Phone cloning and AI deepfakes: how North Korean hackers are targeting crypto professionals
The crypto industry is facing a new wave of cyber threats. North Korean hackers associated with Lazarus Group are employing innovative attack methods, including deep integration of phone cloning technologies and AI-generated videos. This combination allows them to infiltrate crypto professionals’ systems with unprecedented efficiency and steal digital assets.
According to research firms such as Odaily and Huntress, malicious actors are using compromised Telegram accounts to initiate video calls with fake faces. They impersonate acquaintances, colleagues, or trusted individuals to persuade victims to install malicious software.
Video Calls with Fake Faces: Lazarus Group’s New Tactic
Martin Kuharz, co-founder of BTC Prague Conference, shared details of one such attempt. The attackers initiate video calls through hacked accounts and use AI-generated deepfakes to impersonate identities. Under the pretext of fixing sound issues in Zoom, they persuade users to download a special “plugin” or “update.”
This turns out to be the entry point for phone cloning and the installation of multi-layered malware. The victim, thinking they are resolving a technical problem, actually grants hackers full access to their device.
Multi-layered Infection: How Malware Takes Over Devices
Huntress research revealed that downloaded scripts are capable of executing complex operations on macOS devices. Infected devices are fitted with backdoors, hidden entry points through which hackers can return to the system at any time.
The malware’s capabilities extend far beyond simple espionage:
Device Cloning and Crypto Asset Theft
Experts from SlowMist note that these operations show clear signs of a deliberate campaign targeting specific individuals. Each attack is carefully planned and tailored to a particular crypto professional or wallet.
The group, also known as BlueNoroff, uses device cloning data not only for short-term access but also for long-term control. They can monitor transactions, track asset movements, and wait for the perfect moment to steal.
Particularly dangerous is the fact that phone cloning allows attackers to bypass standard two-factor authentication methods based on SMS codes sent to the victim’s device.
Protecting Against Advanced Attacks: Practical Security Measures
With the spread of voice and face cloning technologies, video and audio materials are no longer reliable for identity verification. The crypto industry must urgently rethink its security approach.
Experts recommend implementing the following measures:
North Korean hackers continue to refine their tactics, utilizing advanced AI and cloning technologies to bypass traditional defenses. The crypto industry must stay vigilant and continuously adapt its security strategies to counter these growing threats. Only a comprehensive cybersecurity approach, including phone cloning detection for suspicious activity and strengthening multi-factor authentication, can provide reliable protection for crypto professionals.