A North Korea–nexus threat actor is enhancing its social engineering playbook. The group is integrating AI-enabled lures into crypto-focused hacks, according to a new report from Google’s Mandiant team.
The operation reflects a continued evolution in state-linked cyber activity targeting the digital asset sector, which saw a notable increase in 2025.
Fake Zoom Call Triggers Malware Attack on Crypto Firm
In its latest report, Mandiant detailed its investigation into an intrusion targeting a FinTech company in the cryptocurrency sector. The attack was attributed to UNC1069. It is a financially motivated threat group active since at least 2018, with links to North Korea.
“Mandiant has observed this threat actor evolve its tactics, techniques, and procedures (TTPs), tooling, and targeting. Since at least 2023, the group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry, such as centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds,” the report read.
According to investigators, the intrusion began with a compromised Telegram account belonging to a crypto industry executive. The attackers used the hijacked profile to contact the victim. They gradually built trust before sending a Calendly invitation for a video meeting.
The meeting link directed the target to a fake Zoom domain hosted on infrastructure controlled by the threat actors. During the call, the victim reported seeing what appeared to be a deepfake video of a CEO from another cryptocurrency company.
“While Mandiant was unable to recover forensic evidence to independently verify the use of AI models in this specific instance, the reported ruse is similar to a previously publicly reported incident with similar characteristics, where deepfakes were also allegedly used,” the report added.
The attackers created the impression of audio problems in the meeting to justify the next step. They instructed the victim to run troubleshooting commands on their device.
Those commands, tailored for both macOS and Windows systems, secretly initiated the infection chain. This led to the deployment of multiple malware components.
Crypto Attack Flow From Social Engineering to Multi-Stage Malware Deployment. Source: Google
Mandiant identified seven distinct malware families deployed during the intrusion. The tools were designed to steal Keychain credentials, extract browser cookies and login data, access Telegram session information, and collect other sensitive files.
Investigators assessed that the objective was twofold: to enable potential cryptocurrency theft and harvest data that could support future social engineering attacks.
The investigation revealed an unusually large volume of tooling dropped onto a single host. This suggested a highly targeted effort to harvest as much data as possible from the compromised individual.
The incident is part of a broader pattern rather than a standalone case. In December 2025, BeInCrypto reported that North Korean-linked actors siphoned more than $300 million by posing as trusted industry figures during fraudulent Zoom and Microsoft Teams meetings.
The scale of activity throughout the year was even more striking. In total, North Korean threat groups were responsible for $2.02 billion in stolen digital assets in 2025, a 51% increase from the previous year.
Chainalysis also revealed that scam clusters tied on-chain to AI service providers show significantly higher operational efficiency than those without such links. According to the firm, this trend suggests a future in which AI becomes a standard component of most scam operations.
With AI tools growing more accessible and advanced, creating convincing deepfakes is easier than ever. The coming time will test whether the crypto sector can adapt its security fast enough to confront these advanced threats.
The post How North Korean Hackers Turn Deepfake Zoom Calls Into Crypto Heists appeared first on BeInCrypto.