Google: North Korean hackers use AI-deepfakes to target crypto





Google’s (NASDAQ: GOOGL) cybersecurity firm, Mandiant, has warned that North Korean “threat actors” are evolving their techniques targeting digital currency and decentralized finance (DeFi), including the use of artificial intelligence–generated deepfakes to deceive victims in fake Zoom videos.

Mandiant, a subsidiary of Google, released a threat intelligence report on Monday, saying it recently investigated an attack attributed to the North Korea-linked hacking group “UNC1069.”

The attackers deployed a “social engineering scheme” involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector—a technique that exploits human error through fake prompts, leading users to unknowingly run malicious commands—and, reportedly, AI-generated video.

The victim, a fintech entity, was contacted via Telegram through the account of an executive of a digital currency company that UNC1069 had compromised. The hackers then built rapport with the victim before sending them a Calendly link to schedule a 30-minute meeting. The meeting link directed the victim to a spoofed Zoom meeting hosted on the hacker’s infrastructure.

This scheme is not entirely unusual. However, the concerning innovation was that the victim reportedly told Mandiant that, during the call, they were presented with a video of a CEO from another digital currency company that appeared to be a deepfake.

While Mandiant was unable to recover forensic evidence to independently verify the use of AI models “in this specific instance,” it said the ruse was similar to a previously reported incident with matching characteristics, where deepfakes were also allegedly used.

“North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals,” Google’s blog post read. “The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft.”

It added that “while UNC1069 typically targets cryptocurrency startups, software developers, and venture capital firms, the deployment of multiple new malware families… marks a significant expansion in their capabilities.”

According to Mandiant, the introduction of new tactics, such as the use of AI-deepfakes, builds upon a shift first documented in Google’s November 2025 publication “AI Threat Tracker: Advances in Threat Actor Usage of AI Tools,” in which the Google Threat Intelligence Group (GTIG) identified UNC1069’s transition from using AI for simple productivity gains to deploying novel AI-enabled lures in active operations.

North Korea’s active digital currency hackers

Over the past few years, the digital asset sector has become a popular money-making avenue for the heavily sanctioned. North Korea, the third most sanctioned country in the world, is no exception, and its state-backed digital currency hacking operations have been among the most prolific and successful.

In 2023, a U.S.-based cybersecurity firm, Recorded Future, released a report on North Korea’s efforts over the previous six years that suggested it had generated over $3 billion.

This trend has arguably accelerated. According to blockchain analytics firm Chainalysis, North Korean hackers stole $1.34 billion in digital assets across 47 incidents in 2024, accounting for 61% of the total amount stolen that year.

In December of that year, the U.S. Federal Bureau of Investigation (FBI) announced that North Korean cyber actors were behind the $308 million digital asset theft from a Japan-based digital asset firm, DMM Bitcoin.

This activity led, the following month, to South Korea imposing sanctions on 15 members of North Korean IT organizations and one related company involved in illicit cyber activities, including digital asset heists.

In February 2025, the notorious North Korea-linked hacking group “Lazarus” pulled off a record windfall, hacking digital asset exchange Bybit for over $1.4 billion in Ethereum (ETH), the largest exploit of its kind—crypto or otherwise.

By August, it was revealed that the innovative hacking armies of North Korea had now turned to the international job market as their latest attack vector, using AI to pose as remote IT workers and offering fake IT jobs to gain access to Western companies’ cloud systems.

The growing use of AI tools highlighted by Google marks just the latest evolution of North Korea’s lucrative hacking and sanctions-evasion efforts.
