February 11 News, Google’s security team Mandiant disclosed that a North Korea-linked hacker group is using deepfake videos and fake Zoom calls to carry out highly targeted social engineering attacks against the cryptocurrency industry, and is deploying multiple malicious programs to steal assets and data.
The investigation shows that this operation was launched by the cyber threat group UNC1069. The group has been active since at least 2018 and shifted its focus from traditional finance to the Web3 space after 2023, targeting executives of crypto financial technology companies, software developers, and venture capital professionals. The incident began when an industry executive’s Telegram account was hijacked. The attacker impersonated the individual to contact targets, build trust, and then send fake Calendly video meeting invitations.
After victims clicked the link, they were directed to a fake Zoom domain controlled by the attacker. During the call, the attacker played a deepfake video of what appeared to be the CEO of another crypto company, and claimed there was an “audio malfunction,” tricking the target into running a supposed troubleshooting command on their computer. These commands triggered an infection chain on macOS and Windows systems, silently deploying up to seven malicious software programs.
Mandiant confirmed that these tools can steal Keychain credentials, browser cookies, login information, Telegram sessions, and local sensitive files. Researchers believe that the attackers aim both to directly acquire crypto assets and to gather intelligence for future scams. Deploying so many tools on a single device indicates a carefully planned targeted infiltration.
This incident is not isolated. By 2025, similar AI conference scams had caused losses exceeding $300 million; throughout the year, cyber operations related to North Korea stole approximately $2.02 billion in digital assets, a 51% increase. Chainalysis also pointed out that scam groups utilizing on-chain AI services are significantly more efficient than traditional methods.
As the barrier to deepfake technology continues to lower, the crypto industry faces unprecedented security challenges. Experts warn that online meetings involving funds and system permissions must strengthen multi-factor authentication and device isolation; otherwise, they could become the next attack vector.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Litecoin Reorg Undoes MWEB Privacy Layer Exploit
Litecoin underwent a deep chain reorganization on Saturday after attackers exploited a zero-day vulnerability in its MimbleWimble Extension Block (MWEB) privacy layer, according to the Litecoin Foundation. The incident resulted in a three-hour reorg that erased invalid transactions from the
CryptoFrontier4h ago
North Korean IT Workers Laptop Farm Scam: US Co-Conspirator Sentenced to 7–9 Years, Netting $2.8 Billion Over Two Years
Fortune reported that North Korea used laptop farms inside the United States, generating about $2.8 billion in revenue over two years to support nuclear weapons; annual tribute is $250–600 million. The U.S. citizen suspects Kejia Wang and Zhenxing Wang were each sentenced to 7.5 years and 9 years, respectively, for involvement exceeding 100 companies and 80 cases of identity theft. North Korea operated in the U.S. using U.S. identities and fixed devices, with funds mostly being converted via cryptocurrencies. Experts warn that an accomplice network still exists inside the country, and companies must strengthen identity verification, address tracking, and time zone/IP analysis.
ChainNewsAbmedia8h ago
Hong Kong Police Warn of Surge in Crypto Scams; Two Women Lose $1.24M in Recent Weeks
Gate News message, April 25 — Two Hong Kong women lost a combined HK$9.7 million (US$1.24 million) to crypto scammers over recent weeks, prompting local police to issue a public warning. Hong Kong police reported more than 80 fraud cases in a single week, with total losses exceeding HK$80 million (U
GateNews8h ago
Aave Proposes 25,000 ETH for Kelp DAO Exploit Relief Fund
Aave service providers put forth a governance proposal on Friday that would contribute 25,000 ETH worth nearly $58 million from the protocol's DAO to DeFi United, a coordinated relief effort to restore backing for rsETH following the Kelp DAO exploit. The proposed contribution aims to close the rema
CryptoFrontier8h ago
Android Malware Families Target 800+ Banking, Crypto Apps With Near-Zero Detection Rates: Zimperium
Gate News message, April 25 — Cybersecurity firm Zimperium has identified four active malware families—RecruitRat, SaferRat, Astrinox and Massiv—targeting over 800 applications across banking, cryptocurrency and social media sectors. The campaigns employ advanced anti-analysis techniques and
GateNews11h ago
TRADOOR Token Crashes 90% in 30 Minutes Amid Suspected Price Manipulation and Wash Trading
Gate News message, April 25 — TRADOOR token experienced a sharp 90% price crash over 30 minutes at 2:00 AM today, according to on-chain analyst Specter. The token had surged as much as 900% since March 2026 before the sudden collapse, raising suspicions of price manipulation and coordinated
GateNews12h ago
