North Korean actor UNC1069 is targeting the crypto sector with AI-enabled social engineering, deepfakes, and 7 new malware families.
“Mandiant has observed UNC1069 employing these techniques to target both corporate entities and individuals within the cryptocurrency industry, including software firms and their developers, as well as venture capital firms and their employees or executives,” the report said.
North Korea's crypto theft campaignThe findings highlight a broader shift in how state-linked cybercriminals are operating. Rather than relying on mass phishing campaigns, CryptoCore and similar groups are focusing on highly tailored attacks that exploit trust in routine digital interactions, such as calendar invites and video calls. In this way, North Korea is achieving larger thefts through fewer, more targeted incidents.
According to Mandiant, the attack began when the victim was contacted on Telegram by what appeared to be a known cryptocurrency executive whose account had already been compromised. After building rapport, the attacker sent a Calendly link for a 30-minute meeting that directed the victim to a fake Zoom call hosted on the group’s own infrastructure. During the call, the victim reported seeing what appeared to be a deepfake video of a well-known crypto CEO.
Once the meeting began, the attackers claimed there were audio problems and instructed the victim to run “troubleshooting” commands, a ClickFix technique that ultimately triggered the malware infection. Forensic analysis later identified seven distinct malware families on the victim’s system, deployed in an apparent attempt to harvest credentials, browser data and session tokens for financial theft and future impersonation.
Deepfake impersonation“The sender is familiar. The meeting format is routine. There is no malware attachment or obvious exploit. Trust is leveraged before any technical defence has a chance to intervene.”
Edwards said deepfake video is typically introduced at escalation points, such as live calls, where seeing a familiar face can override doubts created by unexpected requests or technical issues. “Seeing what appears to be a real person on camera is often enough to override doubt created by an unexpected request or technical issue. The goal is not prolonged interaction, but just enough realism to move the victim to the next step,” he said.
He added that AI is now being used to support impersonation outside of live calls. “It is used to draft messages, correct tone of voice, and mirror the way someone normally communicates with colleagues or friends. That makes routine messages harder to question and reduces the chance that a recipient pauses long enough to verify the interaction,” he explained.
Edwards warned the risk will increase as AI agents are introduced into everyday communication and decision-making. “Agents can send messages, schedule calls, and act on behalf of users at machine speed. If those systems are abused or compromised, deepfake audio or video can be deployed automatically, turning impersonation from a manual effort into a scalable process,” he said.
It's "unrealistic" to expect most users to know how to spot a deepfake, Edwards said, adding that, "The answer is not asking users to pay closer attention, but building systems that protect them by default. That means improving how authenticity is signalled and verified, so users can quickly understand whether content is real, synthetic, or unverified without relying on instinct, familiarity, or manual investigation.”
