North Korean Hackers Impersonate Zoom to Breach Gambling Firm
A representative of a Canadian online gaming company thought they were having a standard Zoom call with a familiar contact but was instead conversing with North Korean hackers using a fraudulent version of the platform.
According to Field Effect Analysis, BlueNoroff, a subgroup of the infamous North Korea-supported hacker group Lazarus Group, struck the unnamed company on May 28.
BlueNoroff is a financially driven threat actor that usually focuses on banks and crypto exchanges, along with the gaming and entertainment sectors, and fintech firms, to generate funds for North Korea.
The gang has taken over US$1.3 billion since 2017, primarily via SWIFT banking thefts and cryptocurrency heists.
Deep Fake
Field Effect reported that BlueNoroff set up a counterfeit website mimicking an official Zoom support page to target the gaming company. The assailants impersonated a legitimate business associate and arranged a Zoom meeting with the target utilizing deep-fake technology.
Throughout the Zoom meeting, the hackers feigned “audio problems,” and the victim was instructed to execute a “Zoom audio repair script” to resolve the issue. However, the script contained malware.
After execution, the script initiated a sequence of downloads and commands, requesting the user's system credentials and discreetly installing several malicious payloads. This enabled the hackers to obtain various sensitive personal and system information, specifically targeting cryptocurrency-related assets and messaging details.
According to Field Effect, the assault seems to be part of a larger Zoom spoofing initiative initially identified in March 2025, primarily aimed at cryptocurrency companies.
“It exemplifies an evolving pattern in which financially motivated threat actors continue refining their tradecraft, embedding malicious activity within legitimate business workflows and exploiting user trust as the primary attack surface,” the analysts wrote.
Bangladesh Bank Theft
BlueNoroff achieved its most infamous milestone in February 2016, when the group managed to deploy malware into the Bangladesh Bank's servers. This enabled them to gain credentials to approve 35 transfer requests from the New York Fed to accounts in Sri Lanka and the Philippines, amounting to nearly $1 billion.
Out of the 35 payments, five amounting to US$101 million were completed before an individual at the New York Fed detected an issue and halted additional transactions.
Approximately $20 million reached Sri Lanka and was swiftly retrieved. The remaining funds were moved to four accounts at Philippine bank RCBC, opened that very day using fictitious identities. From that point, it entered the loosely monitored Philippine casino sector, where it was washed at high-stakes gaming tables, then vanished completely.