Crypto asset scams level up: North Korea's Lazarus uses AI deepfakes and fake Zoom calls to steal hundreds of millions of dollars.
North Korean crypto hackers are refining a familiar crypto asset scam. According to a report from the security company Kaspersky, a branch of North Korea's most feared criminal organization, the Lazarus Group, known as BlueNoroff APT, is running two new campaigns named GhostCall and GhostHire, which use artificial intelligence and repeated video calls to build credibility.
North Korea's Lazarus Group Transforms from Job Seekers to Hunters
(Source: X)
North Korean crypto hackers have become a global threat, but their infiltration strategies have undergone significant changes. These criminals previously only sought jobs at Web3 companies, attempting to steal assets or implant backdoors by becoming internal employees. However, recently they have started using fake recruitment messages to spread malware, transforming from job seekers into hunters. Now, their plans are expanding again, and their methods are becoming more difficult to identify.
Lazarus Group is a hacker organization supported by the North Korean government, believed to be the most active and successful crypto assets thief in the world. According to estimates from the United Nations and blockchain analytics firm Chainalysis, the organization has stolen over $3 billion in crypto assets since 2017. These funds are used to finance North Korea's nuclear weapons and missile programs, making it a threat to international security.
In the past, Lazarus's methods were relatively crude. They would send out large numbers of phishing emails with infected documents, hoping someone would open them. Alternatively, they would impersonate job seekers on professional networking platforms such as LinkedIn, trying to gain access to the internal operations of crypto asset companies. These methods worked at times, but the success rate was not high, since many companies had already put matching defenses in place.
However, BlueNoroff APT, the branch of the Lazarus Group that specializes in financial institutions and crypto asset companies, is showing greater professionalism and adaptability. Kaspersky researchers found that the two campaigns, GhostCall and GhostHire, share the same management infrastructure, indicating a single, well-coordinated, multi-pronged operation.
GhostCall and GhostHire: A Two-Pronged Crypto Asset Scam
GhostCall and GhostHire represent a new stage in crypto asset scams. They target different audiences but rely on similar social engineering techniques.
GhostCall: A Fake-Investor Scam Targeting Web3 Executives
In GhostCall, the North Korean cryptocurrency hackers target Web3 executives by posing as potential investors. They research the target's background, company, and recent activities, then send highly personalized investment proposals or collaboration invitations. These messages often claim to represent well-known venture capital funds or family offices and express interest in investing millions of dollars.
Once the target responds, the hackers will arrange a video conference, usually claiming to use Zoom or Microsoft Teams. However, they will send a link to an “updated version” or “secure version” of the meeting software, claiming it is to protect business secrets or comply with regulatory requirements. This software is actually a clone version, embedded with malicious code.
GhostHire: Recruitment Traps for Blockchain Engineers
GhostHire, on the other hand, lures blockchain engineers with enticing job offers. The hackers impersonate recruiters from well-known crypto asset companies or startups, offering salaries and equity incentives far above market rates. To “test” a candidate's skills, they require a programming challenge or technical task to be completed.
This task usually involves downloading a GitHub repository or a dedicated development environment. These files contain malware that infects the system once executed. Kaspersky notes that the hackers have begun to focus on the operating systems preferred by crypto asset developers, particularly macOS and Linux, and are developing malware variants specifically for them.
Both types of crypto asset scam share a weakness: the victim must actually interact with suspicious software. This has eroded the success rate of earlier scams, as more security-conscious professionals refuse to download unknown software. However, the North Korean hackers have found a way to extract value from these failed attempts, and that is the key to the current escalation of the threat.
AI Deepfake Technology Turns Failure into a New Weapon
The tighter coordination between GhostCall and GhostHire lets the hackers refine their social engineering, which is the most dangerous evolution of current crypto asset scams. Besides AI-generated content, they can also use hijacked accounts of real entrepreneurs or clips from real video calls to make their scams more convincing.
The specific method works as follows: when a crypto asset executive cuts off contact with a suspicious recruiter or investor, the hackers do not simply give up. Instead, they record the entire interaction, including any images from video calls, audio clips, and background surroundings. Even if this scam fails, those materials become weapons against the next victim.
Using artificial intelligence, hackers can synthesize new “conversations” that astonishingly mimic human tone, gestures, and surroundings.
Deepfake Video Synthesis: Hackers can use AI tools to turn a 30-second real video obtained from a failed scam into a 5-minute “investment presentation” or “technical interview”, in which the victim's facial expressions and lip movements are perfectly synchronized with the fabricated voice.
Voice Cloning: With just a few seconds of voice samples, modern AI tools can generate voice clones that are almost indistinguishable from the real thing. Hackers can make the “victim” “recommend” an investment opportunity or recruitment process in a new scam.
Identity Overlap: What complicates matters further is that hackers combine materials from multiple failed scams to build a complete fake ecosystem. For example, they might have “Investor A” mention “Founder B” in a video, where both are victims of earlier scams.
The danger is obvious. The founder of a crypto asset project may evade an attack thanks to high vigilance, only to find weeks later that their likeness is being used to deceive other founders or investors. Worse, this deepfake content may spread on social media or professional networks, damaging the victim's reputation.
Actual Attack Chains and Defense Recommendations
Regardless of who the target is, these crypto asset scam attack chains follow a similar pattern:
Stage One: Research and Contact
Hackers research targets on LinkedIn, Twitter, and crypto asset forums, collecting personal and professional information, then send highly personalized initial messages.
Stage Two: Build Trust
A trust relationship is established through multiple exchanges and video calls (possibly using deepfake technology) so that the target lowers their guard.
Stage Three: Induced Download
The target is asked to download specific software or documents under a plausible pretext (testing, compliance, confidentiality).
Stage Four: System Compromise
Once the malicious software is executed, the hackers gain access to the system and steal private keys and seed phrases, or transfer assets directly.
Stage Five: Material Collection
Even if the attack fails, the hackers collect all video, audio, and information from the interaction for use in future attacks.
Key Defensive Measures
Strict Identity Verification: Confirm the other party's identity through multiple independent channels, and do not rely solely on a single contact method.
Reject Non-Standard Software: Insist on officially downloaded tools such as Zoom and Teams, and refuse any “special versions”.
Isolated Testing Environment: If code or documents must be tested, use virtual machines or sandbox environments, and never execute on the main system.
Beware of High-Pressure Tactics: Any situation that creates a sense of urgency, demands quick decisions, or claims “this is the only opportunity” should be viewed with high suspicion.
Hardware Wallets and Multi-Signature: Ensure that private keys are stored in hardware wallets, and use multi-signature protection for important assets.
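The GhostHire lure is a “coding challenge” repository that must be run, and the defensive advice above is to inspect such material in an isolated environment. The following is an added example (not code from the article or from Kaspersky's report) of a read-only triage pass over a checked-out repository: it flags files whose contents execute automatically on `npm install` or when the folder is opened in VS Code, so a reviewer can read them before anything runs. The choice of hooks to flag (npm lifecycle scripts, VS Code `folderOpen` tasks) is an assumption about common auto-run points, not a claim about how this campaign's malware is triggered; the sample repository is constructed inline.

```python
# Added example: pre-execution triage of a take-home-test repository.
# Nothing in the repository is executed; files are only parsed and reported.
import json
import os
import tempfile

# Assumed auto-run points: npm hooks that run on `npm install` without a user command.
NPM_AUTORUN_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

def load_json(path):
    """Parse a JSON file; a malformed file yields {} so triage continues."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, json.JSONDecodeError):
        return {}

def scan_package_json(path):
    """Return (hook, command) pairs for npm scripts that run during install."""
    scripts = load_json(path).get("scripts", {})
    return [(k, v) for k, v in scripts.items() if k in NPM_AUTORUN_HOOKS]

def scan_vscode_tasks(path):
    """Return labels of VS Code tasks configured to run when the folder is opened."""
    tasks = load_json(path).get("tasks", [])
    return [t.get("label", "<unnamed>") for t in tasks
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def triage_repo(root):
    """Walk a checked-out repository and list every auto-run hook found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name == "package.json":
                findings += [f"{rel}: npm '{h}' hook runs on install: {c}"
                             for h, c in scan_package_json(full)]
            elif name == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                findings += [f"{rel}: VS Code task '{l}' runs on folder open"
                             for l in scan_vscode_tasks(full)]
    return findings

def build_sample_repo():
    """Constructed sample repo: an ordinary test script plus one hidden hook of each kind."""
    root = tempfile.mkdtemp(prefix="challenge-")
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "take-home-test", "scripts": {
            "test": "jest", "postinstall": "node ./scripts/setup.js"}}, fh)
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        json.dump({"version": "2.0.0", "tasks": [{"label": "bootstrap", "type": "shell",
            "command": "./bootstrap.sh", "runOptions": {"runOn": "folderOpen"}}]}, fh)
    return root

if __name__ == "__main__":
    for line in triage_repo(build_sample_repo()):
        print("REVIEW BEFORE RUNNING:", line)
```

A clean result does not prove a repository is safe; it only means the reviewer has no auto-run hooks left to read before opening the code inside the sandbox.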
Even when these crypto asset scams fail, the potential damage remains enormous. Anyone approached under unusual or high-pressure circumstances should stay vigilant and never download unfamiliar software or agree to inappropriate requests. The continuing evolution of North Korea's Lazarus Group shows that crypto asset security is no longer merely a technical issue, but a long-term struggle against nation-state attackers.