- North Korea‘s Lazarus Group is escalating its crypto phishing tactics using fake Zoom calls, deepfakes, and Malware.
- Kenny Li, co-founder of Manta Network, recently experienced an elaborate Zoom phishing attempt attributed to the Lazarus Group.
- Security experts warn that North Korean Hackers have expanded their operations with multiple subgroups, targeting crypto executives worldwide.
Kenny Li, co-founder of Ethereum layer-2 project Manta Network, reported being targeted in a sophisticated Zoom phishing attempt allegedly orchestrated by North Korea‘s Lazarus Group. In a Twitter post on Thursday, Li described how attackers arranged a call where familiar faces appeared on camera but didn’t speak, followed by prompts to download malicious software to supposedly fix audio issues.
"I could see their legit faces. Everything looked very real," Li wrote, explaining that when he couldn’t hear anyone speaking, the fake Zoom interface prompted him to "download a script file" which he refused to do. When Li suggested switching to Google Meet to verify authenticity, the impersonator refused, deleted all messages, and blocked him.
While Li noted he wasn’t "certain" the attempt was specifically from Lazarus, security researchers confirmed the tactics matched the group’s known methods. Li suggested the attackers likely used either deepfakes or "recordings from previous calls where they infected/hacked the other people" to create the convincing video presence.
Evolving Tactics in North Korean Cyber Operations
This incident represents just one example of Lazarus Group’s expanding arsenal of crypto-focused attacks. Already implicated in February’s $1.4 billion Bybit hack, the North Korean state-backed unit has evolved its approach by combining deepfake technology, malware distribution, and sophisticated social engineering.
Research from Paradigm security researcher Samczsun and Google’s Threat Intelligence Group (GTIG) reveals that Lazarus is merely one component of North Korea’s comprehensive cyber operations. The regime now deploys multiple specialized Hacking subgroups including AppleJeus, APT38, and TraderTraitor.
Industry-Wide Warning Signs
Nick Bax of the Security Alliance (SEAL) issued a warning in March about this specific attack vector: "Having audio issues on your Zoom call? That’s not a VC, it’s North Korean hackers." He described the identical playbook where victims see familiar faces, experience audio problems, and are directed to download malicious "fixes."
Similarly, Giulio Xiloyannis, co-founder of MON Protocol, shared his own encounter with the scheme. During what appeared to be a legitimate call, impersonators asked him to switch to a suspicious Zoom link. He became suspicious when he noticed faces from unrelated companies appearing on the call.
According to GTIG’s recent report, North Korean IT operatives are now infiltrating tech teams across the US, UK, Germany, and Serbia, using falsified credentials to gain insider access to cryptocurrency organizations. Security experts recommend basic defenses like two-factor authentication, device segregation, and contacting specialized security groups like SEAL 911 if a breach is suspected.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- HashKey Capital Launches Asia’s First XRP Tracker Fund with Ripple
- Altcoins Set for Q2 2025 Resurgence as Regulations Improve: Sygnum
- Cardano’s PoS Revolution: Greener Blockchain Without Compromising Security
- Zoom phishing attack targets Manta Network co-founder with fake videos
- Cardano Nears 2,000 Projects with Over 108 Million On-Chain Transactions
