North Korean Hackers Use Deepfake Zoom Calls in Crypto Theft Attempts
- Dean Charlton
- Jun 25, 2025
- 2 min read
North Korean cybercriminals have escalated their tactics, employing sophisticated deepfake technology in an attempt to pilfer cryptocurrency. In a recent incident detailed by cybersecurity firm Huntress, a crypto foundation employee was targeted in a cunning scheme involving an AI-generated Zoom call that ultimately led to the download of macOS malware. This attack has been attributed to BlueNoroff, a notorious North Korean state-sponsored hacking group.
The elaborate deception began with a seemingly innocuous Calendly invitation. However, this seemingly legitimate link redirected the unsuspecting employee to a counterfeit Zoom domain, meticulously crafted by the attackers. Weeks later, the second phase of the operation unfolded: a scheduled Zoom meeting. Upon joining, the employee was greeted by what appeared to be senior executives from their organisation. In a chilling display of advanced AI capabilities, these "executives" were, in fact, deepfakes, complete with convincing video and audio.

During the call, the employee encountered fabricated audio issues. To "resolve" these, they were prompted to install a Zoom extension. This seemingly helpful solution was, in reality, a malicious AppleScript designed to compromise macOS systems. Huntress, which became aware of the incident in June 2025, meticulously analysed the AppleScript. Their investigation revealed a dangerous payload, including commands for remote code execution, keyloggers, and backdoor access. The forensic trail led directly to BlueNoroff, also known by various aliases such as TA444, Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, and CageyChameleon.
Once activated, the malware was programmed to systematically scan the victim's hard drive for accessible cryptocurrency wallets, with the clear intent of hijacking them. Furthermore, the malicious program was designed to capture clipboard history and to erase its own tracks post-operation, making detection and recovery more challenging. This incident underscores the growing trend of state-sponsored threat actors increasingly targeting macOS users, a platform historically perceived as more secure. As a spokesperson for Huntress noted, "Over the last few years, we have seen macOS become a larger target for threat actors, especially with regard to highly sophisticated, state-sponsored attackers."
To mitigate the risk of such advanced social engineering attacks, cybersecurity experts recommend several crucial precautions, particularly for remote and hybrid workers. Users should exercise extreme caution with unexpected calendar invitations, especially from unknown senders or individuals not typically involved in their meetings. Any sudden requests to switch platforms, install new software or plugins, visit unfamiliar domains, or grant remote access to devices should be treated as immediate red flags. If any suspicious indicators arise, it is imperative to disconnect from the meeting instantly and report the incident to the company's HR or cybersecurity team. Verifying the authenticity of suspicious communications through an alternative, trusted channel, such as a phone call, can be the critical step in preventing costly breaches and reputational damage.
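The first stage of the intrusion above hinged on a calendar invite whose meeting link pointed at a counterfeit Zoom domain, and the advice above is to treat unfamiliar domains as a red flag. The following is an added illustration of how a mail or calendar gateway could automate that check; it is not code from Huntress or from the report, and the invite text, allowed-host list and lookalike domains are constructed sample values.

```python
"""Flag meeting links in a calendar invite whose host is not a genuine Zoom host."""
import re
from urllib.parse import urlparse

# Hosts accepted for video-meeting links (assumed allowlist). Only an exact match
# or a true subdomain counts; "zoom.us.evil.example" and "zoom-us.example" do not.
ALLOWED_MEETING_HOSTS = ("zoom.us",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_allowed_host(host: str) -> bool:
    """True only if host equals an allowed host or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_MEETING_HOSTS)


def find_suspicious_links(invite_text: str) -> list:
    """Return (url, reason) pairs for links that imitate a meeting link but are
    not on the allowlist; unrelated links (e.g. the scheduling page) pass."""
    findings = []
    for url in URL_RE.findall(invite_text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if is_allowed_host(host):
            continue
        # Lookalike heuristic: "zoom" in the host, or a punycode label that can
        # render as a familiar name, on a host that is not actually Zoom's.
        if "zoom" in host or "xn--" in host:
            findings.append((url, f"lookalike host {host}"))
        # Zoom-style join path (/j/<id>) on any other host is also worth a look.
        elif parsed.path.lower().startswith("/j/"):
            findings.append((url, f"join-style link on non-allowlisted host {host}"))
    return findings


# Constructed sample invite body, modelled on the flow described in the article.
SAMPLE_INVITE = """\
Subject: Q3 sync with leadership
Join Zoom Meeting: https://zoom-us.example/j/81234567890?pwd=abc
Backup link: https://us02web.zoom.us/j/81234567890
Scheduled via https://calendly.com/example/30min
"""

if __name__ == "__main__":
    for url, reason in find_suspicious_links(SAMPLE_INVITE):
        print(f"SUSPICIOUS: {url} ({reason})")
```

A hit should route the invite to the verification step the article recommends (a call over a trusted channel), not silently drop it, since legitimate third-party bridges will also trip the join-path heuristic.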