Armed with fake Zoom calls, stolen identities, and malware, North Korea’s Lazarus Group has allegedly expanded its crypto infiltration strategy, and the industry is starting to feel it.
Kenny Li, co-founder of Ethereum layer-2 project Manta Network, said he was “targeted” in an elaborate Zoom phishing attempt by Lazarus Group in a tweet Thursday.
A known contact of Li arranged a Zoom call where familiar faces appeared on camera, only no one spoke. Then a prompt appeared urging Li to download a script to fix his audio.
“I could see their legit faces. Everything looked very real,” he wrote on Thursday. “But I couldn’t hear them… it asked me to download a script file. I immediately left.”
To verify the contact, Li asked to continue the conversation on Google Meet instead. The impersonator refused, and moments later, all messages were erased, and Li was blocked.
“Lazarus social engineering is getting pretty good,” he added in a follow-up tweet, adding that the phishing attempt could have used either deepfakes or “recordings from previous calls where they infected/hacked the other people.”
Li noted that he was “not certain” the phishing attempt was the work of Lazarus Group, but that according to security researchers, it matched the hacking group’s MO. Decrypt has reached out to Li, and will update this story should he respond.
North Korea’s phishing and hacking campaign
The incident is one of several recent attacks attributed to Lazarus, the North Korean state-backed hacking unit responsible for some of the largest crypto heists in history.
The group, already linked to February’s $1.4 billion Bybit hack, is reportedly changing its strategy by blending deepfake video, malware, and social engineering to deceive even experienced crypto executives.
According to new research from Paradigm security researcher Samczsun and Google’s Threat Intelligence Group (GTIG), Lazarus is just one arm of the DPRK’s sprawling cyber apparatus.
The regime now deploys a web of hacker subgroups like AppleJeus, APT38, and TraderTraitor, using tactics that range from fake job offers and Zoom calls to malware-laced npm packages and extortion.
Nick Bax of the Security Alliance (SEAL), a collective of white hat hackers and security researchers, issued a warning in March, “Having audio issues on your Zoom call? That’s not a VC, it’s North Korean hackers.”
He described the playbook in which chat messages cite audio issues, familiar faces appear on video, and the victim is redirected to download malware. “They exploit human psychology,” he wrote. “Once you install the patch, you’re rekt.”
Giulio Xiloyannis, co-founder of the Web3 platform for on-chain games and IPs MON Protocol, shared a similar experience. A hacker impersonating a project lead asked him to switch to a Zoom link mid-call.
“The moment I saw a Gumicryptos partner speaking and a Superstate one, I realized something was off,” he tweeted, sharing screenshots to warn others.
According to a recent GTIG report, North Korean IT workers are now infiltrating teams across the U.S., UK, Germany, and Serbia, masquerading as developers, using fake resumes and forged documents.
“DPRK hackers are an ever-growing threat against our industry,” Samczsun wrote, urging firms to adopt basic defenses, least privilege access, 2FA, device segregation, and to contact groups like SEAL 911 in the event of a breach.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
