
What To Know:
- North Korea–linked hackers are using AI-generated deepfake video calls to impersonate trusted contacts and trick crypto workers into installing malware.
- The attacks typically begin on Telegram, move to fake Zoom or Teams meetings, and exploit claims of audio issues to push malicious software.
- Once installed, the malware enables wallet theft, account takeovers, and wider targeting across the crypto ecosystem.
North Korea-linked hackers are escalating their attacks on the cryptocurrency sector, now using live deepfake video calls to compromise developers, founders, and operational staff.
Security researchers say these tactics are moving toward highly personalized social engineering that blends artificial intelligence with direct human interaction. The approach lets attackers build trust quickly, compromise personal devices, and quietly drain cryptocurrency and steal credentials.
North Korea: Hackers Resort to Deepfake To Attack Crypto Industry
The latest incident was disclosed by Martin Kuchař, co-founder of BTC Prague, who revealed that attackers used a hijacked Telegram account to initiate contact before arranging a staged video meeting. During the call, the hackers deployed an AI-generated deepfake to impersonate someone familiar to the target.
🚨Urgent Security Warning: Sophisticated Phishing Attack on Crypto Community‼️
A high-level hacking campaign is currently targeting Bitcoin and crypto users. I have been personally affected via a compromised Telegram account.
The Attack Vector:
– Attackers initiate a Zoom or…
— Martin Kuchař (@kucharmartin_) January 22, 2026
According to Kuchař’s post on X, the operation followed a consistent pattern. After initiating contact, the attackers scheduled a Zoom or Microsoft Teams meeting. Once the call began, the impersonator claimed there was an audio malfunction. The victim was then urged to install what was described as a necessary plugin or software fix. The file was malicious.
Once installed, the malware granted full access to the system. From there, attackers were able to extract Bitcoin, compromise crypto wallets, seize Telegram accounts, and reuse those accounts to target additional victims.
Kuchař described the activity as a high-level hacking campaign aimed directly at Bitcoin users and professionals working inside the crypto ecosystem.
Blockchain analytics firm Chainalysis estimates that crypto-related losses tied to such tactics reached a record $17 billion in 2025. Deepfake video, cloned voices, and fabricated digital identities are now central tools in these operations.
Cybersecurity experts note that the attack method closely mirrors techniques documented earlier by security firm Huntress.
In a report published last year, Huntress detailed how North Korea–linked attackers would approach crypto workers on Telegram and direct them toward fake video conferencing links hosted on domains designed to mimic Zoom. During the meeting, the attackers claimed audio issues and instructed the victim to install a supposed fix.
Behind the interface, the file executed a malicious AppleScript that triggered a multi-stage macOS infection.
The script disabled shell history, checked for the presence of Rosetta 2 on Apple Silicon devices (the translation layer needed to run Intel binaries), and repeatedly prompted users to enter their system password. Once elevated privileges were granted, the malware installed multiple payloads including persistent backdoors, keyloggers, clipboard monitoring tools, and crypto wallet stealers.
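The chain described above (a conferencing-themed AppleScript, shell history switched off, a Rosetta 2 check, repeated password prompts, then persistence) is easier to catch as a sequence than as single events, because each step on its own is also seen in legitimate use. The following Python script is an added illustration, not code from Huntress's report or from Kuchař's post: it groups stage matches by process-tree root over a constructed sample of macOS process telemetry and alerts only when several stages appear under one parent. The event format, file names and matching strings are assumptions built for the example, not indicators from any real report.

```python
"""Stage-based hunt for the lure chain described above, run over constructed
macOS process telemetry.  Added example: the event format, the file names and
the matching strings are assumptions, not indicators from any real report."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): "pid ppid | command line".
# pids 700-706 mimic the described chain; 800-801 are benign osascript use.
SAMPLE_EVENTS = """\
700 1   | /usr/bin/osascript /Users/dev/Downloads/zoom_sdk_support.scpt
701 700 | /bin/zsh -c 'unset HISTFILE; set +o history'
702 700 | /usr/bin/pgrep oahd
703 700 | /usr/bin/osascript -e 'display dialog "Zoom needs your password" default answer "" with hidden answer'
704 700 | /usr/bin/osascript -e 'display dialog "Zoom needs your password" default answer "" with hidden answer'
705 700 | /usr/bin/osascript -e 'do shell script "/tmp/.zoom/installer" with administrator privileges'
706 705 | /bin/launchctl load /Users/dev/Library/LaunchAgents/com.zoom.update.plist
800 1   | /usr/bin/osascript /Users/dev/Scripts/rename_photos.scpt
801 800 | /bin/mv /Users/dev/Pictures/a.jpg /Users/dev/Pictures/b.jpg
"""

# One regex per stage of the chain the article describes.  Each alone is
# noisy (pgrep oahd is legitimate); the alert needs several under one root.
STAGES = {
    "lure_script":   re.compile(r"osascript\s+\S*(zoom|teams|meet)\S*\.scpt", re.I),
    "history_off":   re.compile(r"unset HISTFILE|set \+o history|history -c"),
    "rosetta_check": re.compile(r"\boahd\b|/usr/libexec/rosetta"),
    "pw_prompt":     re.compile(r"display dialog .*with hidden answer|with administrator privileges"),
    "persistence":   re.compile(r"launchctl\s+(load|bootstrap)\b.*LaunchAgents"),
}


def parse_events(text):
    """Return (pid, ppid, cmd) tuples from the constructed telemetry format."""
    events = []
    for line in text.splitlines():
        left, _, cmd = line.partition("|")
        pid, ppid = left.split()
        events.append((int(pid), int(ppid), cmd.strip()))
    return events


def root_of(pid, parent):
    """Walk ppid links up to the top-most process present in the telemetry."""
    seen = set()
    while parent.get(pid) in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
    return pid


def hunt(text, min_stages=3):
    """Group stage hits by process-tree root; report roots with >= min_stages."""
    events = parse_events(text)
    parent = {pid: ppid for pid, ppid, _ in events}
    hits = defaultdict(lambda: {"stages": set(), "pw_prompts": 0})
    for pid, _, cmd in events:
        root = root_of(pid, parent)
        for stage, rx in STAGES.items():
            if rx.search(cmd):
                hits[root]["stages"].add(stage)
                if stage == "pw_prompt":
                    hits[root]["pw_prompts"] += 1  # repeated prompting is the tell
    return {root: {"stages": sorted(h["stages"]), "pw_prompts": h["pw_prompts"]}
            for root, h in hits.items() if len(h["stages"]) >= min_stages}


if __name__ == "__main__":
    for root, finding in hunt(SAMPLE_EVENTS).items():
        print(f"ALERT root pid {root}: stages={finding['stages']} "
              f"password prompts={finding['pw_prompts']}")
```

On the sample, only the tree rooted at pid 700 trips all five stages with three password prompts; the benign osascript job at pid 800 matches nothing. In a real deployment the same grouping logic would sit on EDR process events rather than a text blob, and the regexes would be tuned to the scripts actually seen.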
Kuchař later confirmed that after his own Telegram account was compromised, it was used to contact others using the same approach.
Researchers at Huntress attribute the intrusion with high confidence to a North Korea–linked advanced persistent threat group tracked as TA444. The group is also known as BlueNoroff and operates under the broader Lazarus Group umbrella.
Lazarus has been connected to crypto-focused cyber operations since at least 2017 and is believed to be one of the primary sources of state-backed digital asset theft.
Shān Zhang, chief information security officer at blockchain security firm SlowMist, said the attack on Kuchař aligns closely with known Lazarus tradecraft.
According to Zhang, no single indicator confirms attribution. Instead, investigators look at combined signals such as reused scripts, wallet targeting patterns, infrastructure similarities, and behavioral timing.
Deepfake-enabled lures, he explained, typically rely on newly created meeting accounts and imitation conferencing links. The conversation quickly becomes structured and time-sensitive, with intentional pressure applied early to convince the victim to install the software fix.
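Both the Huntress write-up (links on domains built to mimic Zoom) and Zhang's description (newly created meeting accounts and imitation conferencing links) point at the same cheap pre-check: vet the meeting link against the conferencing hosts the organisation actually uses before anyone clicks it. The Python below is an added example, not tooling from SlowMist, Huntress or Kuchař; the allow-list, the brand words and the sample links are assumptions constructed for the illustration.

```python
"""Vet a conferencing link before joining.  Added example, not SlowMist's or
Huntress's tooling; the allow-list and the brand words are assumptions to tune."""
from urllib.parse import urlsplit

# Assumed allow-list: hosts the organisation actually uses for meetings.
ALLOWED_HOSTS = ("zoom.us", "teams.microsoft.com", "teams.live.com", "meet.google.com")
# Brand words that lookalike domains tend to carry.
BRAND_WORDS = ("zoom", "teams", "microsoft", "meet", "google")


def vet_meeting_link(url):
    """Return (verdict, reason); verdict is 'allow', 'review' or 'reject'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return "reject", "not an https URL with a hostname"
    if parts.username is not None:
        # https://zoom.us@evil.example/ shows "zoom.us" first in a chat preview
        return "reject", f"user-info before the host hides the real host {host}"
    if any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS):
        return "allow", f"{host} is under an allow-listed conferencing domain"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "reject", f"{host} uses a punycode label (possible homoglyph)"
    if any(word in host for word in BRAND_WORDS):
        return "reject", f"{host} carries a conferencing brand name outside the allow-list"
    return "review", f"{host} is unknown: confirm the meeting out of band before joining"


def vet_many(urls):
    """Map each link to its verdict; handy for scanning a chat export."""
    return {u: vet_meeting_link(u)[0] for u in urls}


# Constructed sample links (not from any real campaign).
SAMPLE_LINKS = [
    "https://us02web.zoom.us/j/123456789",
    "https://teams.microsoft.com/l/meetup-join/abc",
    "https://zoom.us.meeting-fix.example/j/123456789",
    "https://zoom-sdk-support.example/fix",
    "https://zoom.us@meeting-fix.example/j/123456789",
    "https://xn--zom-abc.example/j/1",
    "http://us02web.zoom.us/j/123456789",
    "https://calendar.example/invite/42",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = vet_meeting_link(link)
        print(f"{verdict:6} {link}  ({reason})")
```

The check is deliberately conservative: anything outside the allow-list that borrows a brand name is rejected outright, and an unknown host is sent for out-of-band confirmation rather than allowed. It does not replace the human step that actually breaks this lure, which is refusing to install any "audio fix" a meeting host pushes mid-call.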
David Liberman, co-creator of the decentralized AI compute network Gonka, said researchers continue to observe repeated technical patterns across campaigns. Similar installation scripts appear across multiple incidents, often targeting specific wallets or developer environments.
