North Korean Hackers Impersonate Zoom to Breach Gambling Firm

  • Hackers used deepfakes in a spoofed Zoom meeting
  • Victim ran fake support script that installed malware
  • Attackers stole credentials, crypto data, and messaging info

A representative of a Canadian online gambling provider who believed they were conducting a routine Zoom call with a known contact was actually talking to North Korean hackers on a spoofed version of the communications platform.

The North Korea-backed BlueNoroff group created a fake website that looked like an official Zoom support page to target a Canadian gaming company, according to analysts. (Image: Shutterstock)

The unnamed company was hit on May 28 by BlueNoroff, a subgroup of the notorious North Korea-backed hacker group Lazarus Group, according to Field Effect Analysis.

BlueNoroff is a financially motivated threat actor that typically targets banks and crypto exchanges, as well as gaming and entertainment industries, and fintech companies, to raise revenue for North Korea.

The group has stolen more than US$1.3 billion since 2017, largely through SWIFT banking thefts and crypto heists.

Deep Fake

Field Effect said that BlueNoroff created a fake website that looked like an official Zoom support page to target the gaming company. The attackers spoofed a real business contact and set up a Zoom call with the victim using deep-fake technology.

During the Zoom call, the hackers staged “audio issues,” and the victim was told to run a “Zoom audio repair script” to fix the problem. But the script was malware.

Once executed, the script launched a series of downloads and commands, prompting the user for system credentials and silently installing multiple malicious payloads. This allowed the hackers to steal a range of sensitive personal and system data, with a clear focus on cryptocurrency-related assets and messaging data.

The attack appears to be part of a broader Zoom spoofing campaign first spotted in March 2025 that has largely targeted crypto businesses, according to Field Effect.

“It exemplifies an evolving pattern in which financially motivated threat actors continue refining their tradecraft, embedding malicious activity within legitimate business workflows and exploiting user trust as the primary attack surface,” the analysts wrote.

Bangladesh Bank Heist

BlueNoroff’s crowning glory came, notoriously, in February 2016, when the group successfully introduced malware into the servers of the Bangladesh Bank. This helped them obtain credentials to authorize 35 requests for transfers from the New York Fed to accounts in the Philippines and Sri Lanka, totaling almost $1 billion.

Five of the 35 payments, totaling US$101 million, were processed before someone at the New York Fed smelled a rat and blocked further transactions.

Around $20 million ended up in Sri Lanka and was quickly recovered. The rest was transferred to four accounts at Philippine bank RCBC, which had been opened the same day under false names. From there it made its way into the lightly regulated Philippine casino industry where it was laundered at VIP gaming tables, before disappearing without a trace.

Philip Conneller, Senior Reporter

