BlueNoroff Targets 100+ Crypto Firms with ClickFix and Deepfake Zoom Lures
North Korean threat group BlueNoroff has compromised over 100 cryptocurrency organizations across 20+ countries using typosquatted Zoom domains, AI-generated deepfakes, and ClickFix clipboard injection attacks.

A sophisticated spear-phishing campaign attributed to BlueNoroff, a subgroup of the North Korean Lazarus Group, has compromised over 100 cryptocurrency organizations across more than 20 countries, according to a detailed report from Arctic Wolf Labs published on April 27. The operation, which began with an intrusion at a North American crypto firm on January 23, 2026, employed a multi-stage attack chain that combined typosquatted Zoom and Microsoft Teams domains, fake Calendly invites, and ClickFix-style clipboard injection to deploy a credential extraction pipeline.
The attack chain was initiated when victims received a manipulated Calendly calendar invite containing a typosquatted Zoom meeting link. Upon clicking the link, victims were presented with a fake Zoom meeting interface that covertly exfiltrated their live camera feed while simultaneously executing a ClickFix clipboard injection attack. This technique, which tricks users into pasting and running malicious PowerShell commands, allowed the attackers to deploy a multi-stage credential extraction pipeline that plundered browser data and cryptocurrency wallet extensions.
Arctic Wolf researchers noted that the execution chain progressed from the initial click to full system compromise in under five minutes. The threat actor maintained persistent access to compromised systems for an average of 66 days, exfiltrating sensitive data via a PowerShell-based command-and-control (C2) implant, an AES-encrypted browser injection payload, and a Telegram Bot API screenshot exfiltration mechanism.
The campaign's infrastructure revealed a self-sustaining deepfake pipeline. The attackers' media server hosted over 950 files, including exfiltrated victim webcam footage that was merged with AI-generated images to create fake meeting content. This deepfake material was then used to impersonate previous victims in subsequent attacks, creating a self-reinforcing social engineering loop. Arctic Wolf identified over 80 typosquatted Zoom and Microsoft Teams domains registered between late 2025 and March 2026 on the same infrastructure.
The geographic distribution of victims spans over 20 countries and five regions, with the heaviest concentration in the United States (41%), followed by Singapore (11%) and the United Kingdom (7%). A large proportion of targets (80%) worked in crypto, blockchain finance, or adjacent sectors, with 45% being CEOs or founders. The researchers identified 100 additional targets whose compromised media was hosted on attacker infrastructure, suggesting the campaign is ongoing.
BlueNoroff, also known as APT38, Sapphire Sleet, TA444, Stardust Chollima, CageyChameleon, and Nickel Gladstone, has been active since at least 2014 and is described as the financial cybercrime arm of the Lazarus Group. The group first gained notoriety through the 2016 Bangladesh Bank SWIFT heist, in which it attempted to steal $951 million, successfully transferring $81 million. Since then, BlueNoroff has pivoted toward targeting the cryptocurrency and web3 ecosystem through its long-running SnatchCrypto operation.
Some tools and infrastructure used in this campaign are consistent with a known fake conference campaign publicly attributed to BlueNoroff by Kaspersky and Huntress. The Arctic Wolf report provides a comprehensive analysis of the full attack lifecycle, offering critical indicators of compromise for defenders. Organizations in the cryptocurrency and blockchain sectors should implement strict verification procedures for meeting invitations, deploy clipboard monitoring solutions, and educate employees about the risks of ClickFix-style attacks and deepfake-based social engineering.
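One concrete form the "strict verification procedures for meeting invitations" can take is an automated check that flags invite links whose host merely resembles a Zoom, Teams, or Calendly domain. The following is an added illustration, not code from the Arctic Wolf report or from any vendor; the allowlist is an assumption a team would adapt to its own tooling, and every lookalike domain in it is constructed for illustration rather than taken from the campaign's indicators.

```python
"""Triage meeting-invite links: allowlisted vendor host, lookalike of a
vendor brand, unrelated host, or unparseable.  Sample hosts below are
constructed for illustration and are not indicators from the report."""
from urllib.parse import urlparse

# Assumed allowlist of registrable domains that legitimately serve invites.
LEGIT_DOMAINS = ("zoom.us", "zoom.com", "microsoft.com", "calendly.com")
# Brand words an attacker embeds or misspells in a typosquatted host.
BRAND_TOKENS = ("zoom", "teams", "calendly")
MAX_EDITS = 2  # edit distance at or below this counts as a misspelling


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_invite_link(url: str) -> str:
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    # Exact domain or a subdomain of it (us02web.zoom.us, teams.microsoft.com).
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "allowlisted"
    # Punycode label: an internationalised host can render as a vendor name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    labels = host.split(".")
    second_level = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in BRAND_TOKENS:
        # Brand embedded in a foreign host (e.g. zoom-meeting-join.example)
        # or a near-miss spelling of the brand as the registrable label.
        if brand in host or levenshtein(second_level, brand) <= MAX_EDITS:
            return "lookalike"
    return "unrelated"


def triage(urls: list[str]) -> dict[str, str]:
    """Map each invite link to its verdict so lookalikes can be escalated."""
    return {u: classify_invite_link(u) for u in urls}


if __name__ == "__main__":
    sample = [  # constructed examples, not real indicators
        "https://us02web.zoom.us/j/123456789",
        "https://zoom-meeting-join.example/j/123456789",
        "https://zoon.example/j/1",
    ]
    for link, verdict in triage(sample).items():
        print(f"{verdict:12} {link}")
```

Allowlisted hosts still deserve the usual checks (expected sender, known meeting ID); the classifier only removes the lookalike class from the user's judgement.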