeguard as well.

Later, his X account was also hacked — the attackers attempted to use it to send direct messages to other users and lure additional victims.

Community Response and Warnings

NFT collector Leonidas confirmed that Zoom by default permits remote access and urged everyone to disable the feature. He emphasized that without doing so, any call participant could potentially gain full control of another’s computer.

Samczsun added that while Zoom requires the victim to approve a remote access request, the high level of social engineering involved in such scams makes them particularly dangerous.

SEAL is urging anyone who has interacted with Aureon Capital to immediately contact their emergency Telegram chat.

This post is for informational purposes only and is not an ad or investment advice. Please do your own research before making any decisions.
