Researchers warn that a financially motivated unit of North Korea’s Lazarus Group has been running a social-engineering campaign that uses fake Zoom or Teams calls against senior-level executives in cryptocurrency and blockchain.
The threat actor, tracked as BlueNoroff, targeted a legal executive at an international consulting firm with a Calendly calendar invite that contained a typo-squatted Zoom link. This led to exfiltration of meeting footage from live camera feeds, according to a Monday blog post from Arctic Wolf.
The hackers targeted about 100 different executives spread across more than 20 countries. About 40% of the victims were based in the U.S., with Singapore and the U.K. also among the most targeted countries. The targets included decentralized finance founders, exchange operators, blockchain wallet developers and others, according to Arctic Wolf researchers.
Individuals were targeted due to their “direct access to private keys, wallet infrastructure, and exchange administration” panels, indicating that the goal was to gain access to crypto wallets.
Researchers said the hackers conducted deep reconnaissance on selected targets to make the attacks more credible.
“The attackers appear to have conducted detailed investigative work prior to setting up each fake meeting,” Ismael Valenzuela, VP of threat intelligence at Arctic Wolf, told Cybersecurity Dive. “The attacker's ability to populate a fake Zoom or Teams call with recognizable industry figures, tailored to the specific target’s professional network, represents a potent social engineering capability on behalf of the threat actor.”
More than 80 typo-squatted Zoom or Teams domains were registered over a five-month period starting in late 2025. Researchers also analyzed about 950 files from the attacker infrastructure, which showed how stolen web footage was combined with AI-generated images to create fabricated content for future social engineering attacks.
The campaign appears consistent with previously documented BlueNoroff activity. Researchers at Huntress and Kaspersky have examined earlier threat campaigns targeting Web3 organizations.
The Huntress blog documented a 2025 social engineering attack based on a single endpoint intrusion. Huntress officials said the campaign outlined by Arctic Wolf demonstrates a major escalation in capabilities.
Jon Semon, principal security operations analyst at Huntress, told Cybersecurity Dive, “I can say with confidence that BlueNoroff has grown substantially in the six to eight months since our [research], in terms of tooling, infrastructure, malware development, and overall attack volume.”