North Korea has recently been using fake AI-powered Zoom calls to target individuals in the cryptocurrency sector and empty their wallets in a matter of minutes. How can a simple video conference be enough to take full control of your devices and bypass the vigilance of even the most savvy users?
A large-scale program aimed at funding public accounts
Since early 2020, North Korea has been conducting a global operation to infiltrate companies using its army of “fake remote workers” as part of a revenue-generating program for the government. It appears that part of this workforce has recently been reassigned to a brand-new social engineering campaign, this time targeting the cryptocurrency sector.
WARNING (AGAIN)
DPRK threat actors are still scamming way too many of you via their fake Zoom / fake Teams meetings.
They’re taking over your Telegram accounts -> using them to scam all your friends.
They’ve already stolen over $300m using this method.
Read this. Stop the cycle. pic.twitter.com/tJTo9lkq0v
— Tay (@tayvano_) December 13, 2025
Recently, nearly $300 million was stolen, according to Taylor Monahan (better known by the pseudonym Tayvano), a security researcher at MetaMask.
The modus operandi is fairly well known and documented, as Microsoft Threat Intelligence has been monitoring these activities since 2024. The attacker begins by stealing a coherent and legitimate profile tailored to the target they are aiming for. They then create an entire digital ecosystem around this stolen profile (messaging apps, social media, GitHub or LinkedIn profiles) to establish a legitimate digital footprint.
Artificial intelligence (AI) is then used to superimpose the image from their source profile onto images and videos that serve their objectives. They also use VPNs, VPSs, proxy services, and RMM tools to obscure their geolocation and true digital identity.
This is also what Clarisse Hagège, founder of Dfns, recently told us; she revealed that she had been the target of a hacking attempt carried out by three North Korean hackers.
She also emphasizes that the cryptocurrency sector is a prime target in North Korea’s strategy. Listen to our full interview on our podcast:
Candidates must provide at least three references from their previous jobs. People forget to do this, but it works very well.
A social engineering campaign exploiting platforms such as Teams or Zoom
This strategy is now being repurposed and directed toward new targets. As Taylor Monahan describes, the attack originates from the compromise of a legitimate Telegram account. These target accounts are often venture capitalists or speakers—profiles that can exploit our authority bias.
After carefully analyzing the conversation history of their first victim to build their cover story, they will exploit the contacts already established. These contacts will be directed to Zoom or Teams meetings via a disguised Calendly link.
In the news – North Korea is reportedly behind the $30 million hack of Upbit
In the video, the victim interacts with a repurposed recording of a podcast or public appearance by the authority figure; thanks to clever use of AI, the video feed appears legitimate.
The attacker then simulates audio or video issues. They ask the victim to download an SDK to restore the connection. This SDK deploys a malicious script, installing malware on the target’s machine. This Trojan grants complete control over the victim’s computer, providing full access to the target’s wallets.
Strengthen your operational security and stay vigilant
To protect yourself from these types of threats, it is essential to use strong (strong password) and multi-factor (MFA and 2FA apps) authentication on your communication applications.
It is also important to remember that during a conversation with your contact, you must know who is writing to you (authenticity), you must know that what they are writing to you has not been altered (integrity), and you must ensure that no one else knows what you have exchanged (confidentiality).
Furthermore, never download data packets if you are not certain of their integrity and legitimacy. If this is not the case, you can open them in a dedicated virtual machine to verify their contents.
Finally, if your Telegram account is compromised, delete your account and alert your contacts to warn them and break the chain of scams.
Stay vigilant and keep in mind that your human nature makes you susceptible to cognitive biases (authority bias, familiarity bias, urgency bias, etc.). When these biases are exploited, you are likely to fall victim.