North Korea Archives - CasinoBeats
http://casinobeats.com/tag/north-korea/

North Korean Hackers Blamed for Zoom Attack on Canadian Gambling Firm
http://casinobeats.com/2025/06/26/north-korean-hackers-blamed-for-zoom-attack-on-canadian-gambling-firm/
Thu, 26 Jun 2025 08:43:02 +0000

An Ottawa-based security provider says North Korean hackers were behind a Zoom-themed attack on an unnamed Canadian gambling provider.

In a blog post, the cybersecurity company Field Effect claimed that a “North Korean threat actor” named BlueNoroff attacked as part of a “broader Zoom-themed campaign traced back to at least March 2025.”

‘North Korean Zoom Attacks’ On The Rise?

The security provider explained that on the morning of May 28, the gambling firm’s employees had scheduled a Zoom meeting on crypto-related matters with a contact they had previously worked with.

During the call, the gambling firm employees complained of a range of audio issues and pop-up warnings. The contact prompted the victim to run a “Zoom audio repair tool.”

However, the interlocutor was a hacker “impersonating a known contact.”

Soon, the “tool” installer began downloading benign software that leveraged legitimate Zoom components and permissible domains.

However, Field Effect explained that a closer examination of the script revealed “approximately 10,000 blank lines, followed by a command to download and execute an initial malware script.”

The gambling firm employees were eventually redirected to a Zoom-themed domain that “is not affiliated with the official Zoom platform.”

Once installed, the malware allegedly let the hackers collect sensitive information from the gambling firm’s networks.

These included keychain files and web browser profiles, such as login data, cookies, history, and extension settings.

The historical activity of the hackers and their post-exploitation activities suggest that they were hunting for crypto, as well as additional assets, harvestable credentials, and enterprise data.

The campaign employed a combination of social engineering methods and layered persistence.

The security company said there was a “strong likelihood” that the hackers wanted to steal coins from the gambling firm’s linked crypto wallets.

Field Effect claims that BlueNoroff is a financially motivated subgroup of the North Korean state-sponsored Lazarus Group.

Pyongyang, North Korea. (Image: Joseph Ferris III [CC BY 2.0])

Did Lazarus Mastermind Hack?

Analysts say that Lazarus has pulled off a vast number of hacks since it was founded in 2010. The most recent of these is allegedly the $11 million hack of the Taiwan-based crypto exchange BitPro in May.

Experts allege Lazarus is a unit of the Pyongyang-based Reconnaissance General Bureau. They say its goal is to generate funds for the North Korean regime.

Pyongyang has repeatedly denied allegations that it operates teams of crypto-hunting hackers, claiming that cyber-subterfuge is the unique preserve of Washington and its allies.

Field Effect claimed that BlueNoroff is also known as APT38, Stardust Chollima, BeagleBoyz, and NICKEL GLADSTONE.

It said the group consistently targets South Korea, Japan, North America, and Europe-based financial institutions, crypto firms, gaming companies, entertainment players, and fintech providers.

North Korean leader Kim Jong-un. (Image: Kremlin/commons.wikimedia [CC BY 4.0])

Security Firms: Hackers Operate on LinkedIn, Telegram

Earlier this month, the cybersecurity provider Huntress reported on its blog that an unnamed crypto firm also suffered a security breach at the hands of BlueNoroff.

The provider wrote: “An employee at a cryptocurrency foundation received a message from an external contact on their Telegram. The message requested time to speak to the employee.” 

It continued: “The attacker sent a Calendly link to set up a meeting time. The link was for a Google Meet event. But when clicked, the URL redirected the end user to a fake Zoom domain controlled by the threat actor.”

Similarly, the crypto firm staffer then joined the group Zoom meeting, which “contained several deepfakes of known senior leadership within their company.”

When the crypto company employee experienced microphone issues, the deepfakes prompted them to download malware disguised as a Zoom extension, providing a link via Telegram.

