According to Arctic Wolf, a team of hackers associated with the North Korean-linked Lazarus Group conducted a large-scale cyber theft campaign targeting over 100 cryptocurrency organisations across more than 20 countries. The spear-phishing campaign used multiple social engineering techniques, including typosquatted Zoom and Microsoft Teams meeting links, fake Calendly invites and ClickFix-style clipboard injection attacks.
Victims were lured via a fake Zoom meeting interface that covertly exfiltrated live camera feeds to fuel future attacks, while a multi-stage credential-extraction pipeline plundered information from devices and browsers, focusing on cryptocurrency wallet extensions. Arctic Wolf’s analysis attributes the operation, with high confidence, to BlueNoroff, a Lazarus subgroup known under several aliases.
The campaign spanned more than 20 countries, with the United States accounting for 41% of victims, followed by Singapore and the UK. Attackers maintained access for 66 days. The group’s infrastructure also supported a self-sustaining deepfake pipeline, combining exfiltrated webcam footage with AI-generated images to create fake meeting content.