North Korean Cyber Group UNC1069 Exploits AI to Target Cryptocurrency Firms
The North Korean cyber threat group UNC1069 has intensified its attacks on the cryptocurrency sector, employing advanced social engineering tactics and artificial intelligence (AI) to infiltrate Windows and macOS systems, aiming to exfiltrate sensitive data and facilitate financial theft.
According to Google Mandiant researchers Ross Inman and Adrian Hernandez, the group’s recent intrusion methods involve a multifaceted approach:
– Compromised Communication Channels: UNC1069 hijacks legitimate Telegram accounts to initiate contact with targets, posing as reputable venture capitalists or investors.
– Deceptive Virtual Meetings: They orchestrate fake Zoom meetings, directing victims to counterfeit websites that mimic the Zoom interface.
– AI-Generated Deceptions: The group utilizes AI-generated videos and deepfake technology to create convincing personas, enhancing the credibility of their schemes.
Active since at least April 2018, UNC1069 has a history of conducting social engineering campaigns for financial gain. They have been known to send fake meeting invitations and impersonate investors from reputable companies on Telegram. The cybersecurity community also tracks this group under the names CryptoCore and MASAN.
In November 2025, Google’s Threat Intelligence Group (GTIG) highlighted UNC1069’s use of generative AI tools like Gemini to craft persuasive lure materials related to cryptocurrency. These AI tools have been exploited to develop code aimed at stealing cryptocurrency and to create deepfake images and videos that impersonate individuals in the cryptocurrency industry. These deceptive materials are used to distribute a backdoor known as BIGMACHO, disguised as a Zoom software development kit (SDK).
Since at least 2023, UNC1069 has shifted its focus from traditional finance targets to the Web3 industry. Their targets now include centralized exchanges (CEX), software developers at financial institutions, high-tech companies, and individuals at venture capital funds.
Intrusion Tactics and Malware Deployment
In their latest campaign, UNC1069 has deployed up to seven unique malware families, introducing new variants such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH.
The attack sequence typically unfolds as follows:
1. Initial Contact: The threat actor reaches out to the victim via Telegram, impersonating venture capitalists or using compromised accounts of legitimate entrepreneurs and startup founders.
2. Meeting Coordination: Using scheduling tools like Calendly, they arrange a 30-minute meeting with the target.
3. Phishing Links: The victim receives a meeting link that redirects to a fake Zoom website (e.g., zoom.uswe05[.]us). In some instances, these links are shared directly through Telegram messages, often concealed using Telegram’s hyperlink feature to mask the phishing URLs.
4. Fake Video Call Interface: Upon clicking the link, the victim encounters a counterfeit Zoom interface, prompting them to enable their camera and enter their name. The interface closely resembles a genuine Zoom meeting.
5. Deepfake Videos: The videos displayed are suspected to be deepfakes or recordings of previous victims, creating the illusion of a live call. Kaspersky has identified similar campaigns under the name GhostCall, noting that victims’ webcam footage is unknowingly recorded and reused to deceive others.
6. Error Message and Malware Installation: The victim is shown a bogus error message about an audio issue and is prompted to download and run a troubleshooting command. On macOS systems, this leads to the execution of an AppleScript that installs a malicious Mach-O binary.
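The pivot in step 3 is a meeting link whose host merely resembles Zoom's. The script below is an added example for this article (not Mandiant or GTIG tooling) that classifies links pasted into chat messages by checking the registrable domain against a small allowlist; the allowlist, the refanging helper and the message samples are assumptions constructed here, and the one lookalike host used is the zoom.uswe05[.]us domain named above.

```python
"""Classify meeting links as trusted Zoom domains, Zoom lookalikes, or other.

Added example, not part of the original reporting. Assumes that genuine Zoom
meeting links only ever use the registrable domains in TRUSTED_ZOOM_DOMAINS.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: the only registrable domains that real Zoom links should use.
TRUSTED_ZOOM_DOMAINS = ("zoom.us", "zoom.com")

# Matches normal and defanged (hxxp, [.]) URLs inside free text.
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"']+")


def refang(indicator: str) -> str:
    """Undo the [.] and hxxp defanging commonly used when sharing IoCs."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase host of an http(s) URL, or None if unparseable."""
    parsed = urlparse(refang(url.strip()))
    if parsed.scheme not in ("http", "https"):
        return None
    # urlparse drops userinfo, so "https://zoom.us@evil.example/" yields
    # evil.example rather than the decoy text before the "@".
    host = (parsed.hostname or "").lower()
    return host or None


def is_trusted_host(host: str) -> bool:
    """True only for an allowlisted domain or a subdomain on a dot boundary.

    A plain substring or endswith("zoom.us") test would accept notzoom.us.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_ZOOM_DOMAINS)


def classify(url: str) -> str:
    """trusted / lookalike / untrusted / invalid for a single link."""
    host = hostname_of(url)
    if host is None:
        return "invalid"
    if is_trusted_host(host):
        return "trusted"
    if "zoom" in host:
        return "lookalike"  # borrows the brand without being under the brand's domain
    return "untrusted"


def scan_messages(messages: List[str]) -> List[Tuple[str, str]]:
    """Extract every link from chat text and return (url, verdict) pairs."""
    results = []
    for text in messages:
        for url in URL_RE.findall(text):
            results.append((url, classify(url)))
    return results


# Constructed sample messages; the lookalike host is the one named in the article.
SAMPLE_MESSAGES = [
    "Great, see you at 3pm: https://us02web.zoom.us/j/1234567890",
    "Join here: https://zoom.uswe05[.]us/j/1234567890",
    "Backup link https://zoom.us@evil.example/meeting",
]

if __name__ == "__main__":
    for url, verdict in scan_messages(SAMPLE_MESSAGES):
        print(f"{verdict:10} {url}")
```

Telegram's hyperlink feature (step 3) hides the real URL behind display text, so the scanner should be fed the link targets exported from the client, not just the visible message text.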
Malware Components and Capabilities
The deployed malware components include:
– WAVESHAPER: A C++ executable that gathers system information and delivers a Go-based downloader named HYPERCALL.
– HYPERCALL: Serves additional payloads, including:
  – HIDDENCALL: A Golang backdoor providing remote access to the compromised system and deploying a Swift-based data miner called DEEPBREATH.
  – SUGARLOADER: A C++ downloader used to deploy CHROMEPUSH.
– SILENCELIFT: A minimalist C/C++ backdoor that sends system information to a command-and-control (C2) server.
– DEEPBREATH: Manipulates macOS’s Transparency, Consent, and Control (TCC) database to gain file system access, enabling it to steal iCloud Keychain credentials and data from browsers like Google Chrome, Brave, and Microsoft Edge, as well as from Telegram and the Apple Notes application.
– CHROMEPUSH: A C++ data stealer deployed as a browser extension for Google Chrome and Brave, masquerading as a tool for editing Google Docs offline. It can record keystrokes, observe username and password inputs, and extract browser cookies.
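An extension that logs keystrokes, watches password fields and exports cookies needs a recognisable set of permissions and, when sideloaded, lacks the Web Store update URL. The audit below is an added example for this article (not Mandiant or GTIG tooling) that walks the standard Chrome and Brave profile layout on macOS and scores each manifest; the permission weights, verdict thresholds and the two sample manifests are assumptions constructed here.

```python
"""Audit installed Chrome/Brave extensions for data-stealer traits.

Added example, not part of the original reporting. Assumes the standard
profile layout Default/Extensions/<id>/<version>/manifest.json and a
hand-picked permission weighting; tune both to your environment.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, List

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Assumption: default profile locations for Chrome and Brave on macOS.
EXTENSION_ROOTS = [
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",
    Path.home() / "Library/Application Support/BraveSoftware/Brave-Browser/Default/Extensions",
]

# Capabilities a credential/cookie stealer needs. Benign extensions hold some
# of them too, so each only adds to a score rather than deciding by itself.
RISKY_PERMISSIONS = {"cookies": 3, "webRequest": 2, "tabs": 1, "scripting": 1, "clipboardRead": 2}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: Dict, location: str) -> Dict:
    """Score one manifest and explain every point awarded."""
    reasons: List[str] = []
    score = 0
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under permissions, MV3 under host_permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for perm, weight in RISKY_PERMISSIONS.items():
        if perm in perms:
            score += weight
            reasons.append(f"permission {perm}")
    if hosts & BROAD_HOST_PATTERNS:
        score += 2
        reasons.append("broad host access")
    # A content script injected into every page is how keystrokes and form
    # inputs get captured from the DOM.
    if any(set(cs.get("matches", [])) & BROAD_HOST_PATTERNS for cs in manifest.get("content_scripts", [])):
        score += 2
        reasons.append("content script injected into every page")
    from_store = manifest.get("update_url") == WEBSTORE_UPDATE_URL
    if not from_store:
        score += 3
        reasons.append("no Web Store update_url (sideloaded or unpacked)")
    name = manifest.get("name", "")
    if "docs offline" in name.lower() and not from_store:
        score += 3
        reasons.append("uses the Google Docs Offline name without coming from the Web Store")
    verdict = "suspicious" if score >= 6 else "review" if score >= 3 else "ok"
    return {"location": location, "name": name, "score": score, "reasons": reasons, "verdict": verdict}


def audit_extension_roots(roots=EXTENSION_ROOTS) -> List[Dict]:
    """Audit every manifest under the given roots, highest score first."""
    findings = []
    for root in roots:
        for manifest_path in Path(root).glob("*/*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not crash the audit
            findings.append(audit_manifest(manifest, str(manifest_path.parent)))
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample manifests (not real extensions) keyed by a made-up id.
SAMPLE_MANIFESTS = {
    "benignexampleid": {
        "name": "Google Docs Offline", "manifest_version": 3,
        "permissions": ["alarms", "storage"], "update_url": WEBSTORE_UPDATE_URL,
    },
    "stealerexampleid": {
        "name": "Google Docs Offline", "manifest_version": 3,
        "permissions": ["cookies", "webRequest", "tabs", "scripting"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    },
}


def run_demo() -> List[Dict]:
    """Write the samples into a throwaway profile layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in SAMPLE_MANIFESTS.items():
            ext_dir = Path(tmp) / ext_id / "1.0.0"
            ext_dir.mkdir(parents=True)
            (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extension_roots([Path(tmp)])


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["verdict"], finding["score"], finding["name"], "; ".join(finding["reasons"]))
```

The name check is only a heuristic: manifests may carry localisation placeholders such as `__MSG_name__` instead of a literal name, so the permission and update_url signals carry the weight. Run it against the real roots with `audit_extension_roots()` and review anything scored "review" or above.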
The deployment of multiple malware families on a single host underscores UNC1069’s determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft. While the group typically targets cryptocurrency startups, software developers, and venture capital firms, the introduction of new malware families alongside known tools like SUGARLOADER marks a significant expansion in its capabilities.
Broader Context and Implications
UNC1069’s activities are part of a broader pattern of North Korean cyber operations targeting the cryptocurrency sector. Other North Korean-linked groups have employed similar tactics:
– Sapphire Sleet: Estimated to have stolen over $10 million in cryptocurrency through AI-driven scams and malware on LinkedIn. They create fake profiles, pose as recruiters or job seekers, and use AI tools to enhance their deceptive materials.
– Kimsuky: Known for targeting diplomatic missions and using platforms like GitHub for command-and-control channels. They have also exploited AI to create deepfake military ID cards in spear-phishing campaigns.
– Moonstone Sleet: Targets developers via malicious Visual Studio Code projects, distributing malware through counterfeit npm packages and employing sophisticated phishing tactics.
These operations highlight the increasing sophistication of North Korean cyber actors, who are leveraging AI and deepfake technologies to enhance the effectiveness of their social engineering campaigns. The use of AI-generated content allows them to create more convincing lures, increasing the likelihood of successful intrusions.
Recommendations for Mitigation
Organizations, especially those in the cryptocurrency and financial sectors, should implement the following measures to mitigate the risk of such attacks:
– Employee Training: Educate staff about the risks of social engineering and the tactics used by threat actors, including the use of AI-generated content and deepfakes.
– Verification Protocols: Establish strict protocols for verifying the identities of individuals and organizations before engaging in virtual meetings or sharing sensitive information.
– Security Tools: Deploy advanced security solutions capable of detecting and blocking phishing attempts, malware, and unauthorized access.
– Regular Updates: Keep all systems and software up to date to protect against known vulnerabilities that could be exploited by attackers.
– Incident Response Plan: Develop and regularly update an incident response plan to quickly address and mitigate the impact of security breaches.
By staying vigilant and implementing robust security measures, organizations can better protect themselves against the evolving threats posed by groups like UNC1069.