North Korea-linked group BlueNoroff conducted a sophisticated cyber attack against a Web3 industry employee using AI-generated deepfakes of company executives in fake Zoom meetings to deliver malware that included keyloggers and cryptocurrency wallet stealers.
A North Korea-linked cybercriminal group called BlueNoroff, part of the Lazarus Group, conducted a sophisticated cyber attack targeting a Web3 industry employee. The attack began with a Telegram message requesting a meeting and a legitimate-looking Calendly invite that redirected to a malicious Zoom lookalike site. Weeks later, the employee joined a fake Zoom meeting populated by AI-generated deepfakes of their own company executives. When the victim reported audio issues, the attackers shared a malicious 'Zoom extension' via Telegram that was actually an AppleScript triggering a stealth malware chain. The script downloaded additional payloads from fake Zoom domains, including a backdoor disguised as a support tool. Security researchers found eight unique malware components on the infected Mac, including a keylogger that captured clipboard and screen data, and CryptoBot, which hunted for and exfiltrated cryptocurrency wallet data. All traffic was routed through command-and-control infrastructure mimicking Zoom domains. BlueNoroff is known for financially motivated attacks and has been responsible for previous major breaches, including the Axie Infinity hack in 2022 and the Bybit breach in 2025.
Domain classification, causal taxonomy, severity scores, and national security assessments were LLM-classified and may contain errors.
Using AI systems to gain a personal advantage over others such as through cheating, fraud, scams, blackmail or targeted manipulation of beliefs or behavior. Examples include AI-facilitated plagiarism for research or education, impersonating a trusted or fake individual for illegitimate financial benefit, or creating humiliating or sexual imagery.
Human: Due to a decision or action made by humans
Intentional: Due to an expected outcome from pursuing a goal
Post-deployment: Occurring after the AI model has been trained and deployed