{"id":60462,"date":"2026-01-27T09:39:15","date_gmt":"2026-01-27T02:39:15","guid":{"rendered":"https:\/\/hbbgroup.net\/north-korea-linked-hackers-use-deepfake-video-calls-to-target-crypto-workers\/"},"modified":"2026-01-27T09:39:15","modified_gmt":"2026-01-27T02:39:15","slug":"north-korea-linked-hackers-use-deepfake-video-calls-to-target-crypto-workers","status":"publish","type":"post","link":"https:\/\/hbbgroup.net\/vi\/north-korea-linked-hackers-use-deepfake-video-calls-to-target-crypto-workers\/","title":{"rendered":"North Korea\u2013Linked Hackers Use Deepfake Video Calls to Target Crypto Workers"},"content":{"rendered":"<div>\n<div>\n<h4 color=\"#333\">In brief<\/h4>\n<ul>\n<li>Attackers have used a fake video call and a Zoom \u201caudio fix\u201d to deliver macOS malware.<\/li>\n<li>The method matches a previously documented intrusion method tied to North Korea\u2019s BlueNoroff, a Lazarus sub-group.<\/li>\n<li>The incident comes as AI-driven impersonation scams pushed crypto losses to a record $17 billion in 2025.<\/li>\n<\/ul>\n<\/div>\n<p><span>North Korea-linked hackers continue to use live video calls, including AI-generated deepfakes, to trick crypto developers and workers into installing malicious software on their own devices.<\/span><\/p>\n<p><span>In the latest instance disclosed by BTC Prague co-founder Martin Kucha\u0159, attackers used a compromised Telegram account and a staged video call to push malware disguised as a Zoom audio fix, he said.<\/span><\/p>\n<p><span>The \u201chigh-level hacking campaign\u201d appears to be \u201ctargeting Bitcoin and crypto users,\u201d Kucha\u0159 <\/span><a href=\"https:\/\/x.com\/kucharmartin_\/status\/2014268846094311739?s=20\" target=\"_blank\" rel=\"nofollow external noopener\"><span>disclosed<\/span><\/a><span> Thursday on X.<\/span><\/p>\n<p><span>Attackers contact the victim and set up a Zoom or Teams call, Kucha\u0159 explained. 
During the call, they use an AI-generated video to appear as someone the victim knows.<\/span><\/p>\n<p><span>They then claim there is an audio problem and ask the victim to install a plugin or file to fix it. Once installed, the malware grants attackers full system access, allowing them to steal Bitcoin, take over Telegram accounts, and use those accounts to target others.<\/span><\/p>\n<p><span>It comes as AI-driven impersonation scams have pushed crypto-related losses to a <\/span><a href=\"https:\/\/decrypt.co\/354624\/ai-impersonation-drove-crypto-scam-losses-record-17-billion-2025-chainalysis\" target=\"_blank\"><span>record $17 billion<\/span><\/a><span> in 2025, with attackers increasingly using deepfake video, voice cloning, and fake identities to deceive victims and gain access to funds, according to data from blockchain analytics firm Chainalysis.<\/span><\/p>\n<h2 color=\"#333\"><b>Similar attacks<\/b><\/h2>\n<p><span>The attack, as described by Kucha\u0159, closely matches a <\/span><a href=\"https:\/\/www.huntress.com\/blog\/inside-bluenoroff-web3-intrusion-analysis\" target=\"_blank\" rel=\"nofollow external noopener\"><span>technique<\/span><\/a><span> first documented by cybersecurity company Huntress, which reported in July last year that these attackers lure a target crypto worker into a staged Zoom call after initial contact on Telegram, often using a fake meeting link hosted on a spoofed Zoom domain.<\/span><\/p>\n<p><span>During the call, the attackers would claim there is an audio problem and instruct the victim to install what appears to be a Zoom-related fix, which is actually a malicious AppleScript that initiates a multi-stage macOS infection, according to Huntress.<\/span><\/p>\n<p><span>Once executed, the script disables shell history, checks for or installs Rosetta 2 (a translation layer) on Apple Silicon devices, and repeatedly prompts the user for their system password to gain elevated privileges.<\/span><\/p>\n<p><span>The study 
