Description: An alleged phishing scheme involving actors linked to North Korea reportedly used purportedly AI-generated deepfake videos of company executives to deceive a Web3 employee during a fake Zoom call. The target was reportedly tricked into installing macOS malware disguised as a "Zoom extension," which in turn deployed spyware, a keylogger, and a cryptocurrency wallet stealer. The attackers reportedly used Telegram and spoofed Zoom domains to orchestrate the breach.
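The spoofed Zoom domains mentioned above are the one part of the chain a defender can check mechanically before anyone joins a call. The following is an added example, not code from the page or from any of the reporting it summarizes: a small triage function that classifies a meeting link as coming from a genuine Zoom registered domain, a lookalike (embedded "zoom" in a foreign domain, userinfo tricks, raw IP hosts, or internationalized hostnames), or something unrelated. It assumes `zoom.us` and `zoom.com` as Zoom's registered meeting-link domains (keep that allow-list under your own control) and uses a deliberately naive last-two-labels approximation of the registered domain, which is adequate for those two but should be replaced by a Public Suffix List lookup in production. All sample links are constructed for illustration.

```python
"""Triage meeting links for spoofed or lookalike Zoom domains.

Added example; assumptions are marked inline. Not the page's own code.
"""
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumption: Zoom's registered domains for meeting links. Maintain this
# list yourself; do not derive it from the link being checked.
ZOOM_DOMAINS = {"zoom.us", "zoom.com"}


def registered_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.

    Good enough for zoom.us / zoom.com; a real deployment should use the
    Public Suffix List so that e.g. co.uk is handled correctly.
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_meeting_link(url: str) -> str:
    """Return 'legit', 'suspicious', or 'unrelated' for a meeting URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host:
        return "unrelated"

    # "https://zoom.us@evil.example/" puts the trusted name in the userinfo
    # part; browsers connect to evil.example. Any userinfo is a red flag.
    if parsed.username or parsed.password:
        return "suspicious"

    # A bare IP address is never a legitimate Zoom meeting host.
    try:
        ip_address(host)
        return "suspicious"
    except ValueError:
        pass

    # Normalize Unicode hostnames to punycode so homoglyph domains
    # (e.g. a Cyrillic 'o' in "zoom") show up as xn-- labels.
    try:
        host = host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return "suspicious"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious"

    if registered_domain(host) in ZOOM_DOMAINS:
        # Genuine domain, but a plaintext link is still worth a second look.
        return "legit" if parsed.scheme == "https" else "suspicious"

    # "zoom" appearing anywhere in a host that is not a Zoom registered
    # domain (zoom.us.update.example, zoom-extension.example) is the
    # classic spoof pattern.
    if "zoom" in host:
        return "suspicious"
    return "unrelated"


def triage(links):
    """Classify a batch of links; returns {url: verdict}."""
    return {u: classify_meeting_link(u) for u in links}


if __name__ == "__main__":
    # Constructed sample links, not taken from any incident report.
    samples = [
        "https://us02web.zoom.us/j/1234567890",
        "https://zoom.us.meeting-update.example/j/1234567890",
        "https://zoom.us@meeting-update.example/j/1234567890",
        "https://203.0.113.10/zoom-extension.pkg",
        "https://docs.example.com/notes",
    ]
    for url, verdict in triage(samples).items():
        print(f"{verdict:10s} {url}")
```

Run it as a pre-call hook in whatever system receives meeting invites (ticketing, chat bots, mail filters); a "suspicious" verdict should block the link and route the invite to a human who verifies the meeting out of band, which is the control that would have mattered in the incident described here.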
Editor Notes: See also Incident 644: Alleged State-Sponsored Hackers Escalate Purported Phishing Attacks Using Artificial Intelligence.
Entities
Alleged: Unknown voice cloning technology developer and Unknown deepfake technology developer developed an AI system deployed by North Korea, Lazarus Group and BlueNoroff, which harmed Zoom, Web3, Unnamed Web3 employee, macOS users and Cryptocurrency infrastructure.
Alleged implicated AI systems: Zoom, Unknown voice cloning technology, Unknown deepfake technology, Telegram, macOS and Cryptocurrency wallets
Incident Stats
Incident ID: 1117
Report Count: 1
Incident Date: 2025-06-22
Editors: Daniel Atherton
Incident Reports
Reports Timeline
A new cyber attack campaign by North Korea-linked group BlueNoroff has come to light, targeting a Web3 industry employee through deepfake Zoom calls and macOS malware. Security researchers say the incident reflects growing sophistication in…
Variants
A "variant" is an AI incident similar to a known case: it has the same causes, harms, and AI system. Instead of listing it separately, we group it under the first reported incident. Unlike other incidents, variants do not need to have been reported outside the AIID.