How Are Attackers Targeting Crypto Firms?

Threat actors linked to North Korea have escalated social engineering attacks against cryptocurrency and fintech companies, deploying new malware designed to harvest sensitive data and access digital assets, according to a Tuesday report from Mandiant, the cybersecurity unit operating under Google Cloud.

The campaign, attributed to a cluster tracked as UNC1069, relied on compromised Telegram accounts and staged Zoom meetings featuring deepfake video feeds generated with artificial intelligence tools. The attackers used these interactions to trick victims into executing malicious commands on their own systems.

“This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH,” the report states.

Mandiant said the activity reflects a broader expansion of the group’s operations, which have primarily focused on crypto companies, software developers and venture capital firms.

Investor Takeaway

AI-enhanced social engineering is lowering the barrier to sophisticated intrusions, raising operational risk for crypto firms that rely heavily on remote communication and founder-led access controls.

What Makes This Campaign Different?

The malware toolkit included two newly identified data-mining strains, CHROMEPUSH and DEEPBREATH. According to Mandiant, these tools are designed to bypass key operating system components and extract personal and system-level data.

UNC1069 has been tracked since 2018, but researchers noted that advances in AI have enabled the group to scale its tactics. In a separate report published in November 2025, the Google Threat Intelligence Group said the actor introduced “AI-enabled lures in active operations” for the first time.

The use of deepfake video calls represents a tactical refinement. Rather than relying solely on phishing emails or malicious links, attackers are embedding themselves into real-time conversations, increasing credibility and reducing suspicion during the initial stages of compromise.

What Is a ClickFix Attack?

In one case described by Mandiant, attackers gained access to a crypto founder’s Telegram account and used it to contact another target. The victim was invited to a Zoom meeting featuring a fabricated video feed, where the attacker claimed to be experiencing audio issues.

To resolve the supposed problem, the attacker instructed the victim to run troubleshooting commands. Hidden within those instructions was a single embedded command that initiated the infection chain, a tactic known as a ClickFix attack.

Because the command is executed directly by the user, traditional warning signs can be bypassed. The infection then deploys additional malware components designed to extract credentials, wallet data, and other sensitive information.

Investor Takeaway

Founder accounts and internal messaging platforms remain high-value entry points. Security controls that rely solely on link filtering or email scanning may not detect command-based social engineering.

Why Does North Korea Remain a Persistent Threat to Crypto?

Actors linked to North Korea have long targeted the crypto sector as a source of funding. Beyond social engineering, state-linked groups have been associated with infiltration schemes and large-scale exchange hacks.

In June 2025, four North Korean operatives reportedly entered multiple crypto startups as freelance developers and stole a combined $900,000. Earlier in the year, the Lazarus Group was connected to the $1.4 billion breach of Bybit, one of the largest crypto thefts recorded.

The latest campaign shows a blend of long-standing tactics with newer AI tools. As digital asset firms continue to operate globally with distributed teams and rapid onboarding processes, adversaries are adapting their methods to exploit trust-based communication channels.

Mandiant did not provide additional attribution details before publication. However, the combination of malware development, social engineering, and AI-driven impersonation suggests a coordinated effort that extends beyond opportunistic fraud.