North Korea Hackers Use Deepfake Video Calls to Target Crypto Workers (2026)

North Korea-Linked Hackers Employ Deepfake Video Calls to Target Crypto Workers: A Growing Concern

North Korea-linked hackers targeting cryptocurrency workers through deepfake video calls is a pressing issue, with large financial losses at stake. In a recent incident, BTC Prague co-founder Martin Kuchař described how attackers used a compromised Telegram account and a staged video call to deliver macOS malware disguised as a Zoom audio fix.

This method is reminiscent of a previously documented intrusion technique associated with North Korea's BlueNoroff, a Lazarus sub-group. The attack comes at a time when AI-driven impersonation scams have led to a record $17 billion in crypto losses in 2025, according to blockchain analytics firm Chainalysis.

The attackers' strategy involves contacting victims, setting up Zoom or Teams calls, and using AI-generated video to impersonate someone the victim knows. They then claim an audio issue and ask the victim to install a plugin or file which, once installed, gives the attackers full control of the system. This access enables them to steal Bitcoin, take over Telegram accounts, and target others from those accounts.

This attack is strikingly similar to a technique first documented by cybersecurity company Huntress in July last year. They reported that attackers lure crypto workers into staged Zoom calls after initial contact on Telegram, often using fake meeting links hosted on spoofed Zoom domains. During the call, the attackers claim an audio problem and instruct the victim to install a malicious AppleScript, which initiates a multi-stage macOS infection.

The malware chain installs multiple payloads, including persistent backdoors, keylogging tools, and crypto wallet stealers. This sequence of events is consistent with Kuchař's experience when his Telegram account was compromised and later used to target others in the same manner.

Security researchers at Huntress have attributed the intrusion to a North Korea-linked advanced persistent threat, TA444, also known as BlueNoroff, a sub-group of the Lazarus Group. This state-sponsored group has focused on cryptocurrency theft since at least 2017.

Shān Zhang, chief information security officer at blockchain security firm Slowmist, suggests a possible connection between the latest attack on Kuchař and broader campaigns from the Lazarus Group. However, he emphasizes that no single indicator is decisive, and it's the combination of factors that matters.

David Liberman, co-creator of the decentralized AI compute network Gonka, highlights the need for improved security measures. He states that images and videos can no longer be trusted as reliable proof of authenticity and suggests that digital content should be cryptographically signed by its creator, with multi-factor authorization required.
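Liberman's suggestion of creator-signed content backed by a second authorization factor can be sketched as a small signing and verification routine. This is an added example written for this article, not code from the article, from Gonka or from any of the firms named; the key pairs are generated on the fly, the trusted-key list is assumed to be distributed out of band, and the content bytes used in testing are constructed stand-ins for a real media file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Manifest travels with the content: the SHA-256 of the bytes plus one
// Ed25519 signature per signer over that digest, keyed by public key.
type Manifest struct {
	Digest [32]byte
	Sigs   map[string][]byte
}

// GenKey makes a throwaway Ed25519 key pair for the demo (demo keys only).
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign hashes the content and has every holder of a private key sign the
// digest, e.g. the creator's key and an independently held second factor.
func Sign(content []byte, keys ...ed25519.PrivateKey) Manifest {
	m := Manifest{Digest: sha256.Sum256(content), Sigs: map[string][]byte{}}
	for _, k := range keys {
		pub := k.Public().(ed25519.PublicKey)
		m.Sigs[string(pub)] = ed25519.Sign(k, m.Digest[:])
	}
	return m
}

// Verify recomputes the digest (any edit to the bytes breaks it), then
// counts signatures that validate under trusted public keys; the content
// is accepted only if at least `required` of the trusted keys signed it.
func Verify(content []byte, m Manifest, trusted []ed25519.PublicKey, required int) bool {
	if sha256.Sum256(content) != m.Digest {
		return false
	}
	valid := 0
	for _, pub := range trusted {
		if sig, ok := m.Sigs[string(pub)]; ok && ed25519.Verify(pub, m.Digest[:], sig) {
			valid++
		}
	}
	return valid >= required
}
```

With `required` set to 2 and the creator's key plus a device or hardware-token key in the trusted list, a clip signed by only one key, altered after signing, or co-signed by a key outside the trusted list is rejected.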

The use of familiar social patterns in these attacks makes them even more insidious. North Korea's Lazarus Group has been linked to campaigns targeting crypto firms, workers, and developers, employing tailored malware and sophisticated social engineering to steal digital assets and access credentials.

Article information

Author: Dr. Pierre Goyette