found that the malware chain installs multiple payloads, including persistent backdoors, keylogging and clipboard tools, and crypto wallet stealers, a similar sequence Kucha\u0159 pointed to when he disclosed on Monday that his Telegram account was <\/span><a href=\"https:\/\/x.com\/kucharmartin_\/status\/2015845157749285344?s=20\" target=\"_blank\" rel=\"nofollow external noopener\"><span>compromised<\/span><\/a><span> and later used to target others in the same way.<\/span><\/p>\n<h2 color=\"#333\"><b>Social patterns<\/b><\/h2>\n<p><span>Security researchers at Huntress have attributed the intrusion with high confidence to a North Korea-linked advanced persistent threat tracked as TA444, also known as BlueNoroff and by several other aliases operating under the umbrella term Lazarus Group, a <\/span><a href=\"https:\/\/decrypt.co\/312561\/north-koreas-hacking-ops-lazarus-group-paradigm\" target=\"_blank\"><span>state-sponsored group<\/span><\/a><span> focused on cryptocurrency theft since at least 2017.<\/span><\/p>\n<p><span>When asked about the operational goals of these campaigns and whether they think there\u2019s a correlation, Sh\u0101n Zhang, chief information security officer at blockchain security firm Slowmist, told <\/span><i><span>Decrypt<\/span><\/i><span> that the latest attack on Kucha\u0159 is \u201cpossibly\u201d connected to broader campaigns from the Lazarus Group.<\/span><\/p>\n<p><span>\u201cThere is clear reuse across campaigns. 
We consistently see targeting of specific wallets and the use of very similar install scripts,\u201d David Liberman, co-creator of decentralized AI compute network Gonka, told <\/span><i><span>Decrypt<\/span><\/i><span>.<\/span><\/p>\n<p><span>Images and video \u201ccan no longer be treated as reliable proof of authenticity,\u201d Liberman said, adding that digital content \u201cshould be cryptographically signed by its creator, and such signatures should require multi-factor authorization.\u201d<\/span><\/p>\n<p><span>Narratives, in contexts such as this, have become \u201can important signal to track and detect\u201d given how these attacks \u201crely on familiar social patterns,\u201d he said.<\/span><\/p>\n<p><span>North Korea\u2019s Lazarus Group is tied to campaigns against crypto <\/span><a href=\"https:\/\/decrypt.co\/329225\/inside-north-korea-hiring-scams-crypto-firms\" target=\"_blank\"><span>firms<\/span><\/a><span>, <\/span><a href=\"https:\/\/decrypt.co\/333513\/north-korean-fake-job-offers-cloud-systems-steal-billions-crypto\" target=\"_blank\"><span>workers<\/span><\/a><span>, and <\/span><a href=\"https:\/\/decrypt.co\/312797\/north-korean-it-workers-infiltrated-european-solana-based-projects-google\" target=\"_blank\"><span>developers<\/span><\/a><span>, using tailored malware and sophisticated social engineering to steal digital assets and access credentials.<\/span><\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In brief Attackers have used a fake video call and a Zoom \u201caudio fix\u201d to deliver macOS malware. 
The method [&hellip;]<\/p>","protected":false},"author":5,"featured_media":60463,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[220],"tags":[],"class_list":["post-60462","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tien-dien-tu"],"acf":[],"_links":{"self":[{"href":"https:\/\/hbbgroup.net\/vi\/wp-json\/wp\/v2\/posts\/60462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hbbgroup.net\/vi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hbbgroup.net\/vi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hbbgroup.net\/vi\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/hbbgroup.net\/vi\/wp-json\/wp\/v2\/comments?post=60462"}],"version-history":[{"count":0,"href":"https:\/\/hbbgroup.net\/vi\/wp-json\/wp\/v2\/posts\/60462\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hbbgroup.net\/vi\/wp-json\/wp\/v2\/media\/60463"}],"wp:attachment":[{"href":"https:\/\/hbbgroup.net\/vi\/wp-json\/wp\/v2\/media?parent=60462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hbbgroup.net\/vi\/wp-json\/wp\/v2\/categories?post=60462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hbbgroup.net\/vi\/wp-json\/wp\/v2\/tags?post=60462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}