'The attacker completed in under five minutes': Experts warn of North Korea-linked campaign using fake Zoom meetings to target crypto execs

A highly sophisticated scam will leave you questioning what's real

By Sead Fadilpašić · TechRadar · Published 28 April 2026



  • State-sponsored attackers crafted convincing fake video calls to target cryptocurrency firms
  • A clipboard hijack trick replaced benign commands with malware‑deploying code
  • The operation enabled rapid credential theft, persistence, and full system compromise

Security researchers at Arctic Wolf have revealed details of a highly sophisticated campaign targeting North American Web3 and cryptocurrency companies.

It is conducted by a state-sponsored threat actor called BlueNoroff, a financially motivated subgroup of the dreaded North Korean Lazarus Group, with the goal of establishing persistent access on its targets' devices.

They do so by tricking victims into installing the malware on their own computers, but the way they do it is quite advanced.


ClickFix has entered the chat

While preparing for the attack, the threat actors would use real, high-value people from the Web3 world, generate convincing headshots using ChatGPT, and create semi-animated videos using Adobe Premiere Pro 2021.

They would then create a fake Zoom video call website identical to the actual Zoom call page, and would display the video to make it look even more convincing.

BlueNoroff would then invite the actual victim through Calendly, almost half a year into the future (most likely to make it look more convincing - important people are, after all, super busy).

When the victim clicks on the Zoom link, they see what they’re used to seeing - a video call page with the person on the other side moving and acting as if they were real. However, eight seconds into the call, a message would pop up across the screen, saying their “SDK is deprecated” and presenting them with an “Update Now” button.
