Assets
Crypto Deposit
Fiat Deposit
Convert
Transfer
Withdraw
My vouchers
Fund history
Dashboard
Account Security
Identity verification
API Management
Transaction Report
Log out
Register
BTCC / BTCC Square / Cryptopolitan /
North Korean Hackers Unleash Fake Zoom Meeting Ploy to Infiltrate Crypto Companies

North Korean Hackers Unleash Fake Zoom Meeting Ploy to Infiltrate Crypto Companies

Author:
Cryptopolitan
Published:
2026-02-11 11:41:25
6
3

State-sponsored attackers from North Korea are deploying a chillingly simple new tactic: weaponizing the trust of a scheduled video call.

The Bait-and-Switch

It starts with a legitimate-looking calendar invite. A Zoom link, a plausible agenda, maybe even a spoofed sender from a known contact. The target—often a finance or compliance officer at a cryptocurrency exchange or fund—joins, expecting business as usual. Instead, they're hit with a malicious payload disguised as a required software update or document. Click it, and the network is compromised.

Why Crypto? Follow the Money

The sector's combination of high liquidity, pseudonymous transactions, and sometimes-lax security protocols makes it a prime target for nation-state theft. These aren't random scams; they're sophisticated, persistent campaigns designed to fund a regime. It turns the 'digital gold' narrative on its head—now, your portfolio security is a matter of international geopolitics.

The New Perimeter Is Human

Firewalls and cold wallets aren't enough. The attack surface has shifted to the psychological. Security teams are now forced to train employees to distrust the very tools—email, calendars, video conferencing—that enable global business. The irony is thick enough to trade as a meme coin.

A Provocative Close

While the crypto industry obsesses over tokenomics and the next ATH, a silent war is being waged in its inboxes and shared calendars. The most critical smart contract you'll engage with today might just be the one you didn't code—the social contract of trust that a hacker is now exploiting. Maybe spend less on the Super Bowl ad and a bit more on employee phishing simulations, huh?

Fake Zoom call deploys malware attack on crypto firm

In its latest report, Google Mandiant researchers detailed their investigation into an intrusion targeting a FinTech company in the crypto industry. According to investigators, the intrusion began with a compromised Telegram account belonging to a crypto industry executive. 

The attackers used the hijacked profile to contact the victim. They gradually built trust before sending a Calendly invitation for a video meeting. The meeting LINK directed the target to a fake Zoom domain hosted on infrastructure under the threat actors’ control.

During the call, the victim reported seeing what appeared to be a deepfake video of a CEO from another crypto company.

“While Mandiant was unable to recover forensic evidence to independently verify the use of AI models in this specific instance, the reported ruse is similar to a previously publicly reported incident with similar characteristics, where deepfakes were also allegedly used,” the report stated.

North Korea state hackers turn to deepfake Zoom calls to hack crypto firms

Attack chain. Source: Google Cloud

The attackers created the impression of audio problems in the meeting to justify the next step. They instructed the victim to run troubleshooting commands on their device. Those commands, tailored for both macOS and Windows systems, secretly initiated the infection chain. As a result, several malware components were activated.

Mandiant identified seven distinct types of malware used during the attack. The tools were designed to access keychain and steal passwords, retrieve browser cookies and login information, access Telegram session information, and obtain other private files.

Investigators assessed that the objective was twofold: To enable potential crypto theft and harvest data that could support future social engineering attacks. The investigation revealed an unusually large volume of tooling dropped onto a single host. 

AI-linked scam clusters show higher operational efficiency

The incident is part of a broader pattern. North Korean-linked actors siphoned more than $300 million by posing as trusted industry figures during fraudulent Zoom and Microsoft Teams meetings.

The scale of activity throughout the year was even more striking. As reported by Cryptopolitan, North Korean threat groups were responsible for $2.02 billion in stolen digital assets in 2025, a 51% increase from the previous year.

Chainalysis also revealed that scam clusters tied to AI service providers show higher operational efficiency than those without such links. According to the firm, this trend suggests a future in which AI becomes a standard component of most scam operations.

In a report published last November, the Google Threat Intelligence Group (GTIG) noted the threat actor’s use of generative artificial intelligence (AI) tools, such as Gemini. They use them to produce lure materials and other crypto-related messaging as part of their efforts to support their social engineering campaigns.

Since at least 2023, the group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry, such as centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds.

Google.

The group has also been observed attempting to misuse Gemini to develop code to steal crypto assets. They also leverage deepfake images and video lures mimicking individuals in the crypto industry in their campaigns to distribute a backdoor called BIGMACHO to victims by passing it off as a Zoom software development kit (SDK).

Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.

|Square

Get the BTCC app to start your crypto journey

Download on the App Store GEI IT ON Google Play

Get started today Scan to join our 100M+ users

Exchange for a better future

Products
Services
Guides
About Us
Terms & Agreement
Customer Service

Risk warning: Digital asset trading is an emerging industry with bright prospects, but it also comes with huge risks as it is a new market. The risk is especially high in leveraged trading since leverage magnifies profits and amplifies risks at the same time. Please make sure you have a thorough understanding of the industry, the leveraged trading models, and the rules of trading before opening a position. Additionally, we strongly recommend that you identify your risk tolerance and only accept the risks you are willing to take. All trading involves risks, so you must be cautious when entering the market.

The world’s longest-running cryptocurrency exchange since 2011 © 2011 - 2026 BTCC.com. All rights reserved

All articles reposted on this platform are sourced from public networks and are intended solely for the purpose of disseminating industry information. They do not represent any official stance of BTCC. All intellectual property rights belong to their original authors. If you believe any content infringes upon your rights or is suspected of copyright violation, please contact us at [email protected]. We will address the matter promptly and in accordance with applicable laws.BTCC makes no explicit or implied warranties regarding the accuracy, timeliness, or completeness of the republished information and assumes no direct or indirect liability for any consequences arising from reliance on such content. All materials are provided for industry research reference only and shall not be construed as investment, legal, or business advice. BTCC bears no legal responsibility for any actions taken based on the content provided herein.