A financially motivated North Korean threat actor is targeting cryptocurrency firms with novel deepfake-powered social engineering. In a blog post published this week, Google Cloud's Mandiant described a threat actor it tracks as UNC1069, active since at least 2018. In the primary incident described, the attacker used a compromised cryptocurrency executive's Telegram account to contact a secondary victim while posing as the account's true owner.
After building rapport, the attacker sent a Calendly link to schedule a 30-minute meeting. The link led to a spoofed Zoom meeting hosted on the threat actor's infrastructure, where a deepfake video was used to prompt the victim to run commands that launched an infection chain. The operation leveraged ClickFix social engineering and used large language models to develop tooling, including data miners to exfiltrate credentials and other data, with cryptocurrency theft as the end goal.
UNC1069 has shifted since 2023 toward Web3 firms and related individuals, employing a mix of legitimate platforms, LLMs, and AI-enabled editing of media to deceive targets.