Encryption

North Korea-linked hackers deploy fake Zoom malware to steal crypto

North Korean hackers have reportedly used deepfake technology to impersonate executives during a fake Zoom call in an attempt to install malware and steal cryptocurrency from a targeted employee.

Cybersecurity firm Huntress identified the scheme, which involved a convincingly staged meeting and a custom-built AppleScript targeting macOS systems—an unusual move that signals the rising sophistication of state-sponsored cyberattacks.

The incident began with a fraudulent Calendly invitation, which redirected the employee to a fake Zoom link controlled by the attackers. Weeks later, the employee joined what appeared to be a routine video call with company leadership. In reality, the participants were AI-generated deepfakes.

When audio issues arose, the hackers convinced the user to install what was supposedly a Zoom extension but was, in fact, malware designed to hijack cryptocurrency wallets and steal clipboard data.

Huntress traced the attack to TA444, a North Korean group also known by names like BlueNoroff and STARDUST CHOLLIMA. Their malware was built to extract sensitive financial data while disguising its presence and erasing traces once the job was done.

Security experts warn that remote workers and companies have to be especially cautious. Unfamiliar calendar links, sudden platform changes, or requests to install new software should be treated as warning signs.

Verifying suspicious meeting invites through alternative contact methods — like a direct phone call — is a vital but straightforward way to prevent damage.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

New SparkKitty malware targets crypto wallets

A new Trojan dubbed SparkKitty is stealing sensitive data from mobile phones, potentially giving hackers access to cryptocurrency wallets.

Cybersecurity firm Kaspersky says the malware hides in fake crypto apps, gambling platforms, and TikTok clones, spread through deceptive installs.

Once installed, SparkKitty accesses photo galleries and uploads images to a remote server, likely searching for screenshots of wallet seed phrases. Though mainly active in China and Southeast Asia, experts warn it could spread globally.

SparkKitty appears linked to the SparkCat spyware campaign, which also targeted seed phrase images.

The malware is found on iOS and Android platforms, joining other crypto-focused threats like Noodlophile and LummaC2.

TRM Labs recently reported that nearly 70% of last year’s $2.2 billion in stolen crypto came from infrastructure attacks involving seed phrase theft.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

AI data risks prompt new global cybersecurity guidance

A coalition of cybersecurity agencies, including the NSA, FBI, and CISA, has issued joint guidance to help organisations protect AI systems from emerging data security threats. The guidance explains how AI systems can be compromised by data supply chain flaws, poisoning, and drift.

Organisations are urged to adopt security measures throughout all four phases of the AI life cycle: planning, data collection, model building, and operational monitoring.

The recommendations include verifying third-party datasets, using secure ingestion protocols, and regularly auditing AI system behaviour. Particular emphasis is placed on preventing model poisoning and tracking data lineage to ensure integrity.

The guidance encourages firms to update their incident response plans to address AI-specific risks, conduct audits of ongoing projects, and establish cross-functional teams involving legal, cybersecurity, and data science experts.

With AI models increasingly central to critical infrastructure, treating data security as a core governance issue is essential.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

NATO summit overshadowed by cyber threats

NATO’s 76th summit opened in The Hague amid rising tensions in Europe and the Middle East, overshadowed by conflict and cyber threats. Leaders gathered as rushers in Ukraine dragged on, and Israel’s strikes on Iran further strained global stability.

European NATO members pledged greater defence spending, but divisions with the US over security commitments and strategy persisted. The summit also highlighted concerns about hybrid threats, with cyberespionage and sabotage by Russia-linked groups remaining a pressing issue.

According to European intelligence agencies, Russian cyber operations targeting critical infrastructure and government networks have intensified. NATO leaders face pressure to enhance collective cyber deterrence, with pro-Russian hacktivists expected to exploit summit declarations in future campaigns.

