North Korea-linked hackers target major crypto firms in phishing campaign


A hacking team associated with the North Korea-linked Lazarus Group has carried out a large-scale crypto theft campaign targeting more than 100 cryptocurrency organizations across over 20 countries, according to cybersecurity firm Arctic Wolf.

The campaign, attributed with “high confidence” to BlueNoroff (also tracked as APT38, Sapphire Sleet, and Stardust Chollima), impersonated well-known fintech figures, distributed fake meeting invitations via spoofed Calendly links, and used typosquatted domains mimicking Zoom and Microsoft Teams to lure victims.

Researchers at Arctic Wolf Labs first detected the operation on January 23, 2026, investigating an intrusion at a North American cryptocurrency company. The attack began with a manipulated calendar invite that directed the victim to a fake Zoom interface, which captured webcam footage while deploying a clipboard injection attack designed to harvest credentials.

According to the report, the attackers executed a multi-stage credential theft targeting sensitive data, particularly cryptocurrency wallet extensions. Despite a delay of nearly five months between initial contact and execution, the compromise itself took less than five minutes from the victim’s first click to full system access.

The threat actors reportedly maintained access to compromised systems for up to 66 days. Further investigation uncovered at least 100 additional victims whose stolen media was stored on attacker-controlled infrastructure.

Most of the campaign’s victims were based in the United States (41%), followed by Singapore (11%) and the United Kingdom (7%). Approximately 80% of targets were involved in cryptocurrency or blockchain-related industries, and nearly half were CEOs or founders.

Researchers also identified more than 80 fraudulent domains registered between late 2025 and March 2026. They also found a media server hosting over 950 files described as a “self-sustaining deepfake pipeline,” where stolen webcam footage was combined with AI-generated imagery to create convincing fake meeting content for future attacks.

The attackers used PowerShell-based command-and-control implants, AES-encrypted browser injection payloads, and Telegram bot mechanisms for data exfiltration.
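Two of the indicators above, lookalike domains for the meeting and scheduling brands and a scripting host talking to a Telegram bot API, are the kind of thing a defender can hunt for in proxy or EDR telemetry. The following is an added example, not code from Arctic Wolf or the report, and its log format, brand allowlist and sample lines are all constructed for illustration. It flags hosts that embed or closely resemble a brand name (zoom, teams, calendly) without being on the allowlist, and separately flags PowerShell processes connecting to api.telegram.org.

```python
import re

# Constructed allowlist of legitimate hosts for the brands the campaign impersonated.
# An analyst would replace this with the organisation's own vetted list.
KNOWN_GOOD = {
    "zoom": {"zoom.us", "zoom.com"},
    "teams": {"teams.microsoft.com", "microsoft.com"},
    "calendly": {"calendly.com"},
}
# Scripting hosts that should not normally talk to a chat-bot API directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
EXFIL_HOSTS = {"api.telegram.org"}

# Constructed log format: "<timestamp> proc=<image name> dst=<destination host>"
LOG_RE = re.compile(r"^(\S+) proc=(\S+) dst=(\S+)$")

# Constructed sample proxy/EDR lines; none of these are indicators from the report.
SAMPLE_LOG = [
    "2026-03-02T10:14:05Z proc=chrome.exe dst=zoom.us",
    "2026-03-02T10:14:09Z proc=chrome.exe dst=zooom.us",
    "2026-03-02T10:15:01Z proc=chrome.exe dst=teams-microsoft.com",
    "2026-03-02T10:15:30Z proc=outlook.exe dst=calendly.com",
    "2026-03-02T10:16:12Z proc=chrome.exe dst=calendly-invite.net",
    "2026-03-02T10:20:44Z proc=powershell.exe dst=api.telegram.org",
    "2026-03-02T10:21:00Z proc=telegram.exe dst=api.telegram.org",
    "2026-03-02T10:22:00Z proc=chrome.exe dst=example.org",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels. Assumes no multi-part public
    suffixes (e.g. co.uk) in the input; a real deployment would use a PSL library."""
    return ".".join(host.split(".")[-2:])


def brand_lookalike(host: str):
    """Return the impersonated brand if `host` looks like a lookalike of a brand in
    KNOWN_GOOD, else None. Hosts on the allowlist are never flagged."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if any(host in good or reg in good for good in KNOWN_GOOD.values()):
        return None
    labels = re.split(r"[.-]", host)   # "teams-microsoft.com" -> teams, microsoft, com
    second_level = reg.split(".")[0]   # "zooom.us" -> zooom
    for brand in KNOWN_GOOD:
        threshold = 1 if len(brand) < 6 else 2
        if brand in labels or levenshtein(second_level, brand) <= threshold:
            return brand
    return None


def analyze(lines):
    """Run both detections over log lines and return findings in line order."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, proc, host = m.groups()
        brand = brand_lookalike(host)
        if brand:
            findings.append({"line": n, "proc": proc, "host": host,
                             "reason": f"lookalike of {brand}"})
        elif proc.lower() in SCRIPT_HOSTS and host.lower() in EXFIL_HOSTS:
            findings.append({"line": n, "proc": proc, "host": host,
                             "reason": "scripting host contacting bot API"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']}: {f['proc']} -> {f['host']} ({f['reason']})")
```

Against the sample lines, the script flags zooom.us, teams-microsoft.com and calendly-invite.net as brand lookalikes and the powershell.exe connection to api.telegram.org, while leaving the genuine Zoom, Teams and Calendly hosts and the desktop Telegram client alone. The allowlist check runs before the similarity check on purpose: without it, the legitimate teams.microsoft.com would match its own brand keyword.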

BlueNoroff is believed to be the financial cybercrime arm of the Lazarus Group, which has been active since at least 2014 and operates under North Korea’s Reconnaissance General Bureau. The group gained global attention following the 2016 Bangladesh Bank heist, in which hackers attempted to steal $951 million and successfully transferred $81 million.
