North Korean cybercriminals disguised as Zoom representatives infiltrated a gambling company.
In a chilling demonstration of the evolving landscape of cybercrime, a notorious subgroup of the Lazarus Group, known as BlueNoroff, has been implicated in a major attack on a gaming company. This audacious assault, which took place on May 28, 2025, saw the hackers employ deepfake technology to trick their victim into divulging sensitive information and installing malware.
The attack began with a spoofed Zoom call, where the hackers impersonated a business contact, luring the victim into the meeting. During the call, the hackers staged "audio issues" and instructed the victim to run a "Zoom audio repair script," which was, in fact, malware. Once executed, the script launched a series of downloads and commands, prompting the user for system credentials and silently installing multiple malicious payloads.
The malware allowed the hackers to steal a range of sensitive personal and system data, with a clear focus on cryptocurrency-related assets and messaging data. Five of the 35 payments, totalling US$101 million, were processed before someone at the New York Fed blocked further transactions. The rest of the stolen funds, approximately $900 million, were transferred to four accounts at Philippine bank RCBC, which had been opened the same day under false names. From there, the funds were laundered at VIP gaming tables in the lightly regulated Philippine casino industry before disappearing without a trace.
BlueNoroff's use of deepfakes in this attack represents an escalation in their social engineering tactics, enhancing their ability to deceive targets. This innovative technique is part of a broader pattern of BlueNoroff's activities, which include historical linkages to billion-dollar cyber heists, such as the $620 million Axie Infinity Ronin Network attack in 2022. The group also persistently uses cloud-based attack vectors to target cryptocurrency firms' infrastructures and impersonates job recruiters on platforms like LinkedIn and Telegram to infiltrate organizations.
BlueNoroff operates as the Lazarus Group’s financial cybercrime arm, primarily targeting banks, crypto exchanges, gaming and entertainment industries, and fintech companies. Since 2017, they have stolen more than US$1.3 billion, primarily through SWIFT banking thefts and crypto heists. This latest attack exemplifies an evolving pattern in which financially motivated threat actors embed malicious activity within legitimate business workflows and exploit user trust as the primary attack surface.
The attack was identified by Field Effect Analysis, and around $20 million of the stolen funds ended up in Sri Lanka and were quickly recovered. As cybercrime continues to evolve, it is crucial for businesses and individuals to remain vigilant, educate themselves on the latest threats, and prioritize cybersecurity measures to protect their assets.
- The Lazarus Group's subgroup, BlueNoroff, has been linked to a major Zoom phishing attack on a gaming company, using deepfake technology for social engineering purposes.
- In this attack, BlueNoroff tricked their victim into divulging sensitive information and installing malware, which resulted in cryptocurrency theft.
- The group's innovative technique of using deepfakes is part of a broader pattern of activities, including historical linkages to significant cyber heists like the $620 million Axie Infinity Ronin Network attack in 2022.
- BlueNoroff primarily targets banks, crypto exchanges, the gaming and entertainment industries, and fintech companies, and uses cloud-based attack vectors and platforms like LinkedIn and Telegram for infiltration.
- The latest attack by BlueNoroff demonstrates an evolving pattern where financially motivated threat actors embed malicious activity within legitimate business workflows, exploiting user trust as the primary attack surface.
- As cybercrime continues to evolve, it is essential for businesses and individuals to prioritize cybersecurity measures, remain vigilant, and educate themselves on the latest threats to protect their assets.