"The victim becomes a future 'meeting participant' in attacks targeting other people in their own professional network." Arctic Wolf used that sentence to describe a deceptive cycle of fraud that, according to its Monday report, is being run by North Korean-linked hackers who harvest video and audio from fake meetings to make later scams more convincing.
How the fake meeting scam is built and executed
Arctic Wolf lays out a multi-stage social‑engineering ploy that begins with a seemingly ordinary Calendly invite for a "catch-up" meeting — often set months in the future and ostensibly from a well-known figure in the cryptocurrency field. If a target accepts, the attackers later swap the original Google Meet link for a typosquatted Zoom or Teams URL that mirrors legitimate links "including meeting ID and password parameter," the researchers said.
When a victim clicks the link, they are taken to a self-contained JavaScript page that faithfully replicates the Zoom or Teams interface. After clicking "Join," the fake app requests camera and microphone access. The room appears populated with other participants — video tiles, motion, and an "active speaker" indicator cycling every three to five seconds — but Arctic Wolf warns that "none of this is live."
Those on-screen participants are replayed media: "pre‑staged media assets, loaded by the HTML page at runtime: either stolen footage of real people, artificial intelligence‑generated still images or deepfake composite video," Arctic Wolf said. Attackers then trigger a follow-up ruse about audio not working to prompt a ClickFix‑style flow in which an "SDK Update" script is pushed and a second‑stage malware downloader is executed.
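The swap described above (an accepted Google Meet invite later replaced by a lookalike Zoom or Teams URL that keeps the meeting ID and password parameter) can be checked mechanically before anyone clicks. The following is an added example written for this article, not code from Arctic Wolf: it compares the updated link against the originally accepted one and an assumed allowlist of conferencing hosts. All URLs in it are constructed samples, not observed indicators.

```python
"""Flag meeting links whose host or provider no longer matches the accepted invite."""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of hosts that legitimately serve join links.
ALLOWED_SUFFIXES = {
    "zoom": ("zoom.us",),
    "teams": ("teams.microsoft.com", "teams.live.com"),
    "meet": ("meet.google.com",),
}
BRAND_WORDS = ("zoom", "teams", "microsoft", "meet")


def provider_of(host: str) -> Optional[str]:
    """Map a hostname to its approved provider, or None if it is not approved."""
    host = host.lower().rstrip(".")
    for name, suffixes in ALLOWED_SUFFIXES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return name
    return None


def check_meeting_link(original: str, updated: str) -> List[str]:
    """Return reasons the updated link deserves scrutiny; an empty list means clean."""
    reasons = []
    o, u = urlsplit(original), urlsplit(updated)
    host = (u.hostname or "").lower()
    prov = provider_of(host)
    if u.scheme != "https":
        reasons.append("link is not https")
    if prov is None:
        kind = "lookalike" if any(w in host for w in BRAND_WORDS) else "unknown"
        reasons.append(f"{kind} host {host!r} is not an approved conferencing domain")
        # The report's pattern: the URL shape (/j/<id>?pwd=...) is copied from a
        # real Zoom link and only the domain differs.
        if re.fullmatch(r"/j/\d{9,11}", u.path) and "pwd" in parse_qs(u.query):
            reasons.append("Zoom-style meeting ID and pwd parameter on unapproved host")
    if provider_of((o.hostname or "").lower()) != prov:
        reasons.append("conferencing provider differs from the originally accepted invite")
    return reasons


# Constructed samples: the accepted invite, a benign Zoom link, and a lookalike.
ORIGINAL = "https://meet.google.com/abc-defg-hij"
LEGIT = "https://us05web.zoom.us/j/81234567890?pwd=Qm9ndXNQYXNz"
SWAPPED = "https://us05web.zoom-meetings.example/j/81234567890?pwd=Qm9ndXNQYXNz"

if __name__ == "__main__":
    for link in (ORIGINAL, LEGIT, SWAPPED):
        print(link, "->", check_meeting_link(ORIGINAL, link) or ["ok"])
```

A legitimate Zoom link still triggers the provider-changed finding when the accepted invite was Google Meet; that is deliberate, since the provider swap itself is the tell the report highlights.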
Attribution to BlueNoroff and links to DPRK intelligence
Arctic Wolf attributes the campaign with "high confidence" to BlueNoroff, a financially motivated subgroup of the broader Lazarus team. The report ties BlueNoroff to names used elsewhere in the security community — APT38, Stardust Chollima and Nickel Gladstone — and links the activity to the Democratic People's Republic of Korea's military intelligence, naming the Reconnaissance General Bureau.
The report connects the campaign to a larger pattern: BlueNoroff has been active since at least 2014 and was previously implicated in the attempted SWIFT heist targeting Bangladesh Bank in 2016, an operation that sought nearly $1 billion and succeeded in stealing $81 million.
Scale: targets, domains and a seized infrastructure snapshot
Arctic Wolf says it probed a targeted attack against an unnamed Web3 or cryptocurrency figure in North America that led to a network intrusion on Jan. 23. By gaining access to the attackers' infrastructure, researchers discovered 100 additional targets of the group: 41 in the United States, 11 in Singapore and 7 in the United Kingdom. Of those 100 targets, the firm reported that 80% operate in the cryptocurrency space and 45% are CEOs or founders.
Researchers also identified more than 80 typosquatted domains designed to look like real Zoom or Teams links; those domains were "registered from late in 2025 through last month," Arctic Wolf said.
Malware variants and previous teardowns
BlueNoroff's toolkit is not limited to deception. Huntress, in a June 2025 teardown of an earlier version of this campaign that targeted macOS users, reported that up to eight different malicious binaries could be installed on a victim's system. Those included keyloggers, backdoors and crypto stealers — a collection of tools that can both monitor victims and siphon funds.
What this means for technologists, policymakers, and crypto firms
- Technologists and security teams: expect sophisticated social engineering combined with polished UI replicas and pre‑staged media. Arctic Wolf's description points to attacks that do not rely solely on code exploits but on convincing audiovisual deception plus staged prompts to install an "SDK Update" that fetches next‑stage malware.
- Policymakers and regulators: the report underscores a financially motivated state‑linked campaign whose activity Arctic Wolf ties to BlueNoroff and whose broader context includes mass cryptocurrency thefts. Chainalysis reported that "North Korea stole $2 billion in cryptocurrency last year, a 51% increase from 2024, bringing its total crypto haul to $6.75 billion," framing the operations as a strategic funding stream.
- Crypto firms and decentralized projects: the campaign sits beside other high‑value assaults on off‑chain infrastructure. Chainalysis and LayerZero describe a recent heist involving 116,500 Liquid Restaking tokens worth about $290 million from KelpDAO's LayerZero bridge; Chainalysis called that theft "not a smart contract hack, but a sophisticated attack on off‑chain infrastructure," while LayerZero linked it to a Lazarus subgroup tracked as TraderTraitor and blamed KelpDAO's use of a sole decentralized verifier network.
Arctic Wolf's central warning is simple and stark: every successful victim provides fresh, authentic material that makes the next fake meeting more believable. The campaign combines careful reconnaissance, polished UI mimicry, media theft or deepfakes, and multi‑stage malware delivery — and the evidence the researchers recovered shows the operators are continuously refining the technique. For defenders, that means the line between a benign video call and an attack is no longer obvious; for investigators, the trails point to an organized, well‑resourced group whose financial appetite remains large.
Read the original Arctic Wolf report at: https://www.govinfosecurity.com/crypto-targeting-north-koreans-wield-fake-zoom-meetings-a-31516