North Korean Hackers Target Crypto Firms with ClickFix and AI
Summary
A cryptocurrency company employee in North America clicked a typosquatted Zoom meeting link embedded in a fake Calendly calendar invite, initiating a multi-stage cyberattack. The fake Zoom interface covertly captured the victim’s live camera feed and deployed a ClickFix-style clipboard injection attack to extract cryptocurrency wallet information. Within five minutes of the initial click, attackers gained full system access and maintained it for 66 days. The intrusion led to the exfiltration of sensitive data from the victim’s device and browsers. The attack was part of a broader campaign targeting over 100 cryptocurrency firms across 20 countries, using AI-generated content and deepfake materials created from stolen webcam footage.
Sources
This incident is documented by a single source. Source count reflects coverage in our monitored feeds, not the totality of reporting, and we do not evaluate publication quality.