Fake CEOs on Zoom: How North Korea's Deepfake Campaigns Are Draining Crypto Wallets
A Polygon co-founder discovers strangers asking if he is really on a Zoom call with them. A BTC Prague organizer watches a convincing AI-generated replica of a well-known crypto CEO appear on screen, only to be asked to run a "quick audio fix." An AI startup founder avoids infection by insisting on Google Meet — and the attackers vanish. These are not scenes from a cyberpunk thriller. They happened in early 2026, and they share a common thread: North Korea's rapidly evolving deepfake social engineering machine.
From Protocol Exploits to Human Exploits
For years, the crypto industry's worst nightmares came in the form of smart contract bugs and bridge vulnerabilities. North Korea's Lazarus Group — and its sub-clusters like UNC1069 — obliged, pulling off headline-grabbing heists such as the $620 million Ronin Network exploit in 2022 and the $1.5 billion Bybit exchange breach in February 2025. But while the industry has been pouring resources into code audits, formal verification, and bug bounties, Pyongyang has quietly pivoted.
The shift became unmistakable in late 2025. According to Chainalysis, North Korean-linked actors stole $2.02 billion in digital assets across 2025 — a 51% year-over-year increase from the $1.34 billion taken in 2024. DPRK operations now account for roughly 76% of all crypto service compromises globally, pushing the cumulative lower-bound estimate for North Korean crypto theft past $6.75 billion.
But the real story is not just the dollar figure — it is the method. Social engineering, powered by AI-generated deepfakes, has become the primary attack vector, outpacing smart contract exploits for the first time.
Inside the Deepfake Zoom Playbook
Google Cloud's Mandiant division published a detailed report in February 2026 attributing a wave of deepfake video-call attacks to UNC1069, a financially motivated threat group with high-confidence links to North Korea. Tracked since 2018, UNC1069 pivoted from spear-phishing and traditional finance targeting to the Web3 industry starting in 2023.
The attack playbook follows a disturbingly effective pattern:
- Step 1 — Compromise a trusted identity. Attackers gain access to a cryptocurrency executive's Telegram account or LinkedIn profile. In one documented case, they hijacked the account of a known crypto CEO and used it to contact secondary targets.
- Step 2 — Schedule a meeting. The victim receives what appears to be a legitimate meeting invitation, often through Calendly, for a 30-minute video call. The link, however, redirects to a convincing Zoom look-alike domain.
- Step 3 — Deploy the deepfake. When the victim joins, they see an AI-generated video feed of a familiar industry figure — a VC partner, a fellow founder, or a portfolio company CEO. The deepfake is convincing enough to survive a brief visual check.
- Step 4 — Trigger the ClickFix infection. Feigning audio problems, the attacker asks the victim to run a "quick fix" — typically a terminal command on macOS or a PowerShell script on Windows. This is the ClickFix technique: a social engineering method that tricks victims into infecting their own machines, bypassing traditional security controls entirely.
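The look-alike meeting link in Step 2 is the one part of this playbook a machine can check before anyone joins the call. The Python below is an added example, not code from the article or from Mandiant: it classifies a meeting URL as trusted, look-alike or unknown by inspecting only the host, and catches subdomain tricks (zoom.us.meeting-invite.example), userinfo tricks (zoom.us@attacker.example), hyphen spoofs (zoom-us.com) and confusable-letter spoofs (zoorn.us). The allowlist and the confusable table are assumptions, and every sample URL in the comments is constructed.

```python
from urllib.parse import urlsplit

# Assumed allowlist (not from the article); extend it from the vendors' published domains.
TRUSTED_MEETING_HOSTS = {"zoom.us": "Zoom", "meet.google.com": "Google Meet"}
# Letter sequences attackers swap in to build look-alike names ("zoorn.us").
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def trusted_parent(host):
    """Return the allowlisted host that `host` equals or is a subdomain of."""
    for good in TRUSTED_MEETING_HOSTS:
        if host == good or host.endswith("." + good):
            return good
    return None

def embeds_trusted_name(host):
    """True if an allowlisted name appears as a non-suffix label sequence
    (zoom.us.meeting-invite.example) or as one fused label (zoomus.example)."""
    padded = "." + host + "."
    labels = host.split(".")
    for good in TRUSTED_MEETING_HOSTS:
        if "." + good + "." in padded or good.replace(".", "") in labels:
            return True
    return False

def check_meeting_link(url):
    """Classify a meeting URL as ('trusted', vendor), ('lookalike', reason) or
    ('unknown', host). Only the host is inspected; the path never matters."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ("unknown", "not a web link")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("unknown", "no host")
    # https://zoom.us@attacker.example/ shows a trusted name before '@' while the
    # browser actually connects to the host after it.
    if parts.username is not None:
        return ("lookalike", "trusted name in userinfo, real host " + host)
    good = trusted_parent(host)
    if good:
        return ("trusted", TRUSTED_MEETING_HOSTS[good])
    if embeds_trusted_name(host):
        return ("lookalike", "embeds an allowlisted name: " + host)
    # Fold hyphens to dots and undo confusable swaps, then retest:
    # zoom-us.com -> zoom.us.com, zoorn.us -> zoom.us
    folded = host.replace("-", ".")
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    if trusted_parent(folded) or embeds_trusted_name(folded):
        return ("lookalike", "resembles an allowlisted name: " + host)
    return ("unknown", host)
```

A "lookalike" verdict is a reason to stop and verify out of band, not proof of an attack; an "unknown" verdict only means the host is not on the allowlist.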
The ClickFix Weapon: Seven Malware Families and Counting
ClickFix has become one of the most effective malware delivery techniques in 2026 precisely because it exploits trust rather than technology. The victim willingly executes the malicious command, believing they are resolving a mundane technical glitch.
Mandiant's investigation revealed that UNC1069 deploys at least seven unique malware families through this vector, including previously undocumented tools:
- SILENCELIFT — a host reconnaissance tool that captures system data and cryptocurrency wallet configurations
- DEEPBREATH — a persistence module designed to survive reboots and maintain backdoor access
- CHROMEPUSH — a browser-targeting payload that extracts saved credentials and crypto extension data from over 25 browsers
- BIGMACHO — a macOS-specific backdoor deployed via deepfake video lures
These tools target 103 Chrome crypto extensions, including MetaMask, Exodus, and Trust Wallet. The campaign's macOS focus is deliberate — cryptocurrency founders and developers disproportionately use Apple hardware, and nearly every macOS stealer in circulation prioritizes crypto wallet theft above all other objectives.
Real Founders, Real Close Calls
The human stories behind these attacks illustrate both the sophistication and the vulnerability.
Sandeep Nailwal, Polygon co-founder, raised the alarm publicly when multiple contacts messaged him on Telegram asking whether he was currently on a Zoom call with them. Attackers had used a deepfake of Nailwal to conduct simultaneous fake meetings with several targets, leveraging his reputation as a well-known industry figure.
Martin Kuchař, BTC Prague co-founder, was targeted through a compromised Telegram account and a staged video call designed to push malware disguised as a Zoom audio fix. The sophistication of the setup — from the legitimate-looking calendar invitation to the real-time deepfake video — underscored how far these campaigns have evolved beyond basic phishing emails.
Eugene Vyborov, Ability AI CEO, provided a textbook example of how to survive an attempt. When the attackers redirected him to a fake Zoom "help" page with terminal commands to execute, he stopped engaging and insisted on switching to Google Meet. The attackers refused, citing "company policy," then promptly deleted the entire Telegram conversation — a telltale sign of the operation's scripted nature.
AI as Both Sword and Shield
What makes this new generation of attacks particularly alarming is the attackers' own use of AI tools. According to Google's threat intelligence research, UNC1069 has been observed using Google's Gemini AI to develop tooling, conduct operational research on potential victims, and generate the deepfake images and video used in their campaigns.
This creates an asymmetric arms race. The cost of producing a convincing deepfake has plummeted, while the cost of verifying identity in real-time remains high. A Bitget research report found that AI-driven impersonation scams contributed to a $4.6 billion surge in crypto fraud in 2025, and the trajectory for 2026 shows no signs of slowing.
The implications extend beyond individual targets. When attackers can convincingly impersonate VCs, founders, and executives, the trust fabric that underpins dealmaking, governance votes, and partnership negotiations begins to fray. A single successful deepfake call can compromise not just one wallet but an entire organization's treasury access.
Defending Against the Deepfake Threat
The crypto industry's response is still maturing, but several defensive patterns are emerging:
Verify through a second channel. The single most effective defense demonstrated in 2026 incidents is out-of-band verification. Before executing any action requested during a video call, confirm the participant's identity through a separate communication channel — a phone call, a Signal message, or even a pre-shared code word.
Refuse platform-specific demands. Eugene Vyborov's insistence on Google Meet was effective precisely because the attackers' infrastructure was purpose-built for fake Zoom. Any insistence on a specific platform, especially combined with excuses about "company policy," should be treated as a red flag.
Never execute terminal commands from a call. No legitimate business meeting requires participants to run shell commands or install software. This applies regardless of who appears on screen. Organizations should establish explicit policies: video call participants never request command execution.
Adopt hardware-based transaction signing. Hardware wallets that require physical confirmation for transactions remain immune to deepfake-driven software compromises. Multi-signature setups add additional layers that social engineering alone cannot bypass.
Implement Know Your Agent (KYA) verification. As AI agents increasingly participate in crypto operations, verifying the identity and authorization of both human and automated participants becomes critical. Emerging KYA standards aim to provide cryptographic proof of participant identity before high-value actions.
What Comes Next
North Korea's crypto theft operation is not a fringe criminal enterprise — it is a state-sponsored program that generates billions in revenue annually, funding weapons programs and circumventing international sanctions. The pivot from protocol exploits to deepfake social engineering represents a strategic calculation: as smart contract security improves, humans remain the softest target.
The 2026 deepfake campaigns reveal a threat actor that adapts faster than many defenders. UNC1069's tooling is actively developed with AI assistance, its malware arsenal keeps expanding, and its social engineering scripts are refined with each failed attempt. The ClickFix variants — FileFix, JackFix, ConsentFix, CrashFix, GlitchFix — proliferating across the ecosystem suggest that the technique's effectiveness has attracted imitators beyond North Korean state actors.
For the crypto industry, the lesson is clear: the next billion-dollar hack may not exploit a line of Solidity. It may start with a friendly face on Zoom asking you to fix your audio.