North Korean hackers use AI deepfake video calls to attack cryptocurrency practitioners
Jan 27, 2026 10:46:57
Hacker groups associated with North Korea are continuously upgrading their attack methods against individuals in the cryptocurrency industry. They are using AI-generated deepfake video calls to impersonate people familiar to or trusted by the victims, enticing them to install malware.
Martin Kuchař, co-founder of BTC Prague, revealed that attackers initiate video calls from compromised Telegram accounts and, under the pretext of "fixing Zoom audio issues," lure victims into installing malicious software disguised as a plugin, thereby gaining complete control over their devices. Security research firm Huntress pointed out that this attack pattern is highly consistent with previously disclosed operations against cryptocurrency developers. The malicious scripts can carry out multi-stage infections on macOS devices, including implanting backdoors, logging keystrokes, stealing clipboard content, and accessing cryptocurrency wallet assets.
Researchers have strongly attributed this series of attacks to the North Korean state-sponsored hacker group Lazarus Group (also known as BlueNoroff). The information security head of blockchain security company SlowMist stated that such attacks show clear reuse characteristics across different operations and target specific wallets and cryptocurrency professionals. Analysts believe that as deepfake and voice cloning technologies become more widespread, images and videos are becoming increasingly unreliable as evidence of identity. The cryptocurrency industry needs to remain vigilant and strengthen multi-factor authentication and security measures.