North Korean Hackers Deploy AI Deepfakes in Sophisticated Cryptocurrency Heist

North Korean threat actor UNC1069 executed a complex attack against cryptocurrency targets using AI-generated deepfakes, compromised social media accounts, and seven distinct malware families. The operation demonstrates how cybercriminals now weaponize artificial intelligence for financial theft.

The Attack Unfolds

UNC1069 initiated contact through a compromised Telegram account belonging to a cryptocurrency executive. After building rapport, attackers sent a Calendly meeting link that redirected victims to a fake Zoom meeting hosted on malicious infrastructure.

During the video call, victims encountered what appeared to be a deepfake video of another cryptocurrency CEO. The attackers used this AI-generated content to create a convincing scenario where audio problems required “troubleshooting” commands.

The fake technical support led to a ClickFix attack—a social engineering technique where victims run malicious commands disguised as system fixes. These commands initiated a complex infection chain deploying multiple data harvesting tools.

Seven-Stage Malware Arsenal

The attack deployed an unprecedented seven malware families on a single target:

WAVESHAPER served as the initial backdoor, downloading additional components and collecting system information including hardware details, running processes, and recently installed software.

HYPERCALL acted as a sophisticated downloader written in Go, using RC4 encryption and reflective loading to deploy payloads directly into memory without touching disk storage.

HIDDENCALL provided hands-on keyboard access, enabling attackers to execute commands, transfer files, and maintain persistent control over compromised systems.

DEEPBREATH bypassed macOS security by manipulating the Transparency, Consent, and Control database. This Swift-based tool gained broad file system access to steal credentials from Keychain, browser data from Chrome and Edge, and user data from Telegram and Apple Notes.

SUGARLOADER established persistence through a launch daemon that executed during system startup, masquerading as a legitimate Apple system updater.

CHROMEPUSH installed malicious browser extensions in Chrome and Brave, capturing keystrokes, login credentials, and cookies while appearing as a Google Docs offline editing tool.

SILENCELIFT maintained a minimal footprint while beaconing system status and lock screen information to command-and-control servers.

Technical Sophistication

The malware demonstrated advanced evasion techniques. HYPERCALL used reflective loading to execute payloads in memory, avoiding detection by traditional file-based security tools. When Apple’s Rosetta translation layer processed the x86_64 code, it created cache files that Mandiant analysts used to reconstruct the attack chain.

DEEPBREATH exploited macOS Finder’s Full Disk Access permissions to modify security databases directly. The malware staged TCC database modifications in temporary locations, injected permissions, then restored the modified database—effectively granting itself unrestricted file access.
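A defender-side check for the TCC tampering described above, added here as an example that is not part of the original article or of any Mandiant tooling: it queries the `access` table of a TCC database for Full Disk Access grants held by clients that do not look like Apple's own, which is the kind of entry a stage-inject-restore operation leaves behind. The in-memory table is a constructed, simplified subset of the real TCC.db schema, and the Apple-owned prefixes are an assumption used as a heuristic allow-list.

```python
import sqlite3

FULL_DISK_ACCESS = "kTCCServiceSystemPolicyAllFiles"
AUTH_ALLOWED = 2  # auth_value for "allowed" in the TCC access table (macOS 11 and later)
# Heuristic: bundle ids / paths assumed to belong to Apple (assumption, not an authoritative list).
APPLE_BUNDLE_PREFIX = "com.apple."
APPLE_PATH_PREFIXES = ("/System/", "/usr/")


def find_suspicious_fda_grants(conn: sqlite3.Connection) -> list:
    """Return (client, client_type) pairs that hold Full Disk Access without looking Apple-owned."""
    rows = conn.execute(
        "SELECT client, client_type FROM access WHERE service = ? AND auth_value = ?",
        (FULL_DISK_ACCESS, AUTH_ALLOWED),
    ).fetchall()
    suspicious = []
    for client, client_type in rows:
        # client_type 0 = bundle identifier, 1 = absolute path of an executable
        if client_type == 0 and client.startswith(APPLE_BUNDLE_PREFIX):
            continue
        if client_type == 1 and client.startswith(APPLE_PATH_PREFIXES):
            continue
        suspicious.append((client, client_type))
    return suspicious


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db with only the columns the check needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
        " auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", [
        (FULL_DISK_ACCESS, "com.apple.example-agent", 0, 2, 4, 1700000000),   # Apple bundle, allowed
        (FULL_DISK_ACCESS, "/usr/sbin/sshd", 1, 2, 4, 1700000000),           # Apple path, allowed
        (FULL_DISK_ACCESS, "/Users/Shared/.cache/updater", 1, 2, 4, 1700000000),  # constructed: suspicious
        (FULL_DISK_ACCESS, "com.example.backup", 0, 0, 4, 1700000000),        # third party, denied
        ("kTCCServiceCamera", "com.example.meetings", 0, 2, 4, 1700000000),   # not Full Disk Access
    ])
    return conn


if __name__ == "__main__":
    for client, ctype in find_suspicious_fda_grants(build_sample_db()):
        print(f"Full Disk Access held by non-Apple client: {client} (client_type={ctype})")
```

On a real system the same query runs against /Library/Application Support/com.apple.TCC/TCC.db, which itself requires Full Disk Access to read.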

AI Integration Expands

This attack represents UNC1069’s evolution from using AI for basic productivity to deploying AI-generated content in active operations. Previous reports documented the group using tools like Gemini for code development and operational research.

The suspected use of deepfake technology marks a concerning escalation. While Mandiant couldn’t forensically verify the AI-generated video, the reported technique aligns with similar incidents where deepfakes enabled convincing impersonation of trusted figures.

Defending Against AI-Enhanced Attacks

Organizations should implement several defensive measures:

Verify meeting authenticity through a second, independent communication channel before joining video calls, especially when a supposed technical issue is used to justify running system commands.

Monitor for persistence mechanisms like unexpected launch daemons in /Library/LaunchDaemons/ with Apple-like naming conventions.

Watch for TCC database modifications and unusual file access patterns, particularly tools requesting broad permissions without clear justification.

Deploy behavioral detection that identifies reflective loading, memory-only execution, and unusual network communication patterns.

Train employees to recognize social engineering tactics, including requests to run terminal commands for “troubleshooting” purposes.
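The launch daemon check from the list above, written out as an added example that is not from the original article or any vendor tool: it parses LaunchDaemon plists and flags Apple-like labels that run binaries outside Apple-owned directories, or RunAtLoad daemons that execute from user-writable paths, the pattern a SUGARLOADER-style "system updater" persistence would produce. The directory prefixes are a heuristic assumption, and the sample plists are constructed stand-ins for the contents of /Library/LaunchDaemons/.

```python
import plistlib

# Heuristic allow-list of directories from which Apple's own daemons run (assumption for this example).
APPLE_EXEC_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "/private/var/folders/")


def audit_launch_daemon(plist_bytes: bytes) -> list:
    """Return the reasons a LaunchDaemon plist looks like it masquerades as an Apple updater."""
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    reasons = []
    apple_like = label.startswith("com.apple.") or "apple" in label.lower()
    if apple_like and not program.startswith(APPLE_EXEC_PREFIXES):
        reasons.append(f"Apple-like label {label!r} runs a non-Apple binary {program!r}")
    if plist.get("RunAtLoad") and program.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"RunAtLoad daemon executes from a user-writable path {program!r}")
    return reasons


def audit_all(plists: dict) -> dict:
    """Map each plist file name to its findings, keeping only files that produced at least one."""
    findings = {name: audit_launch_daemon(data) for name, data in plists.items()}
    return {name: reasons for name, reasons in findings.items() if reasons}


def _plist(label: str, program: str, run_at_load: bool) -> bytes:
    return plistlib.dumps({"Label": label, "ProgramArguments": [program], "RunAtLoad": run_at_load})


# Constructed sample plists (not real files) standing in for /Library/LaunchDaemons/.
SAMPLE_DAEMONS = {
    "com.apple.example-daemon.plist": _plist("com.apple.example-daemon", "/usr/libexec/example-daemon", True),
    "com.apple.update.helper.plist": _plist("com.apple.update.helper", "/Users/Shared/.cache/updater", True),
    "com.example.backup.plist": _plist("com.example.backup", "/Library/Application Support/Backup/agent", True),
}

if __name__ == "__main__":
    for name, reasons in audit_all(SAMPLE_DAEMONS).items():
        print(name, "->", "; ".join(reasons))
```

To run it against a live host, read each *.plist under /Library/LaunchDaemons/ into the dict in place of SAMPLE_DAEMONS; findings are a triage queue to confirm against code signatures, not a verdict.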

The Broader Threat

UNC1069’s campaign highlights how nation-state actors adapt cutting-edge technology for financial gain. The group’s focus on cryptocurrency targets reflects the sector’s high-value digital assets and often limited security controls.

The deployment of seven malware families against a single target indicates extraordinary determination to harvest credentials and session tokens for financial theft. This level of investment suggests significant potential returns from successful cryptocurrency heists.

Security teams must prepare for increasingly sophisticated attacks that blend AI-generated content, advanced malware, and social engineering. The convergence of these techniques creates new attack vectors that traditional defenses may struggle to detect.

Organizations in the cryptocurrency sector should implement enhanced verification procedures for external communications and deploy comprehensive endpoint detection capabilities that can identify memory-based attacks and behavioral anomalies.