February 11 news: Mandiant, Google's security arm, disclosed that a North Korea-linked hacking group is using deepfake videos and fake Zoom calls to run highly targeted social-engineering attacks against the cryptocurrency industry, deploying multiple pieces of malware to steal assets and data.
The investigation attributes the operation to the cyber threat group UNC1069. The group has been active since at least 2018 and, after 2023, shifted its focus from traditional finance to the Web3 space, targeting executives at crypto fintech companies, software developers, and venture capital professionals. The campaign began with the hijacking of an industry executive's Telegram account. The attacker impersonated that person to contact targets, build trust, and then send fake Calendly video-meeting invitations.
When victims clicked the link, they were taken to a fake Zoom domain controlled by the attacker. During the call, the attacker played a deepfake video of what appeared to be the CEO of another crypto company, then claimed there was an "audio malfunction" and talked the target into running a supposed troubleshooting command on their own computer. Those commands started an infection chain on macOS and Windows that silently deployed up to seven pieces of malware.
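The lure in this campaign depends on two things the target could have checked: the meeting link pointed at a domain that merely resembled Zoom, and no genuine video platform ever asks a participant to paste a command into a terminal to fix audio. The following script is an added example, not code from the article or from Mandiant, showing how to validate a meeting invitation's host against an allowlist before joining. The allowlist and the sample links are assumptions constructed for illustration; they are not the attacker's real domains. The check deliberately matches whole registrable domains (and their subdomains) rather than substrings, so lookalikes such as a "zoom.us" label buried inside another domain, a hyphenated variant, or a "zoom.us@" userinfo prefix in front of the real host are all rejected.

```python
from urllib.parse import urlsplit

# Assumption (not from the article): the meeting hosts this organisation accepts.
# Real Zoom links land on a zoom.us subdomain such as us05web.zoom.us, so the check
# allows each listed registrable domain and any subdomain beneath it, nothing else.
ALLOWED_MEETING_DOMAINS = ("zoom.us", "teams.microsoft.com", "meet.google.com")


def _is_subdomain_of(host: str, domain: str) -> bool:
    """True if host equals domain or ends with '.' + domain (no substring matching)."""
    return host == domain or host.endswith("." + domain)


def classify_meeting_link(url: str) -> str:
    """Return 'allow' or a 'reject: <reason>' string for a meeting invitation URL."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "reject: scheme is not https"
    # urlsplit().hostname lowercases the host, drops the port and discards any
    # 'user@' prefix, so 'https://zoom.us@evil.example/' resolves to evil.example.
    host = parts.hostname
    if not host:
        return "reject: no host in URL"
    host = host.rstrip(".")
    # Internationalised (punycode) labels can render as visual lookalikes; do not
    # auto-allow them even if the decoded form resembles an allowed domain.
    if host.startswith("xn--") or ".xn--" in host:
        return "reject: punycode host, inspect manually"
    if any(_is_subdomain_of(host, d) for d in ALLOWED_MEETING_DOMAINS):
        return "allow"
    return "reject: host not on the meeting allowlist"


# Constructed sample invitations for illustration; none of these are real attacker domains.
SAMPLE_LINKS = {
    "https://us05web.zoom.us/j/1234567890": "allow",
    "https://ZOOM.US/j/1234567890": "allow",
    "https://zoom.us.meeting-join.example/j/1234567890": "reject: host not on the meeting allowlist",
    "https://zoom-us.example/j/1234567890": "reject: host not on the meeting allowlist",
    "https://zoom.us@evil.example/j/1234567890": "reject: host not on the meeting allowlist",
    "http://zoom.us/j/1234567890": "reject: scheme is not https",
}

if __name__ == "__main__":
    for link, expected in SAMPLE_LINKS.items():
        verdict = classify_meeting_link(link)
        print(f"{verdict:45s} {link}")
        assert verdict == expected
```

A rejected verdict means "do not join from this link"; the right response is to reach the inviter through a channel that was not used to send the invitation, since the Telegram account that delivered it was itself compromised here. The domain check covers only the first step of the lure: the second control is procedural, namely that a "troubleshooting command" requested during a call is never run, regardless of who appears on camera.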
Mandiant confirmed that these tools can steal Keychain credentials, browser cookies, login data, Telegram sessions, and sensitive local files. Researchers believe the attackers aim both to take crypto assets directly and to gather intelligence for follow-on scams. Deploying that many tools on a single device points to a carefully planned, targeted intrusion.
This incident is not an isolated one. By 2025, similar AI-assisted video-meeting scams had caused losses exceeding $300 million, and over the course of that year North Korea-related cyber operations stole approximately $2.02 billion in digital assets, a 51% increase. Chainalysis also noted that scam groups using AI services operate significantly more efficiently than those relying on traditional methods.
As the barrier to deepfake technology keeps falling, the crypto industry faces unprecedented security challenges. Experts warn that online meetings that touch funds or system permissions need stronger multi-factor authentication and device isolation; otherwise they will become the next attack vector.