Hackers Use ClickFix Scam to Target Crypto Executive via Fake Zoom Meetings

A Google-owned cybersecurity consulting firm said a North Korean hacker group is targeting executives of cryptocurrency and decentralised finance companies to run crypto theft campaigns. The hackers use hacked Telegram accounts and fake Zoom meeting links to dupe victims and infect targeted systems. After gaining access to their victims’ credentials and accounts, the hackers change passwords to block user access. When a user joins the fake Zoom meeting, they are shown AI-generated videos to gain their trust.

North Korean Hackers Use AI-Generated Videos to Dupe Crypto Executives via ClickFix

The Record reports that a group of North Korean hackers attacked an official at a cryptocurrency company through a fake Zoom meeting, multiple pieces of malware and social engineering manoeuvres. Mandiant, a Google-owned cybersecurity consulting company, published a report on Tuesday on how UNC1069 hackers exploit the ClickFix scam to target entities in the cryptocurrency and decentralised finance industry.

Mandiant explained that the North Korean bad actor used a social engineering scheme in which the victim was contacted through a compromised Telegram account. The user is then sent a fake Zoom meeting link, which contains the ClickFix infection vector. The fake meeting shows the victim AI-generated deepfake videos of people, which makes it appear to be a real Zoom meeting.

The UNC1069 hackers use seven “unique malware families” as part of the ClickFix scam, among them what Mandiant calls SILENCELIFT, DEEPBREATH and CHROMEPUSH, a set of tools specifically designed to access the victim’s data. The hackers also use several infected files, called WAVESHAPER and HYPERCALL, for backdoor access to the victim’s system. The threat actors steal user details such as credentials, browser data and session tokens for cryptocurrency and other financial scams.

The cybersecurity consulting firm also noted that the UNC1069 threat actor has moved from AI-enabled attacks to injecting targeted systems with new malware families, as well as SUGARLOADER. A report by Google Threat Intelligence Group (GTIG) describes the UNC1069 hackers as using Gemini for “developing tooling, conducting operational research and helping” while researching the victim.

In an incident similar to the latest one reported, in May 2025 Ryan Kim, a Founding Partner at Hashed, a blockchain company, told how he was recently targeted by a group of hackers via Telegram. Kim set up the meeting through Calendly. He was later sent a link to a fake Zoom meeting, prompting he received – as well as obtaining. When Kim attended the meeting, he met with several crypto industry figures.

He noted that the audio was not working on Zoom and that the other attendees appeared to be deepfakes. The Hashed executive was again asked to install the SDK update, which he did, unknowingly infecting his system in the process. The attacker, who was able to block access to the instant messaging app from other devices using the Telegram Desktop session, changed his password and recovery email. The bad actor even bypassed 2FA on Telegram.

