Hackers Use Deepfake Zoom Calls to Target Crypto Execs
A North Korea-linked hacking group is targeting executives at cryptocurrency firms with a sophisticated scam that uses AI-generated deepfakes in fraudulent Zoom calls to deploy malware. According to a report from Google-owned security firm Mandiant, the group, tracked as UNC1069, combines social engineering, hijacked messaging accounts, and a custom malware suite in a campaign designed to steal digital assets.

The attack, dubbed the “ClickFix” crypto scam by investigators, begins when operators from UNC1069 gain control of a legitimate Telegram account belonging to a known figure in the digital asset industry. Using this trusted identity, they contact a targeted executive to arrange a virtual meeting, often sending a Calendly invitation that leads to a Zoom link controlled by the attackers.

When the victim joins the call, they are met with what appear to be other familiar industry participants. Mandiant assesses that some of these participants are AI-generated deepfakes intended to establish credibility. During the meeting, the attackers fabricate a technical issue, such as an audio problem, and offer to help “fix” it. This pretext is used to persuade the executive to run commands or install a supposed update, which is actually malware that compromises their device.

Mandiant’s investigation revealed that the UNC1069 group has deployed at least seven distinct malware families in these attacks. The toolkit is designed for comprehensive system compromise and data exfiltration.

  • Initial Access & Evasion: Malware identified as SILENCELIFT, DEEPBREATH, and CHROMEPUSH is used to analyze the target’s system and bypass security software.
  • Backdoor & Data Theft: Additional components named WAVESHAPER, HYPERCALL, and SUGARLOADER are used to establish persistent backdoor access. These tools are capable of harvesting credentials, browser data, and session tokens critical for accessing financial accounts.

Google’s threat intelligence teams also noted that the group has experimented with using large language models like Google’s Gemini and other AI tools. The stated purpose is to research potential targets and accelerate the development of their malicious software, highlighting a trend of AI adoption in offensive cyber operations.

The primary motivation behind the campaign is financial gain through the theft of cryptocurrency and other digital assets. By targeting high-level executives, the attackers aim to gain access to corporate wallets, exchange accounts, and other sensitive financial systems. The elaborate use of social engineering and deepfake technology demonstrates the lengths to which state-linked actors will go to infiltrate high-value organizations in the fintech sector.

While the methodology has been detailed, several key facts remain unknown. The Mandiant report does not specify the total monetary value of assets stolen through this campaign, the precise number of organizations successfully compromised, or the specific AI software used by the attackers to generate the deepfakes.

The risks posed by such attacks are not merely theoretical. In , Hashed founding partner Ryan Kim described a similar incident where a fake Zoom link led to a malware-laden “SDK update” that compromised his Telegram account, bypassing two-factor authentication. As remote work remains prevalent in the crypto industry, security experts anticipate that attackers will continue to refine these techniques, blending social engineering with emerging AI technologies to create more convincing and effective scams.

Security firms advise individuals and organizations in the digital asset industry to adopt heightened verification measures for all communications and software installations.

  • Verify Meeting Links: Independently confirm the authenticity of meeting invitations received through messaging apps. Use a secondary channel, like a direct phone call or email to a known address, to verify suspicious or unexpected requests.
  • Treat “Fixes” as Red Flags: Any request during a call to install software, run system commands, or “update” an application to fix a technical problem should be considered highly suspicious.
  • Secure Messaging Accounts: Lock down accounts like Telegram and Signal with the strictest possible security settings, including hardware-based two-factor authentication, device controls, and secure recovery options.
  • Establish Verification Protocols: Companies should implement strict internal protocols for any action that involves transferring funds or installing software, requiring verification through multiple, independent communication channels.
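Part of the link verification described above can be automated before a human ever clicks. The following is an added example, not code from Mandiant or from the article: it checks whether a meeting link's host is an approved vendor domain and flags lookalike hosts, credentials embedded before the host, non-ASCII hosts, and non-HTTPS links. The allowlist, the function names, and the sample links are assumptions. Because the article notes that the Calendly invitation led to an attacker-controlled Zoom link, the check should be applied to the final meeting link, not only to the invitation that delivers it.

```python
"""Classify meeting-invitation links against an approved-vendor allowlist.

Added example, not from the Mandiant report or the article. The allowlist
below is an assumption; a team would maintain its own.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist of registrable domains accepted for meeting links.
# Subdomains such as us02web.zoom.us pass; lookalikes such as
# zoom.us.example.com or zoom-us.example do not.
ALLOWED_MEETING_DOMAINS = {"zoom.us", "calendly.com"}

# Matches http(s) links inside free-form chat text (constructed pattern).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_invite_link(url: str) -> dict:
    """Return {"ok", "host", "reasons"} for one meeting link.

    ok is True only when the scheme is https, no userinfo precedes the host,
    the host is ASCII, and the host equals or is a subdomain of an allowed
    domain. reasons lists every rule that failed.
    """
    reasons = []
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return {"ok": False, "host": None, "reasons": ["unparseable url"]}

    if parts.scheme.lower() != "https":
        reasons.append("scheme is not https")

    if parts.username is not None or parts.password is not None:
        # https://zoom.us@evil.example/ shows "zoom.us" first but lands elsewhere
        reasons.append("credentials embedded before host")

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        reasons.append("no host")
    else:
        if not host.isascii():
            reasons.append("non-ASCII host (possible homoglyph)")
        allowed = any(
            host == d or host.endswith("." + d) for d in ALLOWED_MEETING_DOMAINS
        )
        if not allowed:
            reasons.append(f"host {host!r} is not an approved meeting domain")

    return {"ok": not reasons, "host": host or None, "reasons": reasons}


def scan_message(text: str) -> list:
    """Classify every http(s) link found in a chat or calendar message."""
    return [
        dict(url=m.group(0), **classify_invite_link(m.group(0)))
        for m in URL_RE.finditer(text)
    ]


if __name__ == "__main__":
    # Constructed sample message; the hosts are illustrative only.
    sample = ("Quick sync? https://us02web.zoom.us/j/111 "
              "(backup: https://zoom.us.example.net/j/222)")
    for verdict in scan_message(sample):
        status = "OK " if verdict["ok"] else "BAD"
        print(status, verdict["url"], "; ".join(verdict["reasons"]))
```

A passing verdict only means the link points at the expected vendor; it does not confirm who set up the meeting or who is on the call, so the out-of-band confirmation the article recommends still applies.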
