# North Korean hackers use AI deepfake videos to infiltrate the crypto industry: Clipboard content becomes a new target for espionage
The cryptocurrency industry is facing a new wave of threats from the north. Through AI-generated video calls, hackers impersonating familiar contacts are launching increasingly sophisticated social engineering attacks against crypto professionals. These attackers not only forge visual identities but also deploy advanced malware on victims’ devices which, once opened, automatically reads clipboard contents to steal wallet keys and confidential data.

## AI Video Calls: A New Form of Phishing for Identity Impersonation

According to security research firm Huntress, these attacks are typically initiated through compromised Telegram accounts. Attackers use AI technology to generate realistic video, impersonating colleagues or trusted industry figures. During the video call, they use various pretexts (such as a Zoom audio issue that needs fixing) to trick users into installing seemingly harmless “plugins.” In reality, this software is a carefully disguised malicious program.

## Multi-layer Infection: From Backdoors to Clipboard Leaks

Once users are tricked into installing these malicious programs, attackers can carry out a multi-stage intrusion on the target macOS device. First, they deploy backdoor programs to ensure long-term remote access. Then, malicious scripts begin to monitor keystrokes, recording every key pressed—whether it’s exchange passwords or private keys, nothing escapes tracking.

More dangerous still, these programs can monitor and intercept clipboard contents in real time. When users copy sensitive information, attackers capture it automatically. This means any paste operation—such as transfer addresses, key fragments, or transaction instructions—could be intercepted. Attackers not only steal static data but can also obtain the latest sensitive information at critical moments of user operation, gaining direct access to assets in crypto wallets.
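A defender-side check, added here as an example and not part of the article or of Huntress’s research: a small clipboard-hygiene classifier that flags the kind of content a clipboard-reading implant targets (raw private keys, seed phrases, transfer addresses), so a wallet tool or endpoint script can warn the user or clear the pasteboard. The regex thresholds and the loose BIP39 word heuristic are assumptions, and `check_live_clipboard` only works where macOS’s `pbpaste` exists.

```python
"""Clipboard hygiene check: classify text that is about to sit on the clipboard."""
import re
import shutil
import subprocess
from typing import Optional

# 32-byte hex private key (optionally 0x-prefixed) as used by EVM and many wallets
HEX_PRIVKEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# Bitcoin mainnet WIF key: Base58, leading 5 (uncompressed) or K/L (compressed)
WIF_KEY = re.compile(r"^[5KL][1-9A-HJ-NP-Za-km-z]{50,51}$")
# EVM-style address: public, but still something attackers intercept at paste time
EVM_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")
# Loose BIP39 heuristic (assumption): 3-8 lowercase letters per word, no wordlist check
SEED_WORD = re.compile(r"^[a-z]{3,8}$")
SEED_LENGTHS = (12, 15, 18, 21, 24)

RISK = {"private-key": "critical", "seed-phrase": "critical", "address": "low"}


def classify_clipboard_text(text: str) -> str:
    """Return 'private-key', 'seed-phrase', 'address' or 'other' for a clipboard payload."""
    t = text.strip()
    if HEX_PRIVKEY.match(t) or WIF_KEY.match(t):
        return "private-key"
    words = t.split()
    if len(words) in SEED_LENGTHS and all(SEED_WORD.match(w) for w in words):
        # May false-positive on ordinary 12- or 24-word sentences; acceptable for a warning.
        return "seed-phrase"
    if EVM_ADDRESS.match(t):
        return "address"
    return "other"


def risk_of(text: str) -> str:
    """Map clipboard content to a risk level a wallet UI or endpoint agent can act on."""
    return RISK.get(classify_clipboard_text(text), "none")


def check_live_clipboard() -> Optional[str]:
    """On macOS, read the pasteboard with pbpaste and classify it; None on other systems."""
    if shutil.which("pbpaste") is None:
        return None
    out = subprocess.run(["pbpaste"], capture_output=True, text=True, check=False).stdout
    return classify_clipboard_text(out)


if __name__ == "__main__":
    label = check_live_clipboard()
    print("clipboard unavailable" if label is None else f"clipboard holds: {label}")
```

A wallet or endpoint agent that sees a `critical` result can clear the pasteboard after a short timeout, which narrows the window in which a polling clipboard stealer can grab the value.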
## Lazarus Group’s State-Level Operations

Security firm SlowMist’s cybersecurity lead confirms that these carefully orchestrated attacks originate from Lazarus Group (also known as BlueNoroff), a North Korea-backed advanced hacking organization. This group has previously conducted large-scale attacks targeting crypto developers and exchanges. The current activity exhibits clear reuse of techniques—similar methods are used across multiple targets, especially focusing on specific wallets and key figures in the crypto industry.

Huntress’s analysis indicates that these attack operations are highly similar in technical characteristics to the group’s past activities, suggesting an organized, ongoing campaign rather than isolated incidents.

## The Dilemma of Identity Verification and Defense Strategies

As AI face-swapping and voice cloning technologies become more advanced, verifying identity through visual and audio cues is becoming increasingly unreliable. Users can no longer rely solely on what they see and hear to confirm someone’s identity.

To counter these threats, crypto industry professionals need to adopt multi-layered defense strategies. First, strengthen multi-factor authentication—do not rely on a single method. Second, remain cautious of video calls from strangers, especially requests involving software installation. Third, regularly update systems and applications, and disable unnecessary permissions. Most importantly, recognize that even video calls appearing to come from familiar contacts could be carefully forged; any request involving system-level permissions or sensitive operations should be verified through an independent channel.