How North Korea-Backed UNC1069 Hackers Use AI Deepfakes to Target Crypto Firms

11-Feb-2026 Blockmanity

A New Wave of Cyber Threats Hits the Crypto World

Cryptocurrency companies face a growing danger from state-sponsored hackers. A group linked to is using smart tricks with AI to trick people and steal money. These attacks aim at Windows and Mac computers to grab private data like passwords and wallet info. The goal? Empty crypto wallets and cause big losses.

This is not a simple scam. It mixes fake online chats, phony video calls, and new malware. Crypto firms, startups, and investors must stay alert. In this post, we break down how these attacks work, what tools the hackers use, and how to protect yourself.

Who Are the UNC1069 Hackers?

UNC1069 is a cyber group tied to North Korea. They have been active since 2018. Experts call them CryptoCore or MASAN too. At first, they hit banks and traditional finance with email tricks. But since 2023, they switched to the crypto space.

Why crypto? It’s full of money, hot projects, and people eager for deals. Hackers pose as big investors on Telegram. They target exchanges, developers, tech firms, and venture funds. Their main aim is to steal funds through data theft.

The Step-by-Step Attack: From Telegram to Malware

The attack starts on Telegram. Hackers use fake or stolen accounts of real business people, like startup founders or VCs. They chat up victims, build trust, then suggest a quick 30-minute meeting via Calendly.

The meeting link looks real but leads to a fake site like “zoom.uswe05[.]us”. It hides behind Telegram links. Click it, and you see a Zoom copycat page. It asks to turn on your camera and type your name.

Once “in” the meeting, you see what looks like a live call. But it’s fake! Videos are AI-made deepfakes or recordings from past victims. Hackers secretly record cams from earlier hits and reuse them. This creates a real-feeling call. Other experts call this “GhostCall”.

Then, a fake error pops up: “Audio problem! Run this fix.” It’s a ClickFix trick. Victims run commands that drop malware.

  • On Mac: An AppleScript loads a bad file called WAVESHAPER. This C++ tool checks your system and downloads more bad stuff via HYPERCALL.
  • On Windows: Similar steps lead to data grabs.

New Malware Families in Action

These hackers use up to seven malware types per attack. Many are brand new, showing their growing skills.

DEEPBREATH

This tool messes with Mac’s TCC settings for full file access. It steals:

  • iCloud Keychain logins
  • Data from Chrome, Brave, Edge browsers
  • Telegram chats
  • Apple Notes

CHROMEPUSH

A C++ stealer as a fake Chrome/Brave extension. Pretends to edit Google Docs offline. It:

  • Logs keystrokes
  • Watches login entries
  • Grabs browser cookies and tokens

Other tools like SILENCELIFT, SUGARLOADER, and more pile on. They hunt credentials, session info, and crypto keys for account takeovers.

AI Makes It Scarier: Deepfakes and Code Help

UNC1069 loves AI. They use tools like Gemini to:

  • Make fake crypto messages and lures
  • Create deepfake videos of industry pros
  • Even write code for crypto theft

Deepfakes fool eyes. A video of a “real” investor nodding along feels legit. Plus, they pass malware as Zoom SDKs with backdoors like BIGMACHO.

This shift to Web3 shows hackers adapt fast. Crypto’s speed and riches draw them in.

Why Crypto Firms Are Prime Targets

Crypto has weak spots:

  • Fast deals mean rushed checks
  • Telegram is key for chats, easy to fake
  • Wallets hold millions, no banks to stop theft

One breach can drain funds in minutes. Victims lose not just money but trust and projects.

How to Defend Against These AI-Powered Attacks

Don’t be the next victim. Simple steps work:

  1. Verify Contacts: Check LinkedIn, company sites. Call back on official numbers.
  2. Spot Fake Links: Hover over URLs. No weird domains like zoom.uswe05.us.
  3. Never Run Unknown Commands: Audio issues? Restart or use real Zoom.
  4. Use Security Tools: Antivirus, browser blockers. Enable TCC on Mac.
  5. 2FA Everywhere: Hardware keys for wallets.
  6. Train Teams: Spot social engineering. No cam for strangers.
  7. Monitor Networks: Watch for odd downloads or data grabs.

For devs: Audit browser extensions. Use password managers with alerts.

The Bigger Picture: State Hackers in Crypto

North Korea funds weapons via crypto thefts. Groups like UNC1069 steal billions yearly. As AI gets better, attacks will too. Crypto must level up security.

Regulators push for better rules. Firms adopt zero-trust models. Stay informed – threats evolve daily.

Stay Safe in the Crypto Wild West

shows no mercy. Their AI deepfakes and malware mix is deadly. But knowledge is power. Check meetings, run safe software, and protect data.

Share this if it helps. Follow for more crypto security tips. What’s your biggest worry? Comment below!


Discuss this news on our Telegram Community. Subscribe to us on Google news and do follow us on Twitter @Blockmanity

Did you like the news you just read? Please leave a feedback to help us serve you better

Disclaimer: Blockmanity is a news portal and does not provide any financial advice. Blockmanity's role is to inform the cryptocurrency and blockchain community about what's going on in this space. Please do your own due diligence before making any investment. Blockmanity won't be responsible for any loss of funds.

The post How North Korea-Backed UNC1069 Hackers Use AI Deepfakes to Target Crypto Firms appeared first on Blockmanity.

Also read: Tesla (TSLA) Stock: Automaker Partners with Tencent Cloud for China EV Features
Previous Next
WHAT'S YOUR OPINION?
Related News