A coordinated phishing and malware campaign has resurfaced across the crypto industry, with attackers using deepfake video calls and compromised Telegram accounts to trick professionals into installing malicious software on their own devices.

The campaign was publicly disclosed by BTC Prague co-founder Martin Kuchař, who said his Telegram account was compromised and later reused to target others in the same manner.

“A high-level hacking campaign is currently targeting Bitcoin and crypto users. I have been personally affected via a compromised Telegram account,” Kuchař wrote on X.

Security researchers and industry experts have linked the operation to North Korea-aligned threat actors, a group that has targeted crypto developers, exchange staff, and executives for several years.

How the attack unfolds during live video calls

According to Kuchař, the attack begins with a message from a known contact whose Telegram account has already been taken over. The attacker then proposes a Zoom or Microsoft Teams call.

Once the call starts, the attacker appears on video using an AI-generated deepfake that resembles the original account owner. The attacker stays muted and claims audio issues, then instructs the victim to install a plugin or file that supposedly resolves the problem.

In reality, the file delivers malware that grants full system access. Victims lose control of their devices, Bitcoin holdings, and Telegram accounts. Attackers then reuse the newly compromised accounts to contact the next targets.

“This silence acts as the hook,” Kuchař warned, urging users not to join unverified Zoom or Teams calls.

Malware enables full device takeover and wallet theft

Security researchers at cybersecurity firm Huntress have observed nearly identical techniques in past campaigns. In reports published last year, Huntress documented staged Zoom calls that delivered malicious AppleScript payloads disguised as audio fixes.

Once executed, the malware disables shell history, checks for or installs Rosetta 2 on Apple Silicon devices, and repeatedly prompts users for system passwords to gain elevated privileges. The infection chain installs multiple payloads, including persistent backdoors, keyloggers, clipboard monitors, and crypto wallet stealers.
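The behaviours listed above (shell-history suppression, a Rosetta 2 install on Apple Silicon, and repeated password prompts) are individually ordinary on a developer's Mac but unusual in combination. The following is an added example, not code from the article or from Huntress, showing how a defender might scan process-execution telemetry for that combination. The event feed is constructed for the example; the file names and dialog text in it are invented, while the commands themselves (`unset HISTFILE`, `softwareupdate --install-rosetta`, and an AppleScript `display dialog ... with hidden answer`) are standard macOS and AppleScript usage.

```python
import re
from collections import Counter

# Constructed sample telemetry: (pid, command line) in the shape an EDR or
# process-exec log feed might present. Paths and dialog text are invented;
# nothing here is a real indicator from the campaign.
SAMPLE_EVENTS = [
    (101, "/usr/bin/osascript /tmp/zoom_audio_fix.scpt"),  # hypothetical lure file
    (102, "/bin/zsh -c 'unset HISTFILE; export HISTFILE=/dev/null'"),
    (103, "/usr/sbin/softwareupdate --install-rosetta --agree-to-license"),
    (104, "osascript -e 'display dialog \"Zoom needs your password\" default answer \"\" with hidden answer'"),
    (105, "osascript -e 'display dialog \"Zoom needs your password\" default answer \"\" with hidden answer'"),
    (106, "osascript -e 'display dialog \"Zoom needs your password\" default answer \"\" with hidden answer'"),
    (107, "/usr/bin/git status"),
    (108, "/usr/sbin/softwareupdate --list"),
]

# One rule per behaviour the article describes. Each is a plain substring/regex
# match on the command line; real deployments would also use process lineage.
RULES = {
    "history_suppression": re.compile(r"unset\s+HISTFILE|HISTFILE=/dev/null|set\s+\+o\s+history"),
    "rosetta_install": re.compile(r"softwareupdate\s+--install-rosetta"),
    "hidden_answer_dialog": re.compile(r"display dialog .*with hidden answer"),
}

# A single hidden-answer dialog is common in legitimate installers; the article
# describes *repeated* prompting, so several are required before it counts.
PASSWORD_PROMPT_THRESHOLD = 3


def scan_events(events):
    """Match each event against RULES.

    Returns (hits, counts, suspicious):
      hits       - {pid: [rule names]} for events that matched at least one rule
      counts     - {rule name: number of matching events}
      suspicious - True when two or more distinct behaviours appear, or when the
                   password-prompt count reaches PASSWORD_PROMPT_THRESHOLD.
    A lone Rosetta install or a lone history tweak is deliberately not enough.
    """
    hits = {}
    counts = Counter()
    for pid, cmd in events:
        matched = [name for name, rx in RULES.items() if rx.search(cmd)]
        if matched:
            hits[pid] = matched
            counts.update(matched)
    suspicious = (
        len(counts) >= 2
        or counts["hidden_answer_dialog"] >= PASSWORD_PROMPT_THRESHOLD
    )
    return hits, dict(counts), suspicious


if __name__ == "__main__":
    hits, counts, suspicious = scan_events(SAMPLE_EVENTS)
    for pid, names in hits.items():
        print(f"pid {pid}: {', '.join(names)}")
    print("behaviour counts:", counts)
    print("infection chain suspicious:", suspicious)
```

Run against the constructed feed, the scan flags pids 102 to 106 and reports the chain as suspicious; a feed containing only a Rosetta install is reported as benign, which is the intended caveat, since many Apple Silicon users install Rosetta legitimately.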

Kuchař said the same sequence followed his own account compromise, after which attackers contacted people from his Telegram address book.

“As soon as access is gained, attackers are able to view all Telegram contacts and reuse the compromised account to reach out to the next victim,” he wrote.

North Korea-linked actors tied to repeated crypto theft campaigns

Huntress has attributed similar intrusions with high confidence to a North Korea-linked advanced persistent threat tracked as TA444, also known as BlueNoroff, which operates under the broader Lazarus Group umbrella.

North Korea-linked hackers have stolen more than $300 million through related techniques, according to warnings from MetaMask security researcher Taylor Monahan last month. Monahan said attackers often study prior chat histories to build trust before launching the attack.

The most common targets include crypto developers, exchange employees, and senior executives. In one documented case from September last year, a targeted attack against a THORchain executive resulted in losses of approximately $1.3 million after a MetaMask wallet drain occurred without system prompts or administrator approval.

Experts warn images and video no longer prove authenticity

Industry security leaders say the use of deepfake video removes one of the last trust anchors in remote communication.

“No single indicator is decisive on its own; it’s the combination that matters,” said Shān Zhang, chief information security officer at blockchain security firm Slowmist.

Zhang said deepfake-enabled lures often rely on disposable meeting accounts, look-alike Zoom or Teams links, and scripted conversations that push victims to install software early in the call.
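Look-alike meeting links are the one part of that lure a recipient can check mechanically before joining. The function below is an added example, not code from the article, SlowMist or Zhang, that classifies a meeting URL against an assumed allowlist of meeting-service hosts and rejects the usual disguises: a `user@host` prefix that makes the real host look like a path, a legitimate name used as a prefix of an attacker-controlled domain, and non-ASCII or punycode hostnames. The allowlist and all sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed allowlist of meeting services. An organisation would extend this with
# its own vanity hosts; subdomains of each entry are accepted.
ALLOWED_MEETING_HOSTS = ("zoom.us", "teams.microsoft.com", "meet.google.com")


def classify_meeting_link(url):
    """Return 'ok: <service>' for a link whose host is an allowed meeting
    service, or 'reject: <reason>' otherwise. Checks run from cheapest to most
    specific so the reason reported is the first disguise encountered."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "reject: not https"
    # "https://zoom.us@evil.example/..." parses with hostname evil.example; the
    # zoom.us part is userinfo, so refuse any link that carries it.
    if "@" in parts.netloc:
        return "reject: userinfo before host"
    host = parts.hostname or ""  # lowercased, port and brackets stripped
    if not host:
        return "reject: no host"
    # Homoglyph domains (Cyrillic letters, IDNA labels) never match the allowlist,
    # but reporting them separately tells the reader what they were looking at.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "reject: non-ASCII or punycode host"
    # Suffix match must include the dot: "zoom.us.meeting-host.example" must not pass.
    for allowed in ALLOWED_MEETING_HOSTS:
        if host == allowed or host.endswith("." + allowed):
            return "ok: " + allowed
    return "reject: host is not an allowed meeting service"


if __name__ == "__main__":
    # Constructed sample links, one per disguise.
    for link in (
        "https://us02web.zoom.us/j/1234567890",
        "https://zoom.us.meeting-host.example/j/1234567890",
        "https://zoom.us@evil.example/j/1234567890",
        "https://evil.example/zoom.us/j/1234567890",
        "http://zoom.us/j/1234567890",
    ):
        print(f"{link} -> {classify_meeting_link(link)}")
```

The check is a pre-join filter, not proof of identity: a genuine Zoom or Teams link can still be sent from a compromised account, which is why the guidance later on the page is to confirm the call over a second channel regardless of how the link looks.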

“There is clear reuse across campaigns. We consistently see targeting of specific wallets and the use of very similar install scripts,” David Liberman, co-creator of decentralized AI compute network Gonka, said in a statement.

Liberman warned that visual media can no longer function as proof of identity.

“Images and videos can no longer be treated as reliable proof of authenticity,” he said, adding that digital content should require cryptographic signatures and multi-factor authorization.

Immediate security guidance for crypto workers

Kuchař urged crypto professionals to treat all Telegram messages as untrusted, even those from known contacts.

“Inform your colleagues and network immediately. Do not join any unverified Zoom/Teams calls,” he wrote.

He advised the use of secure alternatives such as Signal or Jitsi for private calls, while recommending Google Meet for browser-based meetings due to stronger sandboxing controls.

The attacks reflect a broader shift in cybercrime tactics, where social engineering and artificial intelligence converge. For crypto professionals, the campaign serves as another reminder that familiarity and visual confirmation no longer guarantee safety.
