Key Takeaways:
- Crypto insiders are being targeted by deepfake video calls that deliver macOS malware
- BTC Prague co-founder Martin Kuchař says his stolen Telegram account was used to spread the attack
- The campaign matches tactics tied to North Korea–linked BlueNoroff hackers
A crypto scam wave with a highly-targeted level is exploiting deepfake video, relationship contacts and popular work tools. BTC Prague co-founder, Martin Kuchař disclosed that attackers controlled his Telegram account to lure others into Zoom and Teams video call with malware.
Please, help me to stop 🛑 those scammers. Report this TG account which was stolen from me and is widely used to spread the attack in my name now. https://t.co/RHDWF9Qvpy pic.twitter.com/Sdepa8MH8w
— Martin Kuchař (@kucharmartin_) January 26, 2026
Read More: $50M Vanishes in Seconds: Copy-Paste Wallet Error Triggers One of Crypto’s Costliest Address Scams
Deepfake Video Calls Used as the Entry Point
Kuchař warned that the attacks often start with messages from trusted contacts on Telegram or other platforms. The victims receive an invitation to discuss the matter or also have a quick sync in a Zoom or Microsoft Teams call.
After getting the call, the attackers impersonate the trusted person through AI-generated deepfake video. They state that there is an audio problem and request the victim to install a given plug in or file so as to resolve the issue. That file gives attackers full access to the system.
According to Kuchař, this method led to the theft of Bitcoin, takeover of Telegram accounts, and further spread of the scam through hijacked identities. He urged users to treat all Telegram messages as untrusted and to avoid unverified Zoom or Teams calls.
Read More: Hackers Hijack Binance Co-CEO Yi He’s WeChat to Push Meme Coin Scam, Triggering Market Frenzy
North Korea–Linked Malware Chain Targets Mac Users
Technical details shared by Kuchař align with research from cybersecurity firm Huntress, which traced similar attacks to BlueNoroff, a hacking group linked to North Korea’s Lazarus Group.
How the Mac Infection Works
The attack starts with a spoofed Zoom domain with a faked meeting link. When victims are making the call, they are advised to download a file named Zoom support script. Actually, the file is infected by AppleScript, which starts a multi-stage attack.
The malware toolkit will consist of:
- Telegram 2, a fake updater that maintains persistence
- Root Troy V4, a remote-access backdoor
- InjectWithDyld, a stealth loader for encrypted payloads
- XScreen, a surveillance tool that logs keystrokes and screen activity
- CryptoBot, an infostealer targeting more than 20 crypto wallets
Researchers indicate that the malware will leverage valid developer signatures and place Rosetta on Apple Silicon devices in order to evade identification. This renders the attack less detectable, particularly to the Mac users who have a false sense of security that their respective systems are less vulnerable.
Crypto Theft Campaigns Grow More Sophisticated
Huntress researchers point out that Mac is an excellent target because an increasing number of crypto groups deploy Macs to the enterprise. Deepfake video injects strongly in the credibility equation, combining real-time images with the known platform.
Basic security habits revealed by Kuchař assisted in curtailing his losses. He emphasized the use of two-factor authentication, password solution, and hardware wallets. He also recommended more secure communication tools, such as Signal or Jitsi, and better browsers over more secure calls, such as Google Meet due to greater sandboxing.