North Korean hackers from the notorious Lazarus group used AI deepfakes to impersonate company executives during a fake Zoom call, successfully tricking an employee at a cryptocurrency foundation into downloading malware. The sophisticated social engineering attack, orchestrated by the BlueNoroff unit, demonstrates how state-sponsored cybercriminals are weaponizing AI technology to target high-value cryptocurrency assets, with North Korea having stolen at least $659 million in digital currency in 2024 alone.
The attack methodology: The hackers initiated contact through Telegram, sending a Calendly link that redirected the victim to a fake Zoom domain under their control.
• During the group video call, multiple AI-generated deepfakes of senior company leadership and external contacts convinced the employee they needed to download a special Zoom extension to fix microphone issues.
• The malicious “extension” was actually macOS malware hosted on a lookalike domain at “https[://]support[.]us05web-zoom[.]biz.”
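As an added defensive example (not code from Huntress or the original report), the following Python check refangs the published indicator and flags URLs whose host mentions Zoom but is not under zoom.us, then runs it over a constructed proxy-log excerpt; it assumes zoom.us is the only legitimate Zoom domain in your environment.

```python
import re
from urllib.parse import urlsplit

# Registrable domains treated as genuine Zoom (assumption: zoom.us only).
ALLOWED_SUFFIXES = ("zoom.us",)

# Indicator from the article, in the defanged form it was published in.
DEFANGED_IOC = "https[://]support[.]us05web-zoom[.]biz"

# Constructed proxy-log excerpt for demonstration (not real telemetry; the path is made up).
SAMPLE_LOG = [
    "2024-06-10T09:14:02Z user1 GET https://us05web.zoom.us/j/123456",
    "2024-06-10T09:15:40Z user1 GET https://support.us05web-zoom.biz/download",
    "2024-06-10T09:16:05Z user2 GET https://calendly.com/example/30min",
]
URL_RE = re.compile(r"https?://\S+")


def refang(ioc: str) -> str:
    """Turn defanged notation ('[.]', '[://]', 'hxxp') back into a real URL."""
    s = ioc.replace("[://]", "://").replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def hostname_of(url: str) -> str:
    """Extract the lowercase hostname; prepend a scheme if the URL lacks one."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_legit_zoom_host(host: str) -> bool:
    """True only if host equals, or is a subdomain of, an allowed suffix."""
    return any(host == suf or host.endswith("." + suf) for suf in ALLOWED_SUFFIXES)


def is_zoom_lookalike(url: str) -> bool:
    """Flag hosts that mention 'zoom' anywhere but are not under zoom.us.

    Catches us05web-zoom.biz (a hyphen where us05web.zoom.us has a dot) and
    prefix tricks like zoom.us.attacker.example; brand-free lures are out of scope.
    """
    host = hostname_of(refang(url))
    if not host or is_legit_zoom_host(host):
        return False
    # Light normalisation so 'zo0m' or 'z-o-o-m' style spellings still match.
    return "zoom" in host.replace("-", "").replace("0", "o")


def flagged_urls(lines):
    """Return every URL in the log lines that looks like a Zoom lookalike."""
    return [m.group(0) for line in lines for m in URL_RE.finditer(line)
            if is_zoom_lookalike(m.group(0))]
```

Running `flagged_urls(SAMPLE_LOG)` on the constructed excerpt returns only the lookalike download URL; the genuine us05web.zoom.us meeting link and the unrelated Calendly link are left alone.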
What the malware could do: Huntress, a cybersecurity company, recovered eight different malicious programs from the infected Mac; together they form a comprehensive surveillance toolkit.
• The malware enabled keylogging (recording every keystroke), screen recording, and collection of cryptocurrency-related files.
• It specifically targeted Macs running Apple’s Arm-based chips and would silently install Rosetta 2 if needed to run older x86 programs.
• The attack effectively backdoored the victim’s system, giving hackers extensive access to sensitive information.
Why this matters: The incident highlights the evolving sophistication of North Korean cyber operations and the growing threat to macOS users.
• Remote workers are “often ideal targets” for these types of attacks, according to Huntress.
• “Over the last few years, we have seen macOS become a larger target for threat actors, especially with regard to highly sophisticated, state-sponsored attackers,” the cybersecurity vendor noted.
The bigger picture: This attack represents a significant escalation in social engineering tactics, combining AI deepfakes with traditional malware distribution methods to target the lucrative cryptocurrency sector.
• The Lazarus group’s BlueNoroff unit has become increasingly focused on cryptocurrency theft as part of North Korea’s broader cybercrime strategy.
• The use of AI-generated video calls marks a new frontier in deception technology, making it increasingly difficult for targets to distinguish between legitimate and malicious communications.