The Podcast Invite That Was Actually Malware

I got invited to a podcast this week. The host had done his homework: he knew how long I've been in the industry, name-dropped the tech I actually work with, and said my profile was "exactly what his audience wants to hear." Verified account, blue check, a few thousand followers, registered years ago.

One problem. The podcast didn't exist, and the "Google Meet link" was a delivery mechanism for malware built to empty browser sessions and crypto wallets.

I didn't get caught, but I want to walk you through exactly how it works, because this one is good. This isn't the usual "DEAR SIR, URGENT BUSINESS PROPOSAL" spam. It's a targeted, researched, multi-step con, and there's been a whole wave of these fake-meeting attacks through 2025 and 2026. If you have any kind of public track record - a blog, a GitHub, a conference talk - you're on the target list.

How the Attack Unfolds

Step 1: The flattering DM

It starts with a direct message on X. A verified account - blue check, thousands of followers, registered years ago - says they run a podcast and would love to have you on as a guest. The message references your real work. This is the part that disarms people: it doesn't read like spam because it isn't mass-sent. Someone (or someone's AI) actually researched you.

Step 2: Moving off the platform

You agree to a date, they ask for your email "to send the calendar invite." The email that arrives looks like a normal meeting invitation with a "Join with Google Meet" button. Two details are off, though both are easy to miss:

• The sender is a throwaway free email address with a name that doesn't match the X account. Different person entirely, no domain, no podcast branding.
• The button doesn't go to meet.google.com. It goes to a page hosted on a free website builder, dressed up to look like the Meet lobby.

That second point is worth repeating, because it's the single most reliable check in this whole story: a real Google Meet link is always on the meet.google.com domain. Not "almost", not "usually". Always. Anything else - a lookalike subdomain, a free-hosting page, a shortened URL that unwraps to something Google-ish - isn't Meet.

Step 3: "Just be with your PC"

Before the call, the "host" asks a strange question: will you be at your computer, on Windows? I asked why that mattered for a podcast. The full answer I got was: "just be with your pc."

Here's why they care. The whole attack depends on you sitting at a desktop machine during the "meeting", so that when the fake Meet page tells you to install something or run a "fix", you can actually do it. A phone won't execute their payload. A real podcast host couldn't care less what device you join from.

Step 4: The trap springs

The fake Google Meet page is where the technical part kicks in. Instead of a meeting, you get one of two endings:

• The installer. Through a browser protocol-handler trick, the page force-opens a URL in a specific browser and pushes a "meeting application" install. The package is self-signed - no trusted publisher, just a certificate the attacker generated themselves. The "app" is an infostealer: it grabs saved passwords, browser session cookies (which let attackers walk into your logged-in accounts without ever needing your password), and crypto wallet data.
• The login. Some variants skip the malware and simply ask you to "sign in with Google to join the waiting room." That's a straight account-takeover phish.

Either way, the moment you comply, it's over. Sessions, passwords, wallets - gone in seconds, quietly, while you sit there waiting for a podcast host who was never going to show up.

The 7 Red Flags, In Order of Appearance

Looking back at the whole exchange, the warning signs were there from the first minute. Here's the checklist version:

1. Identity mismatch. One name on X, a different name in the email, a random free email address as the sender. Real podcasts have domains, websites, and consistent branding.
2. No public footprint. A real show has episodes you can listen to, past guests you can find, a page that existed before last month. This one had nothing.
3. A "Meet" link outside meet.google.com. The number one tell. Hover before you click and read the actual domain.
4. "Be at your computer" pressure. No legitimate meeting cares about your operating system.
5. Any request to install or run something to join. Meet, Zoom, and Teams all work in a plain browser tab. "Install our meeting client to continue" is the attack, every single time.
6. The blue check means nothing. Verified accounts get bought, sold, and hijacked. Followers can be purchased by the thousand. Account age and verification prove nothing here.
7. Flattery tuned precisely to your CV. That's research, and research costs effort. Ask yourself why a stranger invested it.

How to Not Get Caught

• Never install a "meeting client" sent by someone you've never met. Every mainstream conferencing tool runs in the browser, and if you do use desktop apps, you already have them installed. There's no scenario where joining a podcast requires new software from a link in an email.
• Never run "fix" commands a meeting page gives you. A page that tells you to paste a command into your terminal, PowerShell, or the Windows Run dialog "to fix your microphone" is doing something else entirely. This pattern - known as a ClickFix attack - is one of the most effective malware delivery tricks of the past two years precisely because it makes you do the installation.
• Verify the person through an independent channel. Look up the podcast. Listen to thirty seconds of a past episode. Find the host's name on the show's website and contact them there. A real host will be happy you checked; a fake one will evaporate.
• Read domains before you click. Hover over the button, look at the status bar, read the actual hostname right-to-left. meet.google.com is Meet. A free site-builder URL with "meet" somewhere in the path isn't.

If you suspect you already ran something, do this now, in this order:

1. Disconnect the machine from the network immediately.
2. Change critical passwords from a different, clean device - email first, then anything tied to money or code.
3. Treat every browser session as compromised: log out everything, everywhere, and enable two-factor authentication as you go.
4. If you keep crypto on that machine, consider the wallet burned - migrate funds from a clean device.
5. Then scan or reinstall. Modern infostealers finish their job in the first minute, so speed matters more than forensics.

Report it. Report the account on X, report the phishing page to Google Safe Browsing and to the abuse channel of whatever free host it sits on, forward the email as phishing in your mail client. It takes five minutes and it genuinely burns the attacker's infrastructure - these campaigns reuse the same pages and accounts against many targets, and takedowns hurt them.

Why You, Specifically

Here's the uncomfortable part. This scam targets people because they have a visible body of work. Developers, founders, writers - anyone whose career is public enough to research and whose machine is likely to hold something worth stealing: GitHub sessions, cloud consoles, deploy keys, crypto wallets, client access.

Fifteen-plus years in this industry, and I still felt the pull of "someone noticed my work." That's the hook. It works on experienced people precisely because it flatters the thing we're proudest of. You won't out-think the scammer in the moment, so don't try. What works is mechanical rules that don't bend to flattery: real Meet lives on meet.google.com, real meetings never require installs, and real hosts survive a background check.

Stay paranoid. It's cheaper than the alternative. It's the same instinct that once made me dig into a weird metric and catch an attack in progress - I wrote that one up in spotting an XML-RPC brute force through a dropping cache hit rate.

And if you know someone with a public profile - a blog, a GitHub, a few conference talks - send them this post. The next "podcast invite" in their DMs might be this exact play, and the cheapest defense is having seen it once before.