Arctic Wolf attributes a targeted intrusion against a North American Web3 and cryptocurrency company with high confidence to BlueNoroff, a financially motivated Lazarus Group subgroup. The attack began with spear-phishing that impersonated a Fintech legal figure and used a manipulated Calendly invite containing a typo-squatted Zoom link. The fake meeting page exfiltrated live camera footage for reuse in later lures and launched a ClickFix-style clipboard injection that led to credential extraction from the victim’s device, browsers, and cryptocurrency wallet extensions. The Windows-focused chain included a PowerShell-based C2 implant, an AES-encrypted browser injection payload, and Telegram Bot API screenshot exfiltration. Infrastructure analysis found more than 80 typo-squatted Zoom and Teams domains and over 100 additional targets, mostly in cryptocurrency, blockchain finance, investment, executive, and founder roles.