A North Korea-linked campaign is leaning on impersonation and social engineering to hit crypto firms, according to NewsData.io.

The operation pairs stolen Telegram accounts with fake video calls, including Zoom-style sessions, to get targets to click through to a malicious payload. NewsData.io also reports ClickFix attacks as part of the chain used to deliver infostealer malware.

Attack path: fewer “break in” steps, more “get the click” steps

This campaign’s strength is in process, not in cryptography. NewsData.io describes a combination of:

  • Stolen Telegram accounts to establish legitimacy in the target’s chat ecosystem.
  • Fake Zoom video calls to maintain pressure and credibility in real time.
  • ClickFix attacks to steer the victim to the next step.
  • Infostealer malware deployment after the interaction.

For crypto companies, the consequence is blunt. If the initial access looks like normal business chatter, endpoint and email filters can miss the pivot point. The “video call” becomes the delivery mechanism for the wrong link, file, or interaction.

Why video impersonation matters more than it sounds

NewsData.io frames the scheme around deepfake video calls. That changes the security conversation from “did someone email you from an odd address” to “did a real person join your call, and did you verify the off-camera details?”

Even with strong technical controls, human verification breaks down when an attacker can simulate familiarity and urgency during a live session. In this case, stolen Telegram accounts likely help set the stage before the call happens.

What defenders can take from the chain

NewsData.io does not list specific victim organizations, timelines with timestamps, or malware hashes in the provided excerpt. But the workflow it describes points to practical controls that target the weak links rather than only the malware.

Consider focusing on:

  • Identity hygiene for messaging accounts. If Telegram logins are compromised, assume social proof is no longer reliable.
  • Call hygiene. Treat unexpected video-call requests as a prompt for out-of-band verification.
  • Link and interaction gating. If ClickFix-style tricks get the victim to click or follow, the defense needs to slow down that decision.
  • Infostealer readiness. Ensure telemetry can spot credential and session theft patterns rather than only “known bad” files.
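The third and fourth bullets ask for telemetry that catches the behaviour, not just a known-bad file. The following is an added example written for this article, not code from NewsData.io or from the campaign report: a small heuristic that scores process-creation events for the ClickFix shape (a script interpreter launched from the desktop shell with a command line that fetches or decodes something). The pipe-delimited log format, the field names and the sample events are all constructed assumptions; the cue list reflects common defender heuristics and is meant to be tuned against your own baseline.

```python
"""
Heuristic scoring of process-creation events for ClickFix-style execution.

Added example, not from the NewsData.io report. The record layout
'ts|user|parent_image|image|command_line' is an assumption made for this
illustration; map it onto Sysmon Event ID 1 or your EDR's fields in practice.
"""
import re
from dataclasses import dataclass, field

# Interpreters a "paste this to fix the problem" lure typically has the victim
# launch. Seeing one of these with explorer.exe as parent is uncommon in most
# corporate fleets, which is what makes the pattern useful.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line cues of fetch-and-execute or obfuscated execution.
CUE_PATTERNS = [
    ("encoded PowerShell", re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")),
    ("hidden window", re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("eval of fetched text", re.compile(r"(?i)\biex\b|invoke-expression")),
    ("download primitive", re.compile(r"(?i)downloadstring|invoke-webrequest|\bcurl\b|\bwget\b")),
    ("remote URL in command", re.compile(r"(?i)https?://")),
]

# Constructed sample telemetry (not real events). Only the first two rows
# have the ClickFix shape; the rest are ordinary activity for contrast.
SAMPLE_EVENTS = r"""
2024-01-01T10:00:00Z|alice|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -enc BASE64PLACEHOLDER
2024-01-01T10:02:00Z|bob|C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe https://example.invalid/fix-verify
2024-01-01T10:03:00Z|carol|C:\Program Files\Build\msbuild.exe|C:\Windows\System32\cmd.exe|cmd.exe /c build.bat
2024-01-01T10:04:00Z|dave|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
2024-01-01T10:05:00Z|erin|C:\Windows\System32\svchost.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\inventory.ps1
"""


@dataclass
class Finding:
    line_no: int
    user: str
    image: str
    score: int
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split one constructed record into fields; return None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, user, parent, image, cmd = parts
    # Keep only the basename of image paths so comparisons are path-agnostic.
    return {"ts": ts, "user": user,
            "parent": parent.lower().rsplit("\\", 1)[-1],
            "image": image.lower().rsplit("\\", 1)[-1],
            "cmd": cmd}


def score_event(ev):
    """Return (score, reasons). Parent cue weighs 2, each command cue weighs 1."""
    reasons = []
    if ev["image"] not in INTERPRETERS:
        return 0, reasons
    score = 0
    if ev["parent"] == "explorer.exe":
        score += 2
        reasons.append("interpreter launched from explorer.exe (Run dialog or double-click)")
    for label, pat in CUE_PATTERNS:
        if pat.search(ev["cmd"]):
            score += 1
            reasons.append(f"command line: {label}")
    return score, reasons


def detect(lines, threshold=3):
    """Score each record; threshold 3 = shell parent plus at least one cue,
    or three cues on their own."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev is None:
            continue
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append(Finding(n, ev["user"], ev["image"], score, reasons))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS.splitlines()):
        print(f"line {f.line_no}: {f.user} ran {f.image} (score {f.score})")
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed sample, only the two explorer.exe-parented records with a download or encoding cue are reported; the build-system cmd.exe, the notepad launch and the scheduled inventory script fall below the threshold. An administrator who double-clicks a script also produces an explorer.exe-parented PowerShell, so in production the parent cue should be combined with an allowlist of known script paths and signers rather than alerting on the parent alone.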

NewsData.io’s wording is incident-oriented. That matters because campaigns like this often succeed through repeated attempts, not one dramatic exploit.

The unanswered questions

NewsData.io’s excerpt confirms the attack ingredients at a high level, but leaves key specifics open. For example, it does not say:

  • Whether the deepfake aspect was used to impersonate a specific executive, partner, or vendor.
  • How victims were selected and whether crypto firms were targeted for particular systems.
  • What the infostealer ultimately exfiltrated beyond the generic category.
  • How defenders can distinguish this campaign’s links or deployment steps from normal remote work activity.

Those gaps are important. Without them, teams can harden generally, but they cannot build precise detections.

Still, the combination NewsData.io reports is clear enough to treat as a playbook risk. Stolen Telegram accounts plus fake Zoom calls plus ClickFix-style manipulation is a pipeline meant to convert trust into execution.