
North Korean hackers use deepfake Zoom calls to target crypto professionals

Dorian Batycka

North Korean threat actors are once again targeting cryptocurrency developers and professionals using live video calls on Zoom to dupe them into installing malware.

Summary
  • North Korean hackers are using deepfake video calls and compromised Telegram accounts to deliver malware targeting crypto professionals.
  • Over $300 million has been stolen using similar tactics.

Hackers based in North Korea are using compromised Telegram accounts and AI-generated deepfake videos to impersonate known contacts and deliver malicious payloads, according to BTC Prague co-founder Martin Kuchař.

“A high-level hacking campaign is currently targeting Bitcoin and crypto users. I have been personally affected via a compromised Telegram account,” Kuchař wrote on X.

According to his post, victims get a call from a known contact, which is in fact a hijacked Telegram account taken over by attackers. On these live calls, the attackers pretend to be the victim’s friend using deepfake technology, all while staying muted.

This silence acts as the hook, as the next stage of the attack involves convincing the victim to install a plugin or a file that claims to fix audio issues. In reality, the file houses malware, often a Remote Access Trojan, that grants attackers full system access once executed.

As soon as access is gained, attackers are able to view all Telegram contacts and reuse the compromised account to reach out to the next victim in the same manner.

“Inform your colleagues and network immediately. Do not join any unverified Zoom/Teams calls,” Kuchař added.

Security researchers at cybersecurity company Huntress have observed that similar attacks have been launched by TA444, a North Korean state-sponsored threat group that operates under the notorious Lazarus Group.

North Korean hackers have drained over $300m

Although this is not a new attack vector, North Korean hackers have already stolen over $300 million using similar techniques, as MetaMask security researcher Taylor Monahan warned last month.

Monahan warned that attackers often rely on previous chat history to learn more about their victims, then use that knowledge to gain their trust.

The most common targets are those deeply embedded in the crypto space, including developers, exchange staff, and company executives. In one example from September last year, a targeted attack against a THORChain executive led to losses of around $1.3 million after a MetaMask wallet was drained without any system prompts or requests for administrator approval.