North Korea-linked threat actors are escalating social engineering campaigns targeting cryptocurrency and fintech companies, deploying new malware designed to harvest sensitive data and steal digital assets.
In a recent campaign, a threat cluster tracked as UNC1069 deployed seven malware families aimed at capturing and exfiltrating victim data, according to a Tuesday report by Mandiant, a US cybersecurity firm Mandiant which operates under Google Cloud.
The campaign relied on social engineering schemes involving compromised Telegram accounts and fake Zoom meetings with deepfake videos generated through artificial intelligence tools.
“This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH,” the report states.
Threat actor UNC1069, attack chain. Source: Mandiant/Google Cloud
Related: CZ sounds alarm as ‘SEAL’ team uncovers 60 fake IT workers linked to North Korea
Mandiant said the activity represents an expansion of the group’s operations, primarily targeting crypto firms, software developers and venture capital companies.
The malware included two newly discovered, sophisticated data-mining viruses, named CHROMEPUSH and DEEPBREATH, which are designed to bypass key operating system components and gain access to personal data.
The threat actor with “suspected” North Korean ties has been tracked by Mandiant since 2018, but AI advancements helped the malicious actor scale up his efforts and include “AI-enabled lures in active operations” for the first time in November 2025, according to a report at the time from the Google Threat Intelligence Group.
Cointelegraph contacted Mandiant for additional details regarding the attribution, but had not received a response by publication.
Related: Balancer hack shows signs of months-long planning by skilled attacker
Attackers are stealing crypto founder accounts to launch ClickFix attacks
In one intrusion outlined by Mandiant, attackers used a compromised Telegram account belonging to a crypto founder to initiate contact. The victim was invited to a Zoom meeting featuring a fabricated video feed in which the attacker claimed to be experiencing audio problems.
The attacker then directed the user to run troubleshooting commands in their system to fix the purported audio issue in a scam known as a ClickFix attack.
The provided troubleshooting commands had embedded a hidden single command that initiated the infection chain, according to Mandiant.
UNC1069 victimology map. Source: Mandiant/Google Cloud
North Korea-linked illicit actors have been a persistent threat to both crypto investors and Web3-native companies.
In June 2025, four North Korean operatives infiltrated multiple crypto firms as freelance developers, stealing a cumulative $900,000 from these startups, Cointelegraph reported.
Earlier that year, the Lazarus Group was linked to the $1.4 billion hack of Bybit, one of the largest crypto thefts on record.
Magazine: Coinbase hack shows the law probably won’t protect you — Here’s why
Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently. Read our Editorial Policy https://cointelegraph.com/editorial-policy