While Europe pushes to reduce reliance on the US security umbrella, uncertainty over Washington’s focus and support continues. Many fear the summit may end without concrete decisions as the alliance grapples with external threats and internal discord.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Cloudflare blocks the largest DDoS attack in internet history

Cloudflare has blocked what it describes as the largest distributed denial-of-service (DDoS) attack ever recorded after nearly 38 terabytes of data were unleashed in just 45 seconds.

The onslaught generated a peak traffic rate of 7.3 terabits per second and targeted nearly 22,000 destination ports on a single IP address managed by an undisclosed hosting provider.

Instead of relying on a mix of tactics, the attackers primarily used UDP packet floods, which accounted for almost all attacks. A small fraction employed outdated diagnostic tools and methods such as reflection and amplification to intensify the network overload.

These techniques exploit how some systems automatically respond to ping requests, causing massive data feedback loops when scaled.

Originating from 161 countries, the attack saw nearly half its traffic come from IPs in Brazil and Vietnam, with the remainder traced to Taiwan, China, Indonesia, and the US.

Despite appearing globally orchestrated, most traffic came from compromised devices—often everyday items infected with malware and turned into bots without their owners’ knowledge.

To manage the unprecedented data surge, Cloudflare used a decentralised approach. Traffic was rerouted to data centres close to its origin, while advanced detection systems identified and blocked harmful packets without disturbing legitimate data flows.

The incident highlights the scale of modern cyberattacks and the growing sophistication of defences needed to stop them.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

M&S and Co‑op hit by Scattered Spider attack

High street giants M&S and Co‑op remain under siege after the Scattered Spider gang’s sophisticated cyber‑attack this April. The breaches disrupted online services and automated systems, leading to suspended orders, empty shelves and significant reputational damage.

Authorities have classified the incident as category‑2, with initial estimates suggesting losses between £270 million and £440 million. M&S expects a £300 million hit to its annual profit, with daily online sales down by up to £4 million during the outage.

In a rare display of unity, Tesco’s Booker arm stepped in to supply M&S and some independent Co‑op stores, helping to ease stock shortages. Meanwhile, cyber insurers have signalled increasing premiums, with the cost of cover for retail firms rising by up to 10 percent.

The National Cyber Security Centre and government ministers have issued urgent calls for the sector to strengthen defences, citing such high‑impact incidents as a vital wake‑up call for business readiness.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Banks and tech firms create open-source AI standards

A group of leading banks and technology firms has joined forces to create standardised open-source controls for AI within the financial sector.

The initiative, led by the Fintech Open Source Foundation (FINOS), includes financial institutions such as Citi, BMO, RBC, and Morgan Stanley, working alongside major cloud providers like Microsoft, Google Cloud, and Amazon Web Services.

Known as the Common Controls for AI Services project, the effort seeks to build neutral, industry-wide standards for AI use in financial services.

The framework will be tailored to regulatory environments, offering peer-reviewed governance models and live validation tools to support real-time compliance. It extends FINOS’s earlier Common Cloud Controls framework, which originated with contributions from Citi.

Gabriele Columbro, Executive Director of FINOS, described the moment as critical for AI in finance. He emphasised the role of open source in encouraging early collaboration between financial firms and third-party providers on shared security and compliance goals.

Instead of isolated standards, the project promotes unified approaches that reduce fragmentation across regulated markets.

The project remains open for further contributions from financial organisations, AI vendors, regulators, and technology companies.

As part of the Linux Foundation, FINOS provides a neutral space for competitors to co-develop tools that enhance AI adoption’s safety, transparency, and efficiency in finance.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Tether CEO unveils offline password manager

Paolo Ardoino, CEO of Tether, has introduced PearPass, an open-source, offline password manager. The launch comes in response to the most significant credential breach on record, which exposed 16 billion passwords.

Ardoino criticised cloud storage, stating the time has come to abandon reliance on it for security.

The leaked data reportedly covers login details from major platforms like Apple, Meta, and Google, leaving billions vulnerable to identity theft and fraud. Experts have not yet identified the perpetrators but point to systemic flaws in cloud-based data protection.

