Hackers Use ClickFix Scam to Target Crypto Executive via Fake Zoom Meetings

Google-owned Mandiant Cybersecurity Consulting has published a detailed report about the new ClickFix scam.

Highlights
  • Hackers use AI-generated fake videos to dupe victims
  • ClickFix victims are initially contacted through Telegram
  • Bad actors ran cryptocurrency theft campaigns

A North Korea-based hacker group is specifically targeting executives of cryptocurrency and decentralised finance companies to run crypto theft campaigns, according to a Google-owned cybersecurity consulting firm. The hackers use compromised Telegram accounts to infect targeted systems and fake Zoom meeting links to dupe victims. After gaining access to their victims' credentials and accounts, the hackers change passwords to block user access. When a user joins the fake Zoom meeting, they are shown AI-generated videos intended to gain their trust.

North Korean Hackers Use AI-Generated Videos to Dupe Crypto Executives via ClickFix

The Record reports that a group of North Korean hackers targeted a cryptocurrency company official via a fake Zoom meeting, various malware, and social engineering manoeuvres. On Tuesday, Google-owned Mandiant Cybersecurity Consulting published a report detailing the modus operandi of UNC1069 hackers who exploit the ClickFix scam to specifically target entities in the cryptocurrency and decentralised finance industry.

Mandiant explained that the North Korean bad actor employed a social engineering scheme in which the victim was contacted via a “compromised Telegram account”. A fake Zoom meeting link, which contains the ClickFix infection vector, is then sent to the user. In the Zoom meeting, the victims are shown AI-generated deepfake videos of people to make the meeting appear genuine.

As part of the ClickFix scam, the UNC1069 hacker deploys seven “unique malware families”, among them SILENCELIFT, DEEPBREATH, and CHROMEPUSH, as Mandiant calls them, a set of tools specifically designed to access the victim's data. Hackers also use multiple infected files, dubbed WAVESHAPER and HYPERCALL, to gain backdoor access to the victim's system. User details such as credentials, browser data, and session tokens are stolen by bad actors for cryptocurrency and other types of financial scams.

The cybersecurity consulting firm also highlighted that the UNC1069 threat actor has expanded into injecting targeted systems with new malware families, along with SUGARLOADER, moving from AI-enabled attacks. The UNC1069 hacker is known for using Gemini to “develop tooling, conduct operational research, and assist” while researching the victim, according to a report by Google Threat Intelligence Group (GTIG).

Similar to the latest reported incident, in May 2025, Ryan Kim, a Founding Partner at Hashed, a blockchain firm, shared that he was recently targeted by a group of hackers via Telegram. A meeting was set up by Kim through Calendly. Later, a fake Zoom meeting link was sent to him, which prompted him to install a Zoom SDK update that turned out to be malware. When Kim joined the meeting, he saw various personalities from the crypto industry.

He highlighted that the audio did not work on Zoom, and other attendees appeared to be deepfakes. The Hashed executive was again prompted to install the SDK update, which he did, unknowingly infecting his system in the process. Using the Telegram Desktop session, the attacker was able to restrict access to the instant messaging app from other devices, while also changing his password and recovery mail. The bad actor was even able to bypass 2FA on Telegram.

Dhruv Raghav