New Deepfake Phishing Attacks via Zoom and Microsoft Teams Target Bitcoin Users

A new and highly sophisticated deepfake phishing attack is actively targeting Bitcoin and cryptocurrency users through video calls on Zoom and Microsoft Teams. Unlike traditional phishing emails or fake websites, this campaign relies on real-time social engineering using AI-generated video and voice, making it far more convincing and dangerous.

Security researchers report that these attacks are ongoing and have already resulted in millions of dollars in stolen cryptocurrency.


How the Attack Works

The attack usually begins with a message from what appears to be a trusted contact—a colleague, business partner, or well-known figure in the crypto community. In many cases, attackers first compromise Telegram, email, or social media accounts to make the invitation look legitimate.

Victims are invited to join a Zoom or Microsoft Teams call to discuss business, investments, or urgent security matters. Once inside the meeting:

  • The attacker appears on camera using AI deepfake video and voice cloning
  • In some cases, pre-recorded videos are used instead of live deepfakes
  • The attacker builds trust quickly, often referencing real industry details
  • A sense of urgency is created (security issue, deal deadline, wallet risk)

During or after the call, the victim is instructed to install software, such as:

  • A “meeting update”
  • A “security patch”
  • A “presentation tool” or “wallet verification app”

This software is actually malware, often a Remote Access Trojan (RAT), designed to:

  • Steal passwords and browser data
  • Extract crypto wallet private keys
  • Monitor screens and keystrokes
  • Drain Bitcoin and other crypto wallets

Who Is Behind These Attacks?

While not every incident is fully attributed, cybersecurity firms have linked similar campaigns to BlueNoroff, a subgroup of the Lazarus Group associated with North Korea.

BlueNoroff has a long history of:

  • Targeting blockchain companies and crypto executives
  • Using fake job interviews, investment meetings, and now deepfake video calls
  • Deploying custom malware focused on cryptocurrency theft

Why This Scam Is So Effective

These attacks work because they exploit human trust, not software vulnerabilities.

Key factors include:

  • Familiar faces and voices instantly lower suspicion
  • AI deepfake tools are now cheap and accessible
  • Crypto professionals are used to remote calls and fast-moving deals
  • Video calls feel more “secure” than emails, even when they are not

Traditional phishing awareness often fails because the victim believes they are speaking to a real person they know.


How to Protect Yourself

Before joining a call

  • Verify the request using a separate communication channel
  • Be suspicious of unexpected meetings, especially involving money or security

During a call

  • Never install software or browser extensions suggested during a meeting
  • Never share private keys, seed phrases, or screen access

General security

  • Use hardware wallets for storing Bitcoin and crypto
  • Enable multi-factor authentication (MFA) on all accounts
  • Avoid joining calls from machines that store wallets or sensitive data

For organizations, Microsoft has begun rolling out anti-spoofing and brand-impersonation warnings in Teams—an acknowledgment that this threat is rapidly growing.
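
For security teams that collect endpoint process telemetry, the pattern described under "How the Attack Works" (a lure-named program run during or shortly after a Zoom or Teams call) can be checked with a simple heuristic. The Python below is an added example, not code from the researchers or from Microsoft; the event fields, process names, keyword list, 30-minute window and sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumptions for this sketch: client process names, lure words and paths are illustrative.
MEETING_CLIENTS = {"zoom.exe", "teams.exe", "ms-teams.exe"}
LURE = re.compile(r"update|patch|presentation|verif", re.I)  # lure themes named in the article
USER_WRITABLE = re.compile(r"\\(downloads|appdata\\local\\temp)\\", re.I)
GRACE_SECONDS = 30 * 60  # covers "during or after the call"

def find_suspect_installs(events):
    """Return process starts that look like a lure install tied to a call.

    events: dicts with ts (epoch seconds), host, action ("start"/"stop"), image (full path).
    """
    in_call = {}    # host -> number of meeting-client processes currently running
    last_call = {}  # host -> ts at which the last meeting client exited
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        name = PureWindowsPath(ev["image"]).name.lower()
        if name in MEETING_CLIENTS:
            delta = 1 if ev["action"] == "start" else -1
            in_call[host] = max(0, in_call.get(host, 0) + delta)
            if in_call[host] == 0:
                last_call[host] = ev["ts"]
            continue
        if ev["action"] != "start":
            continue
        near_call = in_call.get(host, 0) > 0 or (
            host in last_call and ev["ts"] - last_call[host] <= GRACE_SECONDS)
        # Flag only lure-themed names launched from user-writable locations.
        if near_call and LURE.search(name) and USER_WRITABLE.search(ev["image"]):
            alerts.append(ev)
    return alerts

# Constructed sample telemetry (not real incident data).
ZOOM = r"C:\Users\a\AppData\Roaming\Zoom\bin\Zoom.exe"
SAMPLE = [
    {"ts": 1000, "host": "ws-01", "action": "start", "image": ZOOM},
    {"ts": 1600, "host": "ws-01", "action": "start", "image": r"C:\Users\a\Downloads\Zoom_Meeting_Update.exe"},
    {"ts": 1700, "host": "ws-01", "action": "start", "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": 2000, "host": "ws-01", "action": "stop", "image": ZOOM},
    {"ts": 2900, "host": "ws-01", "action": "start", "image": r"C:\Users\a\Downloads\security_patch.exe"},
    {"ts": 9000, "host": "ws-01", "action": "start", "image": r"C:\Users\a\Downloads\driver_update.exe"},
    {"ts": 1200, "host": "ws-02", "action": "start", "image": r"C:\Users\b\Downloads\wallet_verification.exe"},
]

if __name__ == "__main__":
    for hit in find_suspect_installs(SAMPLE):
        print(hit["host"], hit["ts"], hit["image"])
```

Treat hits as triage leads: legitimate updaters can match the keywords, and a lure with a different name will not.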


Final Takeaway

This campaign marks a turning point in phishing attacks. AI-powered deepfakes combined with live video calls represent one of the most convincing social-engineering threats seen in the crypto space so far.

The technology will only improve. Awareness, verification, and strict security habits are now essential—not optional—for anyone holding or managing Bitcoin.