Crypto sector faces sharper deepfake threat

North Korean state-linked hackers have intensified attacks on cryptocurrency companies by combining fake video meetings, AI-generated identities and “ClickFix” infection tactics to compromise executives, founders and staff with access to wallets, exchanges and investment infrastructure.

A large spear-phishing operation attributed with high confidence to BlueNoroff, the financially motivated arm of the Lazarus Group, targeted a North American Web3 company through a manipulated calendar invitation that led to a spoofed Zoom meeting. The attack chain moved from a single click to full system compromise in less than five minutes, exposing the speed with which social engineering and malware deployment are now being fused in crypto-focused intrusions.

Investigators found that the attackers impersonated a figure in the fintech legal sector and used a Calendly invitation to arrange a meeting. The calendar entry was then altered to include a typo-squatted Zoom link. Once the victim joined the fake meeting interface, the page covertly captured webcam footage while pushing the user towards a technical “fix” for fabricated audio problems.

That “fix” was the core of the ClickFix technique. Victims were instructed to run troubleshooting commands that appeared to address microphone or speaker issues but instead launched malicious code. The Windows-focused chain used fileless PowerShell, command-and-control infrastructure and browser injection payloads, while earlier operations against macOS users deployed backdoors, downloaders and data-mining malware.

The campaign shows a marked shift from conventional phishing emails to interactive deception. Fake meeting rooms were populated with AI-generated headshots, stolen profile images and deepfake-style video assets designed to resemble known industry figures. For senior executives accustomed to cross-border fundraising, token listings, compliance meetings and venture discussions, the lure was tailored to routine business behaviour rather than crude fraud.

Analysis of attacker-hosted media found more than 950 files, including processed videos, profile images, synthetic portraits, scraped material and project files used to create convincing meeting participants. Eight images carried provenance markers showing they had been generated with an AI image model. Several were paired with video files, indicating their likely use in a talking-head production pipeline.

The operation also relied on a self-reinforcing method. Webcam footage and personal media stolen from one victim could be repurposed to target another, allowing compromised executives or advisers to become unwitting lures in later attacks. That approach gives attackers a growing library of authentic-looking faces, movements and professional identities that can be adapted for future campaigns.

More than 100 additional targets were identified from the attacker infrastructure. About 80 per cent were linked to cryptocurrency, blockchain finance or adjacent investment sectors, while chief executives and founders accounted for nearly 45 per cent of the target set. The heaviest concentration was in the United States, followed by Singapore and the United Kingdom, confirming that the operation was global rather than limited to one region.

BlueNoroff has long focused on financial theft. The group gained attention after the 2016 Bangladesh Bank SWIFT heist attempt, in which $951 million was targeted and $81 million was transferred. Over the following years, its operations moved deeper into digital assets as cryptocurrency exchanges, wallet providers, venture investors and software developers became attractive targets.

North Korea-linked hacking groups have been tied to some of the largest crypto thefts on record. The February 2025 Bybit breach led to the theft of about $1.5 billion in virtual assets, with stolen funds dispersed across multiple blockchains and converted into other digital currencies. Such incidents have sharpened concern that digital asset theft remains a major source of foreign currency for Pyongyang under international sanctions.

The latest BlueNoroff activity also overlaps with a broader pattern observed across North Korean cyber operations this year. Other campaigns have used compromised Telegram accounts, fake Zoom meetings and AI-enabled video lures to target crypto executives and developers. Malware families linked to those operations have been designed to steal credentials, session tokens, browser cookies, Telegram data and wallet-related information.

For crypto firms, the threat is particularly severe because personal devices and messaging accounts often provide a bridge into corporate systems. Attackers do not need to break cryptographic protections if they can compromise employees who approve transactions, administer infrastructure or manage investor communications. The blend of human trust, remote meetings and decentralised finance workflows creates openings that traditional security controls may miss.

Defensive priorities are shifting accordingly. Firms are being urged to treat unsolicited calendar invitations, meeting links and troubleshooting prompts as high-risk events, especially when they involve wallet access, listings, fundraising or legal matters. Staff should be trained that legitimate video platforms do not require terminal commands, PowerShell scripts or downloaded fixes to restore audio.
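Part of the "treat meeting links as high-risk" advice above can be automated at the mailbox or calendar gateway. The following is an added illustration, not code from the article or from any vendor it cites: it pulls every link out of a calendar-invite body and flags any whose host is not an allowlisted meeting domain, singling out lookalikes such as a hostname that embeds "zoom" as a subdomain label under an attacker-controlled parent. The allowlist and the sample invite text are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: the meeting hosts this organisation actually uses.
TRUSTED_MEETING_HOSTS = frozenset({"zoom.us", "teams.microsoft.com", "meet.google.com"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def trusted_parent(host: str, trusted=TRUSTED_MEETING_HOSTS):
    """Return the trusted host that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for t in trusted:
        if host == t or host.endswith("." + t):
            return t
    return None

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings such as zoon.us."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url: str, trusted=TRUSTED_MEETING_HOSTS) -> str:
    """'trusted', 'lookalike' or 'untrusted' for one meeting URL.
    Lookalike: within two edits of a trusted host, or any DNS label equals or is
    one edit from the brand label (e.g. zoom.us.join-call.example hides 'zoom'
    under an attacker-controlled parent domain)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if trusted_parent(host, trusted):
        return "trusted"
    labels = host.split(".")
    for t in trusted:
        brand = t.split(".")[0]
        if edit_distance(host, t) <= 2 or any(edit_distance(l, brand) <= 1 for l in labels):
            return "lookalike"
    return "untrusted"

def review_invite(body: str) -> list:
    """Classify every URL in an invite body; escalate anything not 'trusted'."""
    return [(u, classify_link(u)) for u in URL_RE.findall(body)]

if __name__ == "__main__":
    # Constructed sample invite body, not a real indicator from the article.
    sample = ("Join https://us06web.zoom.us/j/111 or the backup room "
              "https://zoom.us.join-call.example/j/222 and run the audio fix at https://example.org/fix")
    for url, verdict in review_invite(sample):
        print(f"{verdict:9s} {url}")
```

A "lookalike" or "untrusted" verdict is a prompt for a human check through a known-good channel, not proof of malice; legitimate vendor subdomains such as `us06web.zoom.us` pass because the allowlist is matched on the registrable parent.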



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