PearPass is designed to operate entirely offline, storing credentials only on users’ devices without syncing to the internet or central servers. It aims to reduce the risks of mass hacking attempts targeting large cloud vaults.

The tool’s open-source nature allows transparency and encourages the adoption of safer, decentralised security methods.

Cybersecurity authorities urge users to change passwords immediately, enable multi-factor authentication, and monitor accounts closely.

As investigations proceed, PearPass’s launch renews the debate on personal data ownership and may set a new standard for password security.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Cybersecurity vs freedom of expression: IGF 2025 panel calls for balanced, human-centred digital governance

At the 2025 Internet Governance Forum in Lillestrøm, Norway, experts from government, civil society, and the tech industry convened to discuss one of the thorniest challenges of the digital age: how to secure cyberspace without compromising freedom of expression and fundamental human rights. The session, moderated by terrorism survivor and activist Bjørn Ihler, revealed a shared urgency across sectors to move beyond binary thinking and craft nuanced, people-centred approaches to online safety.

Paul Ash, head of the Christchurch Call Foundation, warned against framing regulation and inaction as the only options, urging legislators to build human rights safeguards directly into cybersecurity laws. Echoing him, Mallory Knodel of the Global Encryption Coalition stressed the foundational role of end-to-end encryption, calling it a necessary boundary-setting tool in an era where digital surveillance and content manipulation pose systemic risks. She warned that weakening encryption compromises privacy and invites broader security threats.

Representing the tech industry, Meta’s Cagatay Pekyrour underscored the complexity of moderating content across jurisdictions with over 120 speech-restricting laws. He called for more precise legal definitions, robust procedural safeguards, and a shift toward ‘system-based’ regulatory frameworks that assess platforms’ processes rather than micromanage content.

Meanwhile, Romanian regulator and former MP Pavel Popescu detailed his country’s recent struggles with election-related disinformation and cybercrime, arguing that social media companies must shoulder more responsibility, particularly in responding swiftly to systemic threats like AI-driven scams and coordinated influence operations.

While perspectives diverged on enforcement and regulation, all participants agreed that lasting digital governance requires sustained multistakeholder collaboration grounded in transparency, technical expertise, and respect for human rights. As the digital landscape evolves rapidly under the influence of AI and new forms of online harm, this session underscored that no single entity or policy can succeed alone, and that the stakes for security and democracy have never been higher.

Track all key moments from the Internet Governance Forum 2025 on our dedicated IGF page.

North Korea’s BlueNoroff uses deepfakes in Zoom calls to hack crypto workers

The North Korea-linked threat group BlueNoroff has been caught deploying deepfake Zoom meetings to target an employee at a cryptocurrency foundation, aiming to install malware on macOS systems.

According to cybersecurity firm Huntress, the attack began through a Telegram message that redirected the victim to a fake Zoom site. Over several weeks, the employee was lured into a group video call featuring AI-generated replicas of company executives.

When the employee encountered microphone issues during the meeting, the fake participants instructed them to download a Zoom extension, which instead executed a malicious AppleScript.

The script covertly fetched multiple payloads, installed Rosetta 2, and prompted for the system password while wiping command histories to hide forensic traces. Eight malicious binaries were uncovered on the compromised machine, including keyloggers, information stealers, and remote access tools.

BlueNoroff, also known as APT38 and part of the Lazarus Group, has a track record of targeting financial and blockchain organisations for monetary gain. The group’s past operations include the Bybit and Axie Infinity breaches.

Their campaigns often combine deep social engineering with sophisticated multi-stage malware tailored for macOS, with new tactics now mimicking audio and camera malfunctions to trick remote workers.

Cybersecurity analysts have noted that BlueNoroff has fractured into subgroups like TraderTraitor and CryptoCore, specialising in cryptocurrency theft.

Recent offshoot campaigns involve fake job interview portals and dual-platform malware, such as the Python-based PylangGhost and GolangGhost trojans, which harvest sensitive data from victims across operating systems.

The attackers have impersonated firms like Coinbase and Uniswap, mainly targeting users in India.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!