07/22/2025 - Updated on 07/23/2025
North Korean hackers are once again targeting cryptocurrency developers and industry professionals through live Zoom calls, using deepfake technology and compromised messaging accounts to deliver malware to unsuspecting victims.
According to BTC Prague co-founder Martin Kuchař, the hackers are leveraging hijacked Telegram accounts to pose as trusted contacts.
In a post on X, Kuchař said he was personally targeted after attackers took over a known account and used it to initiate a video call.
During the call, the attackers impersonate the victim’s acquaintance using AI-generated video while remaining muted throughout the session. This tactic is designed to appear like a genuine technical issue rather than suspicious behavior.
The scam escalates when the hackers persuade the victim to install a supposed audio fix, often presented as a plugin or file. Instead of resolving any issue, the download installs malware, typically a Remote Access Trojan, that gives the attackers full control of the victim’s system.
Once access is secured, North Korean hackers can view Telegram contacts and reuse the compromised account to target others in the same network, allowing the campaign to spread rapidly within crypto circles.
Kuchař urged professionals to stay alert as North Korean hackers continue refining their social engineering tactics.
Security researchers at Huntress have also linked similar campaigns to TA444, a North Korean state-sponsored threat actor associated with the Lazarus Group.
Their findings show North Korean hackers repeatedly using trusted communication channels to bypass skepticism.
The technique is not new: North Korean hackers have already stolen more than $300 million using comparable methods, according to recent warnings from MetaMask security researcher Taylor Monahan.
Monahan noted that North Korean hackers often study prior chat histories to understand their targets, tailoring conversations to build trust before launching the attack.
Those most at risk are deeply embedded in the crypto ecosystem, including developers, exchange employees, and senior executives.
In one high-profile case last September, North Korean hackers targeted a THORChain executive, draining approximately $1.3 million from a MetaMask wallet without triggering system prompts or administrator approval, highlighting how sophisticated and dangerous these campaigns have become.
Victor Prince Johnson is a tech writer and crypto blogger with a passion for breaking down complex topics into clear, engaging and accessible content. With a sharp eye on emerging technologies and the ever-evolving world of blockchain and digital finance, I aim to bridge the gap between innovation and everyday understanding. My content explores everything from AI and cybersecurity to Bitcoin trends, DeFi, NFTs and the broader impact of tech on society. Whether you’re a tech enthusiast, crypto investor, or simply curious about where the digital world is headed, you’ll find insights, news, and thought-provoking analysis right here. Do follow me on this site as we explore the future, one post at a time.