Mandiant, Google Cloud’s security team, warns that North Korean hackers are upgrading social engineering with AI-generated deepfakes used in video meetings targeting the crypto and DeFi ecosystems. Chainalysis reported that DPRK-linked actors stole about $2.02 billion in cryptocurrency in 2025, lifting the total to roughly $6.75 billion. The report notes a strategic shift from mass phishing to highly tailored attacks that exploit trusted digital interactions such as calendar invites and video conferences.

The operation reportedly began with a compromised Telegram account posing as a known cryptocurrency executive. After a Calendly scheduling link is shared, prospective victims are invited to a fake Zoom call hosted on the attackers’ infrastructure. During the call, a deepfake video of a familiar CEO appears, and targets are instructed to run “troubleshooting” commands, triggering a ClickFix malware infection. Investigators found seven distinct malware families on the victim’s system designed to harvest credentials, browser data, and session tokens.

Fraser Edwards, co-founder of cheqd, says the approach leverages trust in routine meetings and impersonation at escalation points. AI is now used to draft messages and mirror colleagues’ communication style, reducing scrutiny before action. Experts warn the risk will rise as AI agents gain the capability to act on behalf of users, underscoring the need for systems that signal authenticity by default.
