New Deepfake Phishing Attack Via Zoom or Microsoft Teams Call Attacking Bitcoin Users

[Brownie2019]

Content source

https://cybersecuritynews.com/new-deepfake-phishing-attack-via-zoom/

A dangerous phishing campaign is targeting cryptocurrency holders through video calls that use artificial intelligence to create fake versions of trusted contacts.
The attack spreads through Telegram and relies on Zoom or Microsoft Teams to deliver convincing deepfake videos that trick victims into installing harmful software.
This method combines social engineering with advanced AI technology to steal Bitcoin, credentials, and Telegram accounts from unsuspecting users.
The attack begins when victims receive a video call invitation through Telegram, appearing to come from someone they know and trust.
When the call connects, the victim sees what looks like their contact on video, but the image is actually an AI-generated deepfake. The attackers use this false sense of security to manipulate victims into taking dangerous actions that compromise their systems.
During the call, attackers claim they are experiencing audio problems and cannot hear properly. They then instruct the victim to download and install what they describe as an audio plugin or update to fix the issue.
Bitcoin News analysts identified this as the critical moment when the attack succeeds. Once installed, this malicious software gives attackers complete control over the victim’s computer, allowing them to steal cryptocurrency wallets, login credentials, and hijack Telegram accounts.
The campaign has already affected members of the Bitcoin community, with Bitcoin treasury strategist Ed Juline nearly falling victim to an attack that impersonated Martin Kuchař, co-founder of BTC Prague.
Despite being aware of similar threats and recognizing familiar faces on video, Juline was almost fooled by the fake audio update prompt. He avoided compromise only after receiving an urgent warning to disconnect his computer immediately.
Attack Chain and Social Engineering Tactics
The success of this attack relies on exploiting human trust rather than technical vulnerabilities.
Attackers use compromised Telegram accounts to reach new victims, making the initial contact appear legitimate since it comes from a known connection.
The deepfake technology creates a visual confirmation that reinforces trust, making victims less suspicious when asked to install software.
The urgency created by fake audio problems pushes victims to act quickly without thinking through the potential risks.
Once a system is compromised, attackers use the stolen Telegram account to continue spreading the attack to more victims, creating a self-perpetuating cycle that expands the campaign’s reach throughout the cryptocurrency community.

 

[Divergent]

Malicious Artifacts​

Payload Type
Malicious "audio plugin" or "audio update" software.

Delivery Mechanism
Links provided during live deepfake video calls on Zoom or Microsoft Teams.

Initial Vector
Invitation links sent via Telegram from compromised accounts.

​

Targeted Information (Exfiltration)​

The malicious software aims to steal.

Cryptocurrency Wallets
Specifically targeting Bitcoin holders.

Login Credentials
For various sensitive accounts.

Session Data
Hijacking Telegram accounts to propagate the attack.

​

Campaign Metadata​

Date Reported
January 27, 2026.

Platform Targets
Zoom, Microsoft Teams, Telegram.

Social Engineering Tactic
Real-time deepfake impersonation of trusted contacts combined with a claim of "audio problems" to create urgency.

Remediation & Recovery​

If you have participated in a suspicious call or installed an unverified plugin.

Immediate Isolation
Disconnect the affected computer from all networks (Wi-Fi and Ethernet) immediately to stop active data exfiltration.

Identity Revocation
From a clean device, access Telegram settings and "Terminate all other sessions" to prevent the attacker from using your account to spread the malware.

Credential Reset
Change passwords for all sensitive accounts, especially cryptocurrency exchanges and email providers, and reset Multi-Factor Authentication (MFA) seeds.

Forensic Cleanup
Perform a full system wipe and restore from a known-good backup. Because the malware provides "complete control," standard antivirus may not be sufficient to ensure persistence removal.

Post-Incident Hardening​

To mitigate risks from Deepfake-as-a-Service (DaaS), implement the following NIST-aligned control.

Out-of-Band Verification
Establish a "Challenge-Response" protocol or "Safe Word" with high-value contacts for any request involving software installation or financial transactions. Never install software or plugins directly from a link provided during a live call.

References​

Cybersecurity News - Deepfake Phishing Attack Via Zoom/Teams

NIST SP 800-61 Rev. 2 - Computer Security Incident Handling Guide