
North Korea state hackers turn to deepfake Zoom calls to hack crypto firms

2026/02/11 19:50
3 min read
For feedback or concerns about this content, contact us at crypto.news@mexc.com.

North Korean state hackers are targeting crypto firms with several unique pieces of malware deployed alongside multiple scams, including fake Zoom meetings. 

The North Korea-linked threat actor known as UNC1069 has been observed targeting the crypto sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft.

UNC1069 has been assessed as active since April 2018. It has a history of running social engineering campaigns for financial gain, using fake meeting invites and posing as investors from reputable companies.

Fake Zoom call deploys malware attack on crypto firm

In its latest report, Google's Mandiant detailed its investigation into an intrusion at a FinTech company in the crypto industry. According to the investigators, the intrusion began with a compromised Telegram account belonging to a crypto-industry executive.

The attackers used the hijacked profile to contact the victim. They gradually built trust before sending a Calendly invitation for a video meeting. The meeting link directed the target to a fake Zoom domain hosted on infrastructure under the threat actors’ control.
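The lure above hinged on a meeting link whose host was not Zoom at all. The following is an added defensive example, not code from the article or from Mandiant: it classifies a meeting link before a user joins, treating any "zoom"-branded hostname that is not under a legitimate Zoom domain as a lookalike. The allowlist of Zoom domains and the sample URLs are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of legitimate Zoom domains (adjust for your tenant).
ALLOWED_ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def _is_under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_meeting_link(url: str) -> str:
    """Classify a meeting link as 'zoom', 'lookalike' or 'untrusted'.

    'lookalike' means the link is dressed up to look like Zoom (a hostname
    containing 'zoom' outside the allowlist, or a 'zoom.us@' userinfo
    trick) but does not actually point at an allowlisted Zoom domain.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return "untrusted"
    # Credentials in the URL (https://zoom.us@evil.example/) make the
    # real host look like a trusted one in a casual glance.
    if parts.username is not None:
        return "lookalike"
    try:
        ipaddress.ip_address(host)
        return "untrusted"  # bare IP literal is never a real Zoom link
    except ValueError:
        pass
    if any(_is_under(host, d) for d in ALLOWED_ZOOM_DOMAINS):
        return "zoom"
    if "zoom" in host:
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample invitations, not indicators from the incident.
    for link in ("https://us04web.zoom.us/j/123456789?pwd=abc",
                 "https://zoom.us.meeting-invite.example/j/123",
                 "https://zoom.us@203.0.113.5/j/1"):
        print(classify_meeting_link(link), link)
```

The same check can run on calendar invitations server-side so that lookalike links are flagged before the meeting is ever accepted.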

During the call, the victim reported seeing what appeared to be a deepfake video of a CEO from another crypto company.

“While Mandiant was unable to recover forensic evidence to independently verify the use of AI models in this specific instance, the reported ruse is similar to a previously publicly reported incident with similar characteristics, where deepfakes were also allegedly used,” the report stated.

Attack chain. Source: Google Cloud

The attackers created the impression of audio problems in the meeting to justify the next step. They instructed the victim to run troubleshooting commands on their device. Those commands, tailored for both macOS and Windows systems, secretly initiated the infection chain. As a result, several malware components were activated.

Mandiant identified seven distinct types of malware used during the attack. The tools were designed to access the keychain and steal passwords, retrieve browser cookies and login information, access Telegram session information, and obtain other private files.

Investigators assessed that the objective was twofold: to enable potential crypto theft and to harvest data that could support future social engineering attacks. The investigation revealed an unusually large volume of tooling dropped onto a single host.

AI-linked scam clusters show higher operational efficiency

The incident is part of a broader pattern. North Korean-linked actors siphoned more than $300 million by posing as trusted industry figures during fraudulent Zoom and Microsoft Teams meetings.

The scale of activity throughout the year was even more striking. As reported by Cryptopolitan, North Korean threat groups were responsible for $2.02 billion in stolen digital assets in 2025, a 51% increase from the previous year.

Chainalysis also revealed that scam clusters tied to AI service providers show higher operational efficiency than those without such links. According to the firm, this trend suggests a future in which AI becomes a standard component of most scam operations.

In a report published last November, the Google Threat Intelligence Group (GTIG) noted the threat actor’s use of generative artificial intelligence (AI) tools, such as Gemini. They use them to produce lure materials and other crypto-related messaging as part of their efforts to support their social engineering campaigns.

The group has also been observed attempting to misuse Gemini to develop code to steal crypto assets. They also leverage deepfake images and video lures mimicking individuals in the crypto industry in their campaigns to distribute a backdoor called BIGMACHO to victims by passing it off as a Zoom software development kit (SDK).

Source: https://www.cryptopolitan.com/north-korea-hackers-deepfake-hack-firms/
