AI-generated video calls are being used by hackers to impersonate trusted contacts and deceive crypto workers into installing malware.
Security researchers note that live video calls, including AI-generated deepfakes, have become a primary tactic of North Korea-linked hackers, who use them to trick crypto developers and workers into installing malicious software on their own devices.
In the latest instance disclosed by BTC Prague co-founder Martin Kuchar, a compromised Telegram account and a staged video call were used by attackers to push malware. This malicious code, he said, was disguised as a Zoom audio fix.
Martin Kuchar, co-founder of BTC Prague, disclosed on Thursday via X that a “high-level hacking campaign” appears to be targeting Bitcoin and crypto users.
Attackers contact victims to arrange a Zoom or Teams call, Kuchar explained. During the meeting, an AI-generated video impersonates someone the victim knows.
The attackers then claim an audio problem and ask the victim to install a specific plugin or file to fix it. Once installed, it gives the hackers full system access, enabling them to steal Bitcoin, hijack Telegram accounts, and use those profiles to target new victims.
Crypto-related losses reached a record $17 billion in 2025 as AI-driven impersonation scams intensified, according to data from Chainalysis. The blockchain analytics firm reported that attackers increasingly use deepfake video, voice cloning, and synthetic identities to deceive victims and gain unauthorized access to funds.
Related Attacks
The attack sequence Kuchar described closely matches a methodology first identified by the cybersecurity firm Huntress. In a July 2025 report, the firm revealed that targeted crypto workers are lured into staged Zoom calls after initial contact on Telegram, often via a fraudulent meeting link hosted on a spoofed Zoom domain.
During the call, the attackers typically claim an audio problem and instruct the victim to install what appears to be a legitimate Zoom-related fix. Huntress identified this file as a malicious AppleScript that starts a multi-stage macOS infection designed to exfiltrate sensitive data and establish a persistent backdoor.
Once executed, the script disables shell history and checks for or installs Rosetta 2 on Apple Silicon devices. It also repeatedly prompts the user for their system password, Huntress reported, so that the attackers obtain elevated privileges.
Huntress found that this malware chain installs multiple payloads, including persistent backdoors, keylogging and clipboard tools, and crypto wallet stealers. Kuchar pointed to a similar sequence on Monday when he disclosed that his Telegram account had been compromised and then used to target others in the same way.
North Korea–Linked Group Identified as Primary Suspect
Security researchers at Huntress attributed the intrusion with high confidence to TA444, a North Korea-linked advanced persistent threat. Also known as BlueNoroff and operating under the Lazarus Group umbrella, this state-sponsored group has been a primary driver of cryptocurrency theft since at least 2017.
Asked about the campaign’s strategic objectives and potential links between incidents, Shān Zhang, Chief Information Security Officer at Slowmist, said that the recent attack on Kuchar is “possibly” connected to wider Lazarus Group operations.
“No single indicator is decisive on its own; it’s the combination that matters,” Zhang stated. He noted that deepfake-enabled lures typically rely on new or disposable meeting accounts and look-alike Zoom or Teams links, and that the call itself becomes highly scripted very quickly. Attackers, he said, “create urgency and push the target” to install the so-called “Zoom/Teams fix” early in the conversation.
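The Huntress chain described above (a look-alike meeting link, an AppleScript "fix" run from Downloads, shell history disabled, a Rosetta 2 install, repeated password prompts) and Zhang's point that only the combination of indicators is decisive can both be turned into a simple host-level detection. The following is an added example written for this article, not code from Huntress, Slowmist or the article's author: it scores constructed process-execution events per host and alerts only when several independent indicators co-occur. The event format, the command-line patterns, the threshold of three indicators and the sample events are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hosts that legitimately serve meeting links. A hostname that merely contains
# "zoom" or "teams" but is not one of these (or a subdomain of one) is treated
# as a look-alike, matching the "spoofed Zoom domain" lure described in the text.
LEGIT_MEETING_HOSTS = {"zoom.us", "teams.microsoft.com"}


def is_lookalike_meeting_url(url):
    """True if the URL's host imitates a meeting service without being one."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return False
    legit = any(host == h or host.endswith("." + h) for h in LEGIT_MEETING_HOSTS)
    return (not legit) and ("zoom" in host or "teams" in host)


# Single-event indicators, each weak on its own (assumed patterns for illustration).
SINGLE_INDICATORS = {
    # osascript launched against a script sitting in the user's Downloads folder
    "applescript_from_downloads": re.compile(r"\bosascript\b.*?/Downloads/"),
    # common ways a shell script turns off command history for the session
    "shell_history_disabled": re.compile(
        r"unset\s+HISTFILE|set\s+\+o\s+history|HISTFILE=/dev/null|HISTSIZE=0"),
    # Rosetta 2 installation, as a script would trigger it on Apple Silicon
    "rosetta_install": re.compile(r"softwareupdate\s+--install-rosetta"),
}
# A hidden-answer dialog is how AppleScript asks for a password; one may be
# legitimate, so this only counts when repeated (see score_host_events).
PASSWORD_DIALOG = re.compile(r"display dialog.*with hidden answer")
URL = re.compile(r"https?://\S+")


def score_host_events(events, min_indicators=3):
    """Return {host: sorted indicator names} for hosts reaching the threshold.

    events: iterable of (host, command_line) tuples from an endpoint agent.
    """
    per_host = defaultdict(set)
    pw_prompts = defaultdict(int)
    for host, cmd in events:
        for name, rx in SINGLE_INDICATORS.items():
            if rx.search(cmd):
                per_host[host].add(name)
        if PASSWORD_DIALOG.search(cmd):
            pw_prompts[host] += 1
        for url in URL.findall(cmd):
            if is_lookalike_meeting_url(url):
                per_host[host].add("lookalike_meeting_link")
    # Repeated password prompts become an indicator only in aggregate.
    for host, count in pw_prompts.items():
        if count >= 2:
            per_host[host].add("repeated_password_prompts")
    return {h: sorted(inds) for h, inds in per_host.items()
            if len(inds) >= min_indicators}


# Constructed sample events (not real telemetry from the incident). "victim-mac"
# follows the described chain; "dev-mac" only installs Rosetta and opens a real
# Zoom link, which must not alert on its own.
PW_DIALOG = ("osascript -e 'display dialog \"Zoom needs your password\" "
             "default answer \"\" with hidden answer'")
SAMPLE_EVENTS = [
    ("victim-mac", "open https://zoom-call-join.example/j/555123"),
    ("victim-mac", "osascript /Users/dev/Downloads/zoom_audio_fix.scpt"),
    ("victim-mac", "/bin/sh -c 'unset HISTFILE; set +o history'"),
    ("victim-mac", "/usr/sbin/softwareupdate --install-rosetta --agree-to-license"),
    ("victim-mac", PW_DIALOG),
    ("victim-mac", PW_DIALOG),
    ("victim-mac", PW_DIALOG),
    ("dev-mac", "open https://us02web.zoom.us/j/987654321"),
    ("dev-mac", "/usr/sbin/softwareupdate --install-rosetta --agree-to-license"),
]

if __name__ == "__main__":
    for host, indicators in score_host_events(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(indicators)}")
```

Run on the sample, only `victim-mac` alerts, with all five indicators; `dev-mac` stays quiet because a lone Rosetta install is ordinary. The threshold is the design point: each pattern is noisy by itself, so the detector never fires on one of them, only on the chain.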
“There is clear reuse across campaigns. We consistently see targeting of specific wallets and the use of very similar install scripts,” said David Liberman, co-creator of decentralized AI compute network Gonka.
Visual media and recordings “can no longer be treated as reliable proof of authenticity,” Liberman said, adding that digital content “should be cryptographically signed by its creator, and such signatures should require multi-factor authorization.”
Narratives, in contexts such as this, have become “an important signal to track and detect,” given how these attacks “rely on familiar social patterns,” he said.
Campaigns against crypto firms, workers, and developers are frequently tied to North Korea’s Lazarus Group, which steals digital assets and access credentials using tailored malware and highly sophisticated social engineering.