
North Korean Hackers Exploit Crypto Firms with AI-Driven Zoom Lures


More than 100 cryptocurrency organizations across more than 20 countries were targeted in a single, large-scale spear‑phishing campaign that combined typosquatted meeting links, fake calendar invites, clipboard‑injection malware and AI‑generated deepfakes, Arctic Wolf Labs reported on April 27.

How the attack unfolded: Calendly, typosquat Zoom links, and rapid compromise

Arctic Wolf Labs first detected intrusion activity at a North American cryptocurrency company on January 23, 2026. The firm’s internal telemetry showed the initial vector was a manipulated Calendly calendar invite containing a typosquatted Zoom meeting link. When the victim clicked it, they were shown a fake Zoom meeting interface that streamed their live camera feed to the attackers while triggering further malicious actions.

The researchers wrote that “A multi‑stage credential extraction pipeline then plundered info from the victim’s device and browsers, focusing on cryptocurrency wallet extensions.” According to Arctic Wolf, the execution chain moved from click to full system compromise in under five minutes, and the threat actor maintained access to the targeted systems for 66 days. Arctic Wolf also noted the initial attack commenced approximately five months after first contact with the primary victim.

Deepfakes, ClickFix‑style clipboard injection and the exfiltration toolset

Arctic Wolf’s analysis identified a suite of techniques used in parallel. The fake meeting interface covertly streamed victim webcams so attackers could merge that footage with AI‑generated images; the researchers described the attacker’s media server as hosting over 950 files and running “a self‑sustaining deepfake pipeline.”

At the same time, the attackers deployed a ClickFix‑style clipboard injection attack designed to replace cryptocurrency addresses copied into a user’s clipboard, an especially dangerous move given the campaign’s focus on wallet extensions. The team also observed a PowerShell‑based command‑and‑control implant, an AES‑encrypted browser injection payload, and a Telegram Bot API screenshot exfiltration mechanism.
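The clipboard substitution described above can be caught on the endpoint by comparing what the user actually copied with what the clipboard is later observed to hold. The following is an added example for this article, not code from Arctic Wolf's report. It assumes a hypothetical endpoint agent that emits two event kinds, `user_copy` (the user pressed copy) and `clipboard_changed` (the clipboard was observed holding new content); a hijacker writes to the clipboard without a user copy, so a same-chain address that differs from the last user-copied one is the signal. The addresses in the sample stream are constructed for illustration and are not indicators from the campaign.

```python
"""Detect clipboard address substitution (added example, not Arctic Wolf's code)."""
import re

# Loose syntax checks for two common address formats. Assumption: only
# Bitcoin- and Ethereum-style wallets are in scope; extend as needed.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text):
    """Return 'btc', 'eth' or None for the given clipboard text."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_clipboard_swaps(events):
    """events: chronological (timestamp, kind, content) tuples from the
    hypothetical agent. An alert is raised when the clipboard is observed
    holding an address of the same chain as, but different from, the
    content of the last user-initiated copy."""
    alerts = []
    last_copied = None
    for ts, kind, content in events:
        if kind == "user_copy":
            last_copied = content
            continue
        if kind != "clipboard_changed" or last_copied is None:
            continue
        observed_chain = address_type(content)
        if observed_chain is None or content == last_copied:
            continue
        if address_type(last_copied) == observed_chain:
            alerts.append({"t": ts, "chain": observed_chain,
                           "expected": last_copied, "observed": content})
    return alerts


# Constructed event stream; addresses are illustrative only.
ETH_A = "0x" + "a1" * 20
ETH_B = "0x" + "b2" * 20
BTC_A = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
BTC_B = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"

SAMPLE_EVENTS = [
    (0.0, "user_copy", ETH_A),
    (0.1, "clipboard_changed", ETH_A),   # normal: matches what the user copied
    (0.6, "clipboard_changed", ETH_B),   # swapped without a user copy -> alert
    (5.0, "user_copy", "meeting notes"),
    (5.1, "clipboard_changed", "meeting notes"),
    (9.0, "user_copy", BTC_A),
    (9.3, "clipboard_changed", BTC_B),   # swapped -> alert
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"t={alert['t']} {alert['chain']} address swapped: "
              f"{alert['expected']} -> {alert['observed']}")
```

The check deliberately ignores non-address clipboard changes and changes that merely echo the user's own copy, so ordinary clipboard managers do not trip it; a real agent would also want to record which process wrote the clipboard.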

Scope, victims, and supporting infrastructure

When Arctic Wolf Labs traced the attacker infrastructure, they identified 100 additional targets whose compromised media was hosted on that infrastructure. Victims were distributed across more than 20 countries and five regions, with the highest concentration in the US (41%), followed by Singapore (11%) and the UK (7%).

Approximately 80% of the targets worked in crypto, blockchain finance or adjacent sectors, and 45% of identified targets held roles as CEOs or founders. Researchers also catalogued over 80 typosquatted Zoom and Microsoft Teams domains registered between late 2025 and March 2026 on the same infrastructure.
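Both the Calendly invite carrying a typosquatted Zoom link and the catalogue of more than 80 lookalike Zoom and Teams domains point at the same control: check the host of every meeting link in an invite against the real vendor domains before anyone clicks. The following is an added example for this article, not Arctic Wolf's tooling; the domains in the sample invite are constructed and are not indicators from the report. It assumes only Zoom and Microsoft Teams links are expected and that public suffixes are single-label (no `co.uk`-style suffixes).

```python
"""Flag lookalike Zoom / Teams meeting links in calendar-invite text.
Added example; assumptions are noted inline."""
import re
from urllib.parse import urlparse

# Assumption: these are the only vendor domains meeting links should use.
LEGIT_DOMAINS = ("zoom.us", "microsoft.com", "teams.live.com")
BRANDS = ("zoom", "teams", "microsoft")

# Folding common homoglyph substitutions lets "zoorn" collide with "zoom"
# and "micros0ft" with "microsoft" before the edit-distance check.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def levenshtein(a, b):
    """Edit distance; inputs are short labels so the plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(label):
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def classify_host(host):
    """'legitimate' (vendor domain or a subdomain of it), 'lookalike' (a
    brand word within one edit, after homoglyph folding, appears in a
    non-vendor host), or 'unknown'."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate"
    for label in host.split(".")[:-1]:          # drop the TLD (single-label assumption)
        for piece in re.split(r"[-_]", fold_homoglyphs(label)):
            if any(levenshtein(piece, b) <= 1 for b in BRANDS):
                return "lookalike"
    return "unknown"


def scan_invite(text):
    """Return [(url, verdict)] for every URL found in the invite text."""
    return [(u, classify_host(urlparse(u).hostname or "")) for u in URL_RE.findall(text)]


# Constructed invite body; hosts chosen to exercise each verdict.
SAMPLE_INVITE = """BEGIN:VEVENT
SUMMARY:Intro call
DESCRIPTION:Join: https://zoorn.us/j/81234567890
 Backup: https://us02web.zoom.us/j/81234567890
LOCATION:https://zoom-us.com/j/81234567890
URL:https://calendly.com/example/intro
END:VEVENT"""

if __name__ == "__main__":
    for url, verdict in scan_invite(SAMPLE_INVITE):
        print(f"{verdict:10} {url}")
```

The distance-1 threshold is deliberately aggressive for a meeting-link filter: a short label like `zoo` will be flagged, which is the right trade-off when the alternative is an executive joining a fake call. Anything classified `unknown` should still be treated as not-a-meeting-link rather than trusted.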

Attribution to BlueNoroff and prior operations tied to Lazarus

Arctic Wolf Labs attributed the campaign “with high confidence” to BlueNoroff, a subgroup of the North Korea‑linked Lazarus Group. The report notes BlueNoroff has been active since at least 2014 and focuses on revenue generation through theft of cryptocurrency and financial assets; it has run a long‑standing operation called SnatchCrypto since at least 2017.

Arctic Wolf reported that parts of the tooling and infrastructure matched a fake‑conference campaign previously attributed to BlueNoroff by Kaspersky and Huntress. A January 2026 Picus Security report was cited describing BlueNoroff as “the financial cybercrime arm of Lazarus,” and that reporting links Lazarus to North Korea’s Reconnaissance General Bureau (RGB). Arctic Wolf also recalled BlueNoroff’s earlier notoriety for the 2016 Bangladesh Bank SWIFT heist, which attempted to steal $951m and successfully transferred $81m.

What this means for security teams, crypto CEOs, and regulators

  • Security teams: Expect multi‑stage social engineering chains that mix calendar invites, typosquatted meeting links, live‑video lures and clipboard‑replacement payloads, and build telemetry that can correlate a calendar-link click with rapid follow‑on activity and C2 signals such as PowerShell implants and Telegram Bot API exfiltration.
  • Crypto CEOs and founders: The attackers deliberately targeted senior executives—45% of observed targets were CEOs or founders—meaning executive communications and meeting practices should be a focal point of defensive controls and user awareness.
  • Regulators and incident responders: The campaign’s cross‑border scope—over 20 countries and a heavy US concentration—plus the use of deepfakes and encrypted browser payloads underscores the need for multi‑jurisdictional information sharing and forensic preservation of media files hosted by attacker infrastructure.

Arctic Wolf’s report describes a campaign that blends old‑fashioned social engineering with modern AI and encrypted tooling: typosquatted meeting invites to open the door, live webcam capture and AI synthesis to make future lures more convincing, and fast‑moving credential and wallet extraction to monetize access. The record includes clear timestamps (first detection January 23, 2026), infrastructure artifacts (domains registered late 2025–March 2026), and a catalog of payloads—details that will shape investigations and defenses as affected firms and authorities follow the trail.

Read the original Infosecurity Magazine report