North Korean hackers accelerate sophisticated campaigns with AI deepfake against the crypto industry
Hackers linked to the North Korean regime are deploying new, more sophisticated attack tactics against cryptocurrency professionals using deepfake videos generated with artificial intelligence. According to recent reports, these hackers deceive their targets by impersonating trusted individuals in digitally manipulated video calls, persuading them to install malware on their devices. The operation represents a significant escalation in the cyber warfare against the cryptocurrency community, combining social engineering techniques with cutting-edge technologies.
Visual Deception: How These Sophisticated Campaigns Operate
Martin Kuchař, one of the main organizers of BTC Prague, was a victim of this advanced attack method. Cybercriminals established initial contact through compromised Telegram accounts, then used deepfake video calls to impersonate known contacts. The lure relies on a common pretext: convincing the victim that they need to install an “audio plugin” to fix technical issues on platforms like Zoom. Once installed, the supposedly harmless software opens the door to full control of the compromised device.
This video-based impersonation technique has matured thanks to advances in voice cloning and synthetic image technology. Attackers carefully research their targets on social media and professional platforms before executing the attack, selecting high-value victims within the crypto industry.
Malicious Code Capabilities and Deployment
Security research firm Huntress has conducted an in-depth analysis of the malicious scripts used in these operations. The scripts run multi-stage infections specifically designed for macOS systems, deploying their malicious capabilities in stages.
Once inside the device, the malware establishes backdoors to maintain persistent access even after the user discovers the infection. The code also logs every keystroke, capturing passwords, recovery phrases, and other sensitive data. Additionally, the malware reads the device’s clipboard, extracting wallet addresses and private keys that have recently been copied. The ultimate goal is to compromise the cryptocurrency wallet assets stored on the machine.
Lazarus Group: The Organization Behind the Campaign
Security investigators have confidently attributed these operations to Lazarus Group, also known as BlueNoroff, a hacking organization directly sponsored by the North Korean state. This group has been responsible for some of the most notable cyberattacks against the cryptocurrency industry in recent years, including massive exchange thefts and DeFi protocol compromises.
The security team at SlowMist, a blockchain defense firm, has confirmed that these campaigns exhibit patterns consistent with previous Lazarus Group operations. The hackers demonstrate deep knowledge of crypto infrastructure, specifically targeting technical professionals, developers, and wallet operators with access to significant assets. The coordination and resources behind these operations confirm state sponsorship.
The Growing Threat of Deepfake in Identity Verification
Security analyses reveal a concerning trend: deepfake and voice cloning technologies have reached a level of sophistication where images and videos can no longer be considered reliable proof of authenticity. In the past, a video call was considered a relatively secure way to verify a contact’s identity. Today, these hackers demonstrate that digital fakes can be virtually indistinguishable from the real thing.
This fundamental shift in the threat landscape forces the crypto industry to completely rethink its security protocols. Visual trust is no longer sufficient. Crypto professionals must implement multi-layered identity verification methods that do not rely solely on visual or auditory confirmation.
Critical Defensive Measures for Crypto Professionals
In light of these hackers’ sophistication, the community must adopt more robust security practices. Multi-factor authentication is essential: any asset transfer should require multiple independent verifications, ideally through completely separate channels.
Implementing hardware security keys (such as YubiKeys) for accessing wallets and critical services is recommended, so that a password captured by a keylogger is no longer enough on its own to gain access. Users should be wary of any unexpected requests to install software, even if they come from seemingly trusted contacts. Verifying these requests through alternative communication channels is crucial.
Furthermore, crypto professionals should consider using dedicated devices for sensitive wallet operations, keeping these machines isolated from video conferencing apps or social media networks. The industry must stay vigilant against evolving tactics from these hackers, sharing indicators of compromise and keeping systems updated with the latest security patches.
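The separate-channel rule above can be enforced mechanically rather than left to judgment. The following added example (not code from the article or from any firm it cites) sketches an approval policy for asset transfers: approvals that arrive over the same channel the request came in on (for instance, a compromised Telegram account) are discarded, and the remaining approvals must come from distinct people over distinct channels. Channel names and the threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

REQUIRED_APPROVALS = 2  # assumed policy threshold


@dataclass(frozen=True)
class Approval:
    approver: str
    channel: str  # assumed labels, e.g. "telegram", "phone_callback", "hardware_key"


@dataclass
class TransferRequest:
    amount: float
    destination: str
    origin_channel: str  # the channel the transfer request itself arrived on
    approvals: list = field(default_factory=list)


def check_transfer(req: TransferRequest) -> tuple[bool, str]:
    """Approve only with enough approvals that are independent of the requesting channel."""
    # An approval riding the same channel as the request proves nothing: if that
    # account is compromised, the attacker controls both the request and its "confirmation".
    independent = [a for a in req.approvals if a.channel != req.origin_channel]
    channels = {a.channel for a in independent}
    approvers = {a.approver for a in independent}
    if len(channels) < REQUIRED_APPROVALS:
        return False, (f"need {REQUIRED_APPROVALS} distinct channels independent of "
                       f"'{req.origin_channel}', got {sorted(channels)}")
    if len(approvers) < REQUIRED_APPROVALS:
        return False, "approvals must come from distinct people"
    return True, "approved"


if __name__ == "__main__":
    # Constructed sample: request arrives over Telegram, "confirmed" over Telegram again.
    weak = TransferRequest(5.0, "bc1q-example", "telegram",
                           [Approval("alice", "telegram"), Approval("bob", "telegram")])
    print(check_transfer(weak))  # rejected: no independent channel
    # Constructed sample: the same request confirmed by two people out of band.
    strong = TransferRequest(5.0, "bc1q-example", "telegram",
                             [Approval("alice", "phone_callback"), Approval("bob", "hardware_key")])
    print(check_transfer(strong))  # approved
```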