Social Engineering Attacks

South Korean security providers have previously accused North Korean hackers of orchestrating sophisticated scams using virus-containing software distributed on platforms like LinkedIn.

In some cases, hackers have reportedly circulated trojans disguised as PDF files, LinkedIn updates, and Microsoft PowerPoint documents.

In many cases, would-be attackers allegedly pose as former employees or account executives at job search companies.

Last month, public prosecutors in South Korea said they were investigating a man they suspect of launching illegal gambling sites with the help of Pyongyang-based hackers.

South Korean Man ‘Launched Illegal Gambling Site With Help from North Korean Hackers’
http://casinobeats.com/2025/05/14/south-korean-man-launched-illegal-gambling-site-with-help-from-north-korean-hackers/
Wed, 14 May 2025 10:41:39 +0000

South Korean public prosecutors are investigating a man accused of launching illegal gambling sites with the aid of North Korean hackers.

The newspaper MBN reported that officers think the websites garnered billions of won in profits, with some of the money ending up in North Korea. One billion won is equal to around $704,000.

The newspaper quoted the Seoul Central District Prosecutors’ Office-run Public Investigation Division as stating that it is currently interrogating an unnamed man in his 50s.

North Korean Hackers Sent Software to Gambling Operator

The man has been retained in custody on suspicion of violating the terms of the National Security Act.

Prosecutors think the man first established contact with North Korean hackers in 2022. They say the parties communicated via the Telegram chat app.

Shortly after, officials claim, the man launched an illegal gambling site, using servers based in China. The hackers provided him with software to help build and run the site, prosecutors say.

Police launched a probe into the sites and the suspect earlier this year. And on May 7, the Seoul Metropolitan Police Agency’s Security Investigation Unit swooped, sealing the arrest.

The prosecution plans to indict the man after investigating suspicions that he committed additional crimes.

Police Arrest ‘Proxy Gambling Live Streamer’

Meanwhile, the media outlet Newsis reported that police have arrested a live streamer who they think placed illegal bets on online slots platforms for his viewers.

Jeju, South Korea. (Image: Ji Seongkwang)

The Jeju West Police Station, in the island province of Jeju, says it has handed the case over to the prosecution service.

The man (also unnamed and aged in his 40s) is suspected of gambling on behalf of viewers and exchanging virtual in-game currency for fiat.

Officers say the man and two suspected accomplice live streamers began placing bets for viewers in September 2023.

The trio used an office in Seoul as a broadcasting studio, police say, and continued offering proxy gambling and money exchange operations until officers conducted a raid in early April.

Police think the trio received several cash deposits worth 300 million won ($211,500) from their viewers, playing the machines on their behalf. If the streamers won, they would send the viewers the cash equivalent of their winnings.

The chief suspect also helped viewers buy and sell some 12.5 billion won ($8.8 million) in virtual in-game currency. Officers think the chief suspect made around 3 billion won ($2.1 million) from the operation.

A screenshot released to the media by Jeju West Police Station showing slot gameplay from an illicit gambling livestream.

Manhunt Continues

Police said they arrested the man at an address in Seoul on April 9. Investigators added that they were also trying to track down more broadcast jockeys (live streamers) who they suspect of facilitating proxy gambling.

Officers are also trying to find some of the “high-stakes gamblers” who use broadcast jockeys to place bets on their behalf.

A spokesperson for the Jeju West Police Station said that the popularity of proxy betting games was on the rise in the province. The official added the force would “focus on cutting off criminal activity and illegal gambling at the source.”

Earlier this year, officers in Seoul arrested 37 people in a raid on a suspected illegal casino operating hub housed in a furniture store.

The country’s National Police Agency has also announced the launch of a third annual crackdown on hold ‘em pubs nationwide.

Thousands of hold ‘em pubs operate in the country, offering patrons casino-like experiences, supposedly without allowing “real-money” betting.

Previous hold ‘em crackdowns have seen investigators charge 4,843 people with gambling or running illegal gambling establishments.
