North Korean Hackers Use AI Deepfakes in $17B Crypto Scam

This article was prepared using automated systems that process publicly available information. It may contain inaccuracies or omissions and is provided for informational purposes only. Nothing herein constitutes financial, investment, legal, or tax advice.

Introduction

State-sponsored hackers from North Korea are deploying AI-generated deepfake video calls in a sophisticated social engineering campaign targeting cryptocurrency professionals, a scheme contributing to record crypto losses estimated at $17 billion in 2025. The attacks, attributed to the Lazarus subgroup BlueNoroff, involve staged Zoom meetings where attackers impersonate trusted contacts to deliver macOS malware disguised as audio fixes. Security experts warn that visual media can no longer be considered reliable proof of identity in high-stakes digital finance, signaling a dangerous new frontier in cyber-enabled financial crime.

Key Points

  • Attackers use AI-generated deepfakes of familiar contacts during Zoom calls to build trust before delivering malware disguised as audio fixes.
  • The malware chain disables shell history, installs persistence mechanisms, and repeatedly prompts for system passwords to gain elevated privileges on macOS devices.
  • Security experts note clear reuse of targeting patterns and install scripts across campaigns, suggesting coordinated operations by state-sponsored actors.

The Anatomy of a Deepfake Crypto Heist

The attack vector, as detailed by BTC Prague co-founder Martin Kuchař, follows a chillingly consistent script. Attackers, operating from a compromised Telegram account, initiate contact and arrange a video call on platforms like Zoom or Microsoft Teams. During the call, they deploy an AI-generated deepfake video to convincingly impersonate someone the victim knows, building immediate trust. The ruse then pivots to a technical fault: the attackers claim an audio problem and instruct the victim to download and install a supposed plugin or fix. This file, however, is malicious macOS malware that, once executed, grants the attackers full system access.

This method is not new but has been refined. Cybersecurity firm Huntress documented an identical technique in July of last year, noting attackers used fake meeting links on spoofed Zoom domains. The malicious payload is typically an AppleScript that initiates a multi-stage infection. According to Huntress, the script first disables shell history, checks for or installs Rosetta 2 on Apple Silicon devices, and then repeatedly prompts the user for their system password to gain elevated privileges. The final stage deploys a suite of payloads including persistent backdoors, keyloggers, clipboard monitors, and specialized cryptocurrency wallet stealers.
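As an added illustration (not code from the article or from Huntress), the detection logic below correlates the three observable stages of the chain described above across constructed process-execution log lines; the `user|command` line format, the `SampleLog` entries and the command substrings matched for each stage are assumptions to be tuned to real telemetry.

```go
package main

import (
	"sort"
	"strings"
)
// Stages of the macOS chain the article describes: shell history disabled,
// Rosetta 2 installed, password prompts. The substrings are assumptions about
// how each stage appears in process-execution telemetry; tune them to your EDR.
var stages = []struct{ name, pattern string }{
	{"history_disabled", "unset HISTFILE"},
	{"rosetta_install", "softwareupdate --install-rosetta"},
	{"password_prompt", "with hidden answer"}, // osascript password dialog
}
// Detect reads "user|command" log lines and returns users for whom every stage
// was seen and at least minPrompts password prompts were raised: one prompt is
// routine, a burst matches the article's "repeatedly prompts" behaviour.
func Detect(lines []string, minPrompts int) []string {
	counts := map[string]map[string]int{} // user -> stage -> occurrences
	for _, line := range lines {
		user, cmd, ok := strings.Cut(line, "|")
		if !ok {
			continue // malformed line, skip
		}
		if counts[user] == nil {
			counts[user] = map[string]int{}
		}
		for _, st := range stages {
			if strings.Contains(cmd, st.pattern) {
				counts[user][st.name]++
			}
		}
	}
	var hits []string
	for user, c := range counts {
		if len(c) == len(stages) && c["password_prompt"] >= minPrompts {
			hits = append(hits, user)
		}
	}
	sort.Strings(hits) // deterministic order for reporting
	return hits
}
// SampleLog is constructed telemetry: one compromised user and one admin who
// legitimately installed Rosetta 2 once and never hit the other stages.
var SampleLog = []string{
	"alice|/bin/zsh -c unset HISTFILE",
	"alice|/usr/sbin/softwareupdate --install-rosetta --agree-to-license",
	`alice|osascript -e 'display dialog "Zoom needs your password" default answer "" with hidden answer'`,
	`alice|osascript -e 'display dialog "Zoom needs your password" default answer "" with hidden answer'`,
	"bob|/usr/sbin/softwareupdate --install-rosetta --agree-to-license",
}
func main() { println(strings.Join(Detect(SampleLog, 2), ",")) } // alice
```

Requiring all three stages keeps a lone Rosetta install or a single password dialog from paging anyone, while the prompt threshold captures the repeated-prompt behaviour that distinguishes this chain.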

The operational goal is direct financial theft. As Kuchař experienced, the malware allows attackers to steal Bitcoin and other digital assets directly from the compromised system. Crucially, it also hijacks communication accounts like Telegram, which are then used as new launchpads to target the victim’s contacts, creating a self-perpetuating chain of compromise. This efficient reuse of compromised infrastructure for further social engineering is a hallmark of the campaign’s sophistication.

State-Sponsored Patterns and Record Losses

Security researchers have attributed these intrusions with high confidence to a North Korean advanced persistent threat tracked as TA444, better known as BlueNoroff, a sub-group operating under the umbrella of the notorious Lazarus Group. This state-sponsored entity has focused on cryptocurrency theft since at least 2017, financing the regime’s activities through digital asset raids. Shān Zhang, Chief Information Security Officer at blockchain security firm SlowMist, told Decrypt that the latest attack on Kuchař is “possibly” connected to these broader Lazarus campaigns.

The technical consistency across incidents points to a coordinated operation. “There is clear reuse across campaigns. We consistently see targeting of specific wallets and the use of very similar install scripts,” David Liberman, co-creator of the decentralized AI compute network Gonka, explained to Decrypt. This campaign arrives amid a staggering surge in crypto-related fraud. Data from blockchain analytics firm Chainalysis reveals that AI-driven impersonation scams have pushed total crypto losses to a record $17 billion in 2025, with deepfake video, voice cloning, and fake identities becoming tools of choice for deceiving victims and accessing funds.

The targeting is deliberate and narrow. North Korea’s Lazarus Group has consistently trained its resources on crypto firms, developers, and high-value individual holders. By combining tailored malware with psychologically potent social engineering—leveraging the inherent trust of a video call—they achieve a high success rate. The narrative constructed by the attackers, Liberman notes, has become “an important signal to track and detect” given how these exploits “rely on familiar social patterns.”

The New Imperative for Digital Verification

The escalation of these attacks forces a fundamental rethink of digital trust and verification in the financial sector. The core vulnerability exploited is the human tendency to accept video and audio as incontrovertible proof of identity. “Images and video ‘can no longer be treated as reliable proof of authenticity,’” Liberman stated, articulating a new security paradigm. His proposed solution is technical and rigorous: digital content “should be cryptographically signed by its creator, and such signatures should require multi-factor authorization.”

This recommendation underscores a critical shift from passive visual verification to active cryptographic authentication. For cryptocurrency professionals and institutions handling significant assets, the incident is a stark warning. Standard security practices are insufficient against adversaries wielding generative AI to mimic colleagues and executives. The financial industry must now integrate protocols that verify not just the content of a communication, but the cryptographic identity of the sender, especially during requests for sensitive actions like software installation or fund transfers.
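The multi-factor signing Liberman proposes, as an added example (not the article's or any vendor's code): content is accepted only when both an assumed creator key and an assumed second-factor key have signed it, using Go's standard Ed25519; `SignedContent`, `NewKey`, `Sign` and `Verify` are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// SignedContent is a media blob plus one detached signature per signing factor.
// The design is assumed, not the article's: the creator's key and a second,
// separately held key (e.g. a hardware token) must both sign the content.
type SignedContent struct {
	Content    []byte
	Signatures [][]byte
}
// NewKey generates one Ed25519 key pair; each factor holds its own.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure: nothing sensible to continue with
	}
	return pub, priv
}
// Sign produces one signature per supplied private key over the content.
func Sign(content []byte, keys ...ed25519.PrivateKey) SignedContent {
	sc := SignedContent{Content: content}
	for _, k := range keys {
		sc.Signatures = append(sc.Signatures, ed25519.Sign(k, content))
	}
	return sc
}
// Verify passes only when every required public key is backed by a valid
// signature; an empty requirement list fails closed. Callers list distinct keys.
func Verify(sc SignedContent, required ...ed25519.PublicKey) bool {
outer:
	for _, pub := range required {
		for _, sig := range sc.Signatures {
			if ed25519.Verify(pub, sc.Content, sig) {
				continue outer // this factor is satisfied
			}
		}
		return false // no valid signature from this key
	}
	return len(required) > 0
}
func main() {
	cPub, cPriv := NewKey()
	tPub, tPriv := NewKey()
	println(Verify(Sign([]byte("clip"), cPriv, tPriv), cPub, tPub)) // true: both factors present
	println(Verify(Sign([]byte("clip"), cPriv), cPub, tPub))        // false: second factor missing
}
```

A stolen creator key alone, or a clip re-encoded after signing, fails `Verify`, which is the property a deepfake defence needs from the receiving side.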

The campaign attributed to BlueNoroff represents more than a sophisticated hack; it is a bellwether for the future of financial cybercrime. As AI tools become more accessible, the barrier to creating convincing deepfakes lowers, making such social engineering attacks scalable. The record $17 billion in crypto losses attributed to these methods in 2025 is likely a precursor, signaling that the fusion of AI-driven impersonation and state-sponsored financial theft will be a defining challenge for digital asset security in the years to come.
