Pyongyang-backed hackers tap video calls as malware attacks target more than crypto, report warns


An AI-generated illustration shows a North Korean hacker group hacking using video calls. [CHATGPT]


North Korean hackers are using fake video calls to steal far more than cryptocurrency, according to a cybersecurity report warning that their reach is extending to email, messaging and even AI service accounts.
 
BlueNoroff, a hacking group widely believed to be sponsored by Pyongyang, was singled out for increasingly sophisticated attacks in a report by cybersecurity company Kaspersky on Thursday.


The group uses tactics designed to take over victims’ broader digital work environments rather than simply drain virtual asset wallets, according to Kaspersky. 
 
BlueNoroff poses as a venture capital investor to approach people in the blockchain-based services industry, also known as Web3.

It then sends carefully forged Zoom-style meeting links to trick targets into joining what appears to be a live call, but is actually a recorded video of a past call.
 
During the call, the attackers claim there is a system problem and urge the target to install an update that instead delivers malware.
 
The hacking attempts heavily target macOS users and include techniques to bypass protections for sensitive resources such as web cameras, microphones and folders containing documents and downloads.
 
A man types on a keyboard in this photo taken in Washington, November 21, 2016. [AFP/YONHAP]

 
Kaspersky also warned that there is a hacking campaign specifically targeting developers.
 
In that operation, the attackers pose as recruiters and ask developers to open a malicious repository disguised as a technical test on GitHub, a site where software engineers and developers can upload their code and credentials. 
 
Victims are often given only 30 minutes to complete the task, adding pressure to execute the code without proper verification.
 
The targets of the hackers in these cases extend well beyond crypto wallets, according to Kaspersky. 
 
The malware is designed to harvest a wide range of digital assets, including browser-stored credentials, Telegram data, cloud and collaboration information and even artifacts linked to OpenAI accounts, allowing the attackers to seize greater control over a victim’s digital infrastructure, according to Kaspersky. 
 
This campaign has been successful in nine regions so far, including Japan, Singapore and Hong Kong. Many of the victims were executives at Web3 and blockchain companies and venture capital firms, particularly in the Asia-Pacific region, Kaspersky said.
 
Security experts urged caution over unsolicited investment offers sent through Telegram and similar platforms, as well as tests that demand code execution under tight time pressure.
 
Kaspersky also advised users to verify the identities of their contacts through other channels before opening links or files and to avoid running unverified scripts or commands.


This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY JEONG JAE-HONG