North Korea–Linked Hackers Use Deepfake Video Calls to Target Crypto Workers

North Korea-linked hackers continue to use live video calls, including AI-generated deepfakes, to trick crypto developers and workers into installing malicious software on their own devices.

In the latest instance disclosed by BTC Prague co-founder Martin Kuchař, attackers used a compromised Telegram account and a staged video call to push malware disguised as a Zoom audio fix, he said.

The “high-level hacking campaign” appears to be “targeting Bitcoin and crypto users,” Kuchař disclosed Thursday on X.



Attackers contact the victim and set up a Zoom or Teams call, Kuchař explained. During the call, they use an AI-generated video to appear as someone the victim knows.

They then claim there is an audio problem and ask the victim to install a plugin or file to fix it. Once installed, the malware grants attackers full system access, allowing them to steal Bitcoin, take over Telegram accounts, and use those accounts to target others.

It comes as AI-driven impersonation scams have pushed crypto-related losses to a record $17 billion in 2025, with attackers increasingly using deepfake video, voice cloning, and fake identities to deceive victims and gain access to funds, according to data from blockchain analytics firm Chainalysis.

Similar attacks

The attack, as described by Kuchař, closely matches a technique first documented by cybersecurity company Huntress, which reported in July last year that these attackers lure a target crypto worker into a staged Zoom call after initial contact on Telegram, often using a fake meeting link hosted on a spoofed Zoom domain.

During the call, the attackers would claim there is an audio problem and instruct the victim to install what appears to be a Zoom-related fix, which is actually a malicious AppleScript that initiates a multi-stage macOS infection, according to Huntress.

Once executed, the script disables shell history, checks for or installs Rosetta 2 (a translation layer) on Apple Silicon devices, and repeatedly prompts the user for their system password to gain elevated privileges.

The study found that malware chain installs multiple payloads, including persistent backdoors, keylogging and clipboard tools, and crypto wallet stealers, a similar sequence Kuchař pointed to when he disclosed on Monday that his Telegram account was compromised and later used to target others in the same way.

Social patterns

Security researchers at Huntress have attributed the intrusion with high confidence to a North Korea-linked advanced persistent threat tracked as TA444, also known as BlueNoroff and by several other aliases operating under the umbrella term Lazarus Group, a state-sponsored group focused on cryptocurrency theft since at least 2017.

When asked about the operational goals of these campaigns and whether they think there’s a correlation, Shān Zhang, chief information security officer at blockchain security firm Slowmist, told Decrypt that the latest attack on Kuchař is “possibly” connected to broader campaigns from the Lazarus Group.

“There is clear reuse across campaigns. We consistently see targeting of specific wallets and the use of very similar install scripts,” David Liberman, co-creator of decentralized AI compute network Gonka, told Decrypt.

Images and video “can no longer be treated as reliable proof of authenticity,” Liberman said, adding that digital content “should be cryptographically signed by its creator, and such signatures should require multi-factor authorization.”

Narratives, in contexts such as this, have become “an important signal to track and detect” given how these attacks “rely on familiar social patterns,” he said.

North Korea’s Lazarus Group is tied to campaigns against crypto firms, workers, and developers, using tailored malware and sophisticated social engineering to steal digital assets and access credentials.

Source