One Click in Zoom — and Your Crypto Wallet Is Empty: How Hackers Robbed an NFT Guru

He believed in blockchain — but fell for a simple trick. After reading this, you’ll definitely want to disable one Zoom setting.
Jake Gallen wasn’t just a face of the NFT scene — he symbolized openness in a world where most hide behind avatars and pseudonyms. A well-known figure in crypto, he hosted streams, podcasts, and even shared the contents of his wallet publicly. Everything was going great — until a single Zoom call wiped it all out.
In April 2025, Gallen agreed to an interview with a YouTube channel called Tactical Investing. The channel looked legit: thousands of subscribers, old videos, and familiar names. The host didn’t turn on their camera — odd, but not suspicious. The questions were sharp and professional. Gallen didn’t think twice.
During the interview, as the conversation turned to Emblem Vault, a standard Zoom notification popped up — a window requesting screen sharing. It's a common occurrence, and Gallen, focused on the talk, clicked "Allow", thinking he was simply showing the UI of his app. But that window held more than it seemed.
What Actually Happened
Security experts later determined it wasn't just a screen-sharing request. Zoom had triggered a remote control permission prompt, which — by default — is available to the host of a meeting. The notification looked almost identical to the usual sharing prompt. Distracted, Gallen clicked “Allow” — giving full control of his machine to the attacker.
The hackers, pretending to be the YouTube host, acted instantly: within seconds, they accessed open browser tabs, running apps, documents — and most crucially, his crypto wallet and locally stored seed phrases. No phishing, no malware — just interface manipulation and awareness of how Zoom permissions work.
By the next morning, his NFTs were being sold off at suspiciously low prices. His accounts were compromised. Desperate, Gallen reached out to white-hat hackers, who traced the attack back to a group called ELUSIVE COMET — not the expected Korean actors, but Western imitators using similar techniques.
The Fatal Zoom Setting
Everything came down to one default Zoom feature: the host can request remote access to a participant’s device. If the user doesn't notice the subtle difference in the prompt — game over. One click, and everything’s gone.
Later, Gallen discovered that even the Tactical Investing channel had been hacked. The real owner — a U.S. Air Force officer — even sent a video of himself holding a badge to prove it.
The damage: around $200,000.
Now, Gallen shares his story not for hype, but as a warning: in the crypto world where trust in code is everything, it only takes one user’s trust in a UI to bring it all crashing down.
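
On macOS, the difference between "share my screen" and "let the host control my machine" shows up as two separate OS privacy grants, and a defender can audit which one Zoom holds. The check below is an added example, not part of the original article. It assumes the macOS TCC database layout (`access` table with `service`, `client`, `auth_value`, macOS 11+), the service names `kTCCServiceAccessibility` and `kTCCServiceScreenCapture`, and Zoom's bundle ID `us.zoom.xos`; the sample rows and `com.example.*` clients are constructed.

```python
import sqlite3

# Assumptions (not from the article): macOS stores per-app privacy grants in a
# TCC SQLite database whose `access` table has service/client/auth_value columns
# (macOS 11+), and Zoom's macOS bundle ID is us.zoom.xos.
ZOOM_CLIENT = "us.zoom.xos"
ACCESSIBILITY = "kTCCServiceAccessibility"  # required to inject mouse/keyboard input
AUTH_ALLOWED = 2                            # 0 = denied, 2 = allowed

def zoom_can_be_remote_controlled(conn):
    """Return True if Zoom holds an allowed Accessibility grant in this TCC db."""
    row = conn.execute(
        "SELECT auth_value FROM access WHERE service = ? AND client = ?",
        (ACCESSIBILITY, ZOOM_CLIENT),
    ).fetchone()
    return row is not None and row[0] == AUTH_ALLOWED

def input_control_grants(conn):
    """List every client allowed to drive input, so other remote tools show up too."""
    rows = conn.execute(
        "SELECT client FROM access WHERE service = ? AND auth_value = ? ORDER BY client",
        (ACCESSIBILITY, AUTH_ALLOWED),
    ).fetchall()
    return [r[0] for r in rows]

def build_sample_db(rows):
    """Constructed stand-in for TCC.db with only the columns this check reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", rows)
    return conn

SAMPLE_ROWS = [  # constructed sample data
    ("kTCCServiceScreenCapture", "us.zoom.xos", 2),   # screen sharing only
    ("kTCCServiceAccessibility", "us.zoom.xos", 2),   # remote control possible
    ("kTCCServiceAccessibility", "com.example.clipboardtool", 2),
    ("kTCCServiceAccessibility", "com.example.oldapp", 0),
]

if __name__ == "__main__":
    conn = build_sample_db(SAMPLE_ROWS)
    print("Zoom may inject input:", zoom_can_be_remote_controlled(conn))
    print("All input-control grants:", input_control_grants(conn))
```

To audit a real Mac, pass a connection to `/Library/Application Support/com.apple.TCC/TCC.db` instead of the sample database; reading that file requires Full Disk Access for the terminal running the script.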