AI Deepfakes and Fake Updates Fuel Surge in Crypto Scams: How Hackers Bypass Trust

A crypto founder had his laptop compromised when he joined what appeared to be a Microsoft Teams call with Pierre Kaklamanos, a Cardano Foundation contact he had spoken with before. When “Pierre” reached out about Atrium and sent a Teams invite, nothing looked out of place. On the call, the face and voice matched what he remembered, and two other apparent foundation members were present. When the call lagged and dropped him, a prompt told him his Teams software was out of date and needed reinstalling through Terminal. He ran the command, then shut the laptop off because the battery was dying, which limited the damage in retrospect.

He describes himself as “quite technically savvy,” which is part of the point that the attack worked because the context felt legitimate. Social engineers have always relied on familiarity, and executing that at scale once required either a compromised account or weeks of text-based rapport-building. The video call was the authentication layer, the thing victims learned to trust, and replicating it is now within reach.

Fake Updates and AI Deepfakes: The New Tools of Crypto Scammers

Fake update campaigns documented by Microsoft in February and March 2026 involved malicious files masquerading as workplace apps, such as msteams.exe and zoomworkspace.clientsetup.exe. These files were distributed via phishing lures that mimicked legitimate Teams and Zoom meeting workflows. Microsoft also warned about “ClickFix”-style prompts targeting macOS users, instructing them to paste commands into Terminal to steal browser passwords, crypto wallets, cloud credentials, and developer keys. The fake Teams update fits both patterns simultaneously.

Google Cloud's Mandiant unit described a crypto-focused intrusion built on the same structure. A compromised Telegram account, a spoofed Zoom meeting, what witnesses described as a deepfake-style executive video, and troubleshooting commands that launched the infection. Mandiant said it could not independently verify which AI model, if any, generated the video, but confirmed the group used fake meetings and AI tools during social engineering.

Pierre Kaklamanos’ Account Hacked: A Live Campaign Signal

On April 24, the real Pierre Kaklamanos posted on X saying his Telegram had been hacked and that someone was impersonating him, along with “a few other people in the industry this week.” He told followers to avoid clicking links or booking meetings through the account and to verify contact through LinkedIn direct messages. By then, the founder had already messaged the account suggesting they switch to Google Meet. Whoever controlled Pierre's Telegram account replied that he had gotten busy and asked to reschedule, with the attacker still managing the persona once the call ended.

That exchange turns the incident from an isolated embarrassment into a live campaign signal that the method is active, the account compromise is the entry point, and the relationship history is the weapon.

Breakdown of the Attack Method