    Video of Industry Figures Harvested During Meetings and Used to Lure Future Victims

    Mathew J. Schwartz (euroinfosec) • April 27, 2026

    Crypto-Targeting North Koreans Wield Fake Zoom Meetings

    Fake online meetings with cryptocurrency executives are being recorded and turned into avenues for real fraud, warn researchers who say North Korean hackers have taken to harvesting video of real-life industry figures to lure future victims.


    A Monday report from cybersecurity firm Arctic Wolf says money-hungry North Korean hackers have taken impersonation to new heights by capturing video footage when a victim joins a virtual meeting.

    Here’s how the attacks unfold: Victims receive a Calendly invite – typically for months in the future – for a “catch-up” meeting in the form of a Google Meet event, ostensibly sent by a well-known individual in the field. If they accept, the attacker later swaps out the link for a typosquatted Zoom or Teams link that looks legitimate, down to “the URL structure, including meeting ID and password parameter,” the researchers said.

    When a victim clicks on the link, they’re taken to a self-contained JavaScript application that displays a perfect replica of Zoom or Teams. After clicking “Join,” the app requests video and audio access, as would be normal. “The fake meeting room they enter is populated with what appear to be other participants: their video tiles show faces, there’s apparent motion and an ‘active speaker’ indicator cycles between participants every three to five seconds to simulate the rhythm of a real conversation,” Arctic Wolf said.

    “But none of this is live.”

    The attacker-built app is replaying “pre-staged media assets, loaded by the HTML page at runtime: either stolen footage of real people, artificial intelligence-generated still images or deepfake composite video,” they said. As the attack unfolds, the next ruse centers on the audio not working, leading to a ClickFix-style attack in which the attackers typically push an “SDK Update” script designed to download second-stage malware.
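One defensive check the attack chain above suggests, written here as an added example rather than code from the article or from Arctic Wolf: compare the meeting link in the invite a user accepted with the link now on the calendar event, and validate the current host against an allowlist so that a lookalike domain copying Zoom's `/j/<meeting id>?pwd=` or Teams' `/l/meetup-join/` structure is flagged. The allowlist, the sample links and the `.example` lookalike host are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed allowlist of legitimate meeting hosts (assumption: a defender
# maintains this list; it is not taken from the Arctic Wolf report).
ALLOWED_SUFFIXES = ("zoom.us", "teams.microsoft.com", "teams.live.com",
                    "meet.google.com")
# Real Zoom join links look like https://<sub>.zoom.us/j/<meeting id>?pwd=...
ZOOM_JOIN_PATH = re.compile(r"^/j/\d{9,11}/?$")
# Real Teams join links look like https://teams.microsoft.com/l/meetup-join/...
TEAMS_JOIN_PATH = re.compile(r"^/l/meetup-join/")
BRAND_WORDS = ("zoom", "teams", "microsoft")

def host_is_allowed(host: str) -> bool:
    """Exact or subdomain match only: 'zoom.us.attacker.example' must fail."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def classify_meeting_link(url: str) -> tuple[str, str]:
    """Return (verdict, reason): 'ok', 'lookalike' or 'unknown'."""
    p = urlparse(url)
    host = p.hostname or ""
    if host_is_allowed(host):
        return "ok", f"{host} is on the allowlist"
    # The campaign copies the URL structure, including meeting ID and pwd,
    # so a matching path on a non-allowlisted host is the strongest signal.
    mimics_zoom = bool(ZOOM_JOIN_PATH.match(p.path)) and "pwd" in parse_qs(p.query)
    mimics_teams = bool(TEAMS_JOIN_PATH.match(p.path))
    brand_in_host = any(w in host for w in BRAND_WORDS)
    if mimics_zoom or mimics_teams or brand_in_host:
        return "lookalike", f"{host} is not on the allowlist but imitates a meeting link"
    return "unknown", f"{host} is not on the allowlist"

def audit_invite(original_url: str, current_url: str) -> dict:
    """Compare the link in the accepted invite with the link now on the event.
    A changed host is only 'suspicious' when the new host is not allowlisted."""
    orig_host = (urlparse(original_url).hostname or "").lower()
    cur_host = (urlparse(current_url).hostname or "").lower()
    verdict, reason = classify_meeting_link(current_url)
    changed = orig_host != cur_host
    return {"link_changed": changed, "verdict": verdict, "reason": reason,
            "suspicious": changed and verdict != "ok"}

if __name__ == "__main__":
    # Constructed sample: invite accepted as Google Meet, later swapped out.
    original = "https://meet.google.com/abc-defg-hij"
    swapped = "https://us02web.zoom-us.example/j/81234567890?pwd=c0nstructed"
    print(audit_invite(original, swapped))
```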

    Whether or not the attackers successfully exfiltrate data from a victim’s system, they can also use captured footage as a lure for future targets. “The victim becomes a future ‘meeting participant’ in attacks targeting other people in their own professional network. This is the self-reinforcing engine powering the whole campaign: each new victim generates the raw material needed to make the next attack more convincing,” Arctic Wolf said.

    The firm said with “high confidence,” based in part on infrastructure overlaps with previously seen campaigns, that this campaign appears to be the work of the financially motivated threat group tracked as BlueNoroff, a subset of the Lazarus nation-state hacking team tied to the North Korean military’s Reconnaissance General Bureau, the country’s leading foreign intelligence agency.

    Also tracked as APT38, Stardust Chollima and Nickel Gladstone, and active since at least 2014, the group’s previous hits have included the attempted SWIFT heist of nearly $1 billion from Bangladesh Bank in 2016, resulting in the successful theft of $81 million.

    Probing a targeted attack against an unnamed Web3 or cryptocurrency figure in North America that led to a network intrusion on Jan. 23, the researchers said they gained access to the attackers’ infrastructure and discovered 100 additional targets of the group – 41 in the United States, 11 in Singapore and 7 in the United Kingdom. Of the targets, 80% operate in the cryptocurrency space, and 45% are CEOs or founders, they said.

    Researchers also found over 80 typosquatted domains designed to look like real Zoom or Teams links, all of which were registered from late in 2025 through last month.

    BlueNoroff continues to refine its tactics. Cybersecurity firm Huntress, in a June 2025 teardown of an earlier version of this campaign targeting macOS users, said up to eight different malicious binaries might get installed on a victim’s system, ranging from keyloggers to backdoors to crypto stealers.

    The campaigns reflect the Democratic People’s Republic of Korea’s insatiable appetite for cash. Hackers tied to the DPRK, ruled from Pyongyang by the brutal, hereditary dictator Kim Jong Un, continue to pummel cryptocurrency exchanges and crypto holders alike. The stolen funds enable the regime to maintain its luxurious lifestyle, as well as support the country’s development of weapons of mass destruction, including nuclear weapons and ballistic missiles.

    Blockchain intelligence firm Chainalysis said North Korea stole $2 billion in cryptocurrency last year, a 51% increase from 2024, bringing its total crypto haul to $6.75 billion (see: North Korean Hackers Tied to $1.3B in Stolen Crypto in 2024).

    North Korea is already suspected of being behind the largest cryptocurrency theft to date this year, involving 116,500 Liquid Restaking tokens linked to Ethereum and worth about $290 million, from KelpDAO’s LayerZero bridge. “This was not a smart contract hack, but a sophisticated attack on off-chain infrastructure,” Chainalysis said.

    LayerZero said the attack appeared to be executed by a Lazarus sub-group tracked as TraderTraitor, which has been tied to some of the largest crypto heists in history. LayerZero, which runs a blockchain interoperability protocol, said the hackers exploited KelpDAO’s failure to follow industry best practices – and its long-standing guidance – when it only used a sole decentralized verifier network to safeguard transactions.
