North Korean hackers are now targeting crypto firms with several malware deployed alongside multiple scams, including fake Zoom meetings.

The North Korean threat actor known as UNC1069 has been observed targeting the crypto sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft. UNC1069 was assessed to be active from April 2018. It has a history of running social engineering campaigns for financial gain using fake meeting invites and posing as investors from reputable companies.

North Korean hackers target firms with deepfake Zoom calls

In its latest report, Google Mandiant researchers detailed their investigation into an intrusion targeting a FinTech company in the crypto industry. According to investigators, the intrusion began with a compromised Telegram account belonging to a crypto industry executive. The attackers used the hijacked profile to contact the victim.

They gradually built trust before sending a Calendly invitation for a video meeting. The meeting link directed the target to a fake Zoom domain hosted on infrastructure under the threat actors’ control. During the call, the victim reported seeing what appeared to be a deepfake video of a CEO from another crypto company.

“While Mandiant was unable to recover forensic evidence to independently verify the use of AI models in this specific instance, the reported ruse is similar to a previously publicly reported incident with similar characteristics, where deepfakes were also allegedly used,” the report stated.

AI-link scams are on the rise

The attackers created the impression of audio problems in the meeting to justify the next step. They instructed the victim to run troubleshooting commands on their device. Those commands, tailored for both macOS and Windows systems, secretly initiated the infection chain. As a result, several malware components were activated. Mandiant identified seven distinct types of malware used during the attack.

The tools were designed to access keychain and steal passwords, retrieve browser cookies and login information, access Telegram session information, and obtain other private files. Investigators assessed that the objective was twofold: To enable potential crypto theft and harvest data that could support future social engineering attacks. The investigation revealed an unusually large volume of tooling dropped onto a single host.

The incident is part of a broader pattern. North Korean-linked actors siphoned more than $300 million by posing as trusted industry figures during fraudulent Zoom and Microsoft Teams meetings. The scale of activity throughout the year was even more striking. As reported by Cryptopolitan, North Korean threat groups were responsible for $2.02 billion in stolen digital assets in 2025, a 51% increase from the previous year.

The post North Korean hackers deploy deepfake calls to hack crypto firms first appeared on Coinfea.