Here’s how North Korea empties your wallets via Zoom

by Patricia

North Korea has recently been using fake AI-powered Zoom calls to trap cryptocurrency users and empty their wallets in a matter of minutes. How can a simple video conference be enough to take complete control of your devices and bypass even the most vigilant security measures?

A large-scale program aimed at filling public coffers

Since the beginning of 2020, North Korea has been conducting a global operation to infiltrate companies with its army of “fake teleworkers” as part of a program to generate revenue for the government. It appears that part of this workforce has recently been reassigned to a brand new social engineering campaign, this time targeting the cryptocurrency sector.

Recently, nearly $300 million has been stolen, according to Taylor Monahan (better known by the pseudonym Tayvano), a security researcher at MetaMask.

The modus operandi is fairly well known and documented, as Microsoft Threat Intelligence has been monitoring these activities since 2024. The attacker starts by stealing a coherent, legitimate profile suited to the target. They then build an entire digital ecosystem around this stolen profile (messaging, social media, GitHub or LinkedIn profiles) to establish a credible digital footprint.

Artificial intelligence (AI) is then used to superimpose the image from their source profile onto images and videos that serve their purposes. They also use VPNs, VPSs, proxy services, and RMM tools to obscure their geolocation and true digital identity.

This is also what Clarisse Hagège, founder of Dfns, recently told us when she confided that she had been the target of an intrusion attempt by three North Korean hackers.

She also points out that the cryptocurrency sector is a prime target in North Korea’s strategy. Listen to our full interview in our podcast:

Candidates must provide at least three references from previous jobs. People forget to do this, but it works very well.

A social engineering campaign exploiting platforms such as Teams and Zoom

This strategy is now being recycled and directed toward new targets. As Taylor Monahan describes, the attack originates from the compromise of a legitimate Telegram account. These target accounts are often venture capitalists or conference speakers, profiles that can exploit our authority bias.

After carefully analyzing the first victim's conversation history to flesh out their cover story, they turn to that victim's existing contacts, who are directed to Zoom or Teams meetings via a disguised Calendly link.

In the video, the victim interacts with a recycled recording of a podcast or public appearance by the authority figure. Thanks to clever use of AI, the video stream appears legitimate.

The attacker then simulates audio or video problems. They ask their victim to download an SDK that will allow them to reestablish the connection. The SDK deploys a malicious script, installing malware on the target’s machine. This Trojan horse grants complete control over the victim’s computer, giving full access to the target’s wallets.

Strengthen your operational security and remain vigilant

To protect yourself from these threats, start with strong authentication on your communication applications: a strong password combined with multi-factor authentication (an MFA/2FA app).

It is also important to remember that when you chat with someone, you need to know who is writing to you (authenticity), you need to know that what they write has not been altered in transit (integrity), and you need to be sure that no one else can read what you exchange (confidentiality).

In addition, never download packages unless you are certain of their integrity and legitimacy. If you have any doubt, open them in a dedicated virtual machine to inspect their content before running anything.
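One concrete way to apply the integrity check above, before a downloaded "SDK" or archive is ever opened, is to compare its SHA-256 digest with the digest the vendor publishes on its official site and refuse to proceed on any mismatch. The script below is an added example written for this article, not code from the article or from any vendor; the file name, the stand-in file content and the "published" digest are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a downloaded file against a published SHA-256 digest
# before opening it. Nothing here executes the downloaded file.

# digest_of FILE -> prints the lower-case SHA-256 hex digest of FILE.
# Uses sha256sum where available (GNU coreutils), else shasum (macOS/BSD).
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 256 "$1" | awk '{print tolower($1)}'
    fi
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 only when FILE exists and its digest equals EXPECTED_SHA256
# (case-insensitive); returns 1 otherwise and reports both digests.
verify_download() {
    file="$1"
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ ! -f "$file" ]; then
        echo "REFUSED: no such file: $file" >&2
        return 1
    fi
    actual=$(digest_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published digest"
        return 0
    fi
    echo "REFUSED: digest mismatch for $file" >&2
    echo "  published: $expected" >&2
    echo "  actual:    $actual" >&2
    return 1
}

# --- Demonstration with constructed data (not a real SDK) -------------------
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/sdk.tar.gz"        # stand-in for the download
# SHA-256 of the six bytes "hello\n"; plays the role of the vendor's digest.
PUBLISHED=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
# A digest that does not match, simulating a tampered or swapped file.
TAMPERED=0000000000000000000000000000000000000000000000000000000000000000

if verify_download "$demo_dir/sdk.tar.gz" "$PUBLISHED"; then
    echo "safe to inspect in the sandbox VM"
fi
if ! verify_download "$demo_dir/sdk.tar.gz" "$TAMPERED"; then
    echo "do not open; report the link to the sender through another channel"
fi
rm -rf "$demo_dir"
```

The digest to compare against must come from a source independent of the chat that delivered the link (the vendor's own download page, reached by typing the address yourself); a checksum pasted by the same Telegram contact proves nothing, since an attacker who controls the account controls both values.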

Finally, if your Telegram account is compromised, delete the account and alert your contacts so that they are warned and the chain of scams is broken.

Stay vigilant and keep in mind that human cognition exposes you to cognitive biases (authority bias, familiarity bias, urgency bias, and so on). When an attacker exploits them, you are likely to fall for the scam.
