North Korea's BlueNoroff state-sponsored hacking group is targeting cryptocurrency executives in an audacious, financially motivated campaign that uses fake Zoom meetings populated with AI-generated avatars and stolen video footage of real people to trick victims into installing malware on their systems.
What makes the campaign particularly insidious, according to a new report from Arctic Wolf, is how the threat actor steals webcam footage from each victim and then uses those videos to populate even more convincing fake Zoom meetings to target new victims.
Insidious Campaign
Arctic Wolf found stolen images and videos of at least 100 individuals — nearly half of them CEOs or co-founders of their organizations — that the threat actor appears to have used as bait in the campaign.
Eight out of 10 of the identified victims operated in the cryptocurrency/blockchain or associated finance sectors. "This concentration underscores BlueNoroff's singular operational focus: individuals with access to cryptocurrency assets, wallet infrastructure, exchange platforms, or investment decision-making authority," Arctic Wolf Labs said in a report this week.
One incident that Arctic Wolf investigated involved a senior executive at a US-based Web3 cryptocurrency company. The attack chain began with a BlueNoroff actor posing as the head of legal at an international consulting and law firm in the fintech and crypto sector and sending a Calendly invite to the target. The purported "catch-up" meeting was booked late last summer for a date five months out (January 2026). When the victim confirmed the meeting, a Google Meet calendar invite was generated; the threat actor then covertly modified that invite, replacing the Google Meet link with a typo-squatted Zoom URL.
"From the target's perspective, the attack begins as a legitimate business interaction, often through a compromised Telegram account, Calendly invite, or calendar workflow impersonating a trusted contact such as a legal executive, VC partner, or industry peer," says Ismael Valenzuela, VP of labs, threat research and intelligence at Arctic Wolf. "The pretext is a routine meeting."
When the victim in Arctic Wolf's investigation clicked the link this past January, they were directed to an HTML page that convincingly mimicked a Zoom conference lobby, complete with fabricated participant avatars and pre-recorded clips mimicking a live meeting. When the victim granted microphone and camera access to join the fake meeting, the threat actor covertly began siphoning the webcam feed in real time, for use in future attacks.
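One concrete check against the invite-tampering step described above, added here as an example (it is not Arctic Wolf's tooling or anything from the report): unfold the .ics body of a calendar invite, pull every URL out of it, and flag any link whose host is not a known conferencing domain, with a separate "lookalike" verdict for hosts that sit within a small edit distance of a trusted host or that reuse a brand label such as "zoom". The trusted-host list, the sample invite and the hostnames in it are constructed for illustration.

```python
"""Audit the meeting links in a calendar invite (.ics) for typo-squatted hosts.

Added example; the trusted-host list and sample invite below are assumptions
constructed for this demonstration, not data from the report.
"""
import re
from urllib.parse import urlparse

# Conferencing hosts this tenant actually uses (assumption: extend for yours).
TRUSTED_HOSTS = {"zoom.us", "meet.google.com", "teams.microsoft.com", "calendly.com"}
# Brand labels an impostor host is likely to borrow.
BRAND_LABELS = {"zoom", "meet", "teams", "calendly"}

# A URL ends at whitespace, angle brackets, quotes, or an .ics escape backslash.
URL_RE = re.compile(r"https?://[^\s<>\"'\\]+")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values between hosts signal a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a meeting-link host."""
    host = host.lower().rstrip(".")
    # Exact trusted host or a subdomain of one (e.g. us06web.zoom.us).
    for t in TRUSTED_HOSTS:
        if host == t or host.endswith("." + t):
            return "trusted"
    # Crude registrable-domain guess: last two labels.
    reg = ".".join(host.split(".")[-2:])
    for t in TRUSTED_HOSTS:
        t_reg = ".".join(t.split(".")[-2:])
        if levenshtein(host, t) <= 2 or levenshtein(reg, t_reg) <= 2:
            return "lookalike"
    # Brand label reused in an untrusted host (zoom-meeting-join.com).
    if BRAND_LABELS & set(re.split(r"[.-]", host)):
        return "lookalike"
    return "unknown"


def unfold_ics(text: str) -> list[str]:
    """Undo RFC 5545 line folding: a line starting with space/tab continues the previous one."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def audit_invite(ics_text: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every distinct URL in the invite, in order of appearance."""
    seen: set[str] = set()
    results: list[tuple[str, str]] = []
    for line in unfold_ics(ics_text):
        for url in URL_RE.findall(line):
            if url in seen:
                continue
            seen.add(url)
            results.append((url, classify_host(urlparse(url).hostname or "")))
    return results


# Constructed sample: a Google Meet invite whose location has been swapped for a
# look-alike Zoom host. The original Meet link survives, folded, in the description.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Catch-up
LOCATION:https://zoorn.us/j/81234567890?pwd=abc
DESCRIPTION:Join here: https://zoorn.us/j/81234567890?pwd=abc\\nOriginal:
 https://meet.google.com/abc-defg-hij
END:VEVENT
END:VCALENDAR
"""

if __name__ == "__main__":
    for url, verdict in audit_invite(SAMPLE_ICS):
        print(f"{verdict:9} {url}")
```

Run it on a real invite by feeding the .ics attachment body to `audit_invite`; anything that comes back "lookalike" or "unknown" in LOCATION is worth a phone call to the organizer before the meeting, and a mail-flow rule can apply the same verdict at the gateway. The registrable-domain guess is deliberately simple; use a public-suffix list in production.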