**Google Cloud Flags North Korea-Linked Crypto Malware Campaign**

A recent report from Mandiant, a US cybersecurity company that operates under Google Cloud, has shed light on a sophisticated North Korea-linked crypto malware campaign. The suspected North Korean threat actors have been escalating their social engineering schemes targeting cryptocurrency and fintech companies since November 2025.

The campaign, tracked as UNC1069, deployed seven malware families aimed at capturing and exfiltrating victim data. According to the report, the malware included two newly discovered, sophisticated data-mining viruses: CHROMEPUSH and DEEPBREATH. These viruses are designed to bypass key operating system components and gain access to personal data.

The threat actor has been tracked by Mandiant since 2018, but AI advancements helped the malicious actor scale up its operations and include "AI-enabled lures in active operations" for the first time in November 2025. This campaign relied on social engineering schemes involving compromised Telegram accounts and fake Zoom meetings with deepfake videos generated through artificial intelligence tools.

One intrusion outlined by Mandiant involved attackers using a compromised Telegram account belonging to a crypto founder to initiate contact. The victim was invited to a Zoom meeting featuring a fabricated video feed in which the attacker claimed to be experiencing audio problems. The attacker then directed the user to run troubleshooting commands on their system to fix the purported audio issue, a technique known as a ClickFix attack.

The provided troubleshooting commands embedded a single hidden command that initiated the infection chain, according to Mandiant. This campaign represents an expansion of the group's operations, which primarily target crypto companies, software developers, and venture capital businesses.

North Korea-linked illicit actors have been a persistent threat to both crypto investors and Web3-native companies. In June 2025, four North Korean operatives infiltrated multiple crypto firms as freelance developers, stealing a cumulative $900,000 from these startups, Cointelegraph reported earlier this year. Earlier that year, the Lazarus Group was linked to the $1.4 billion hack of Bybit, one of the largest crypto thefts on record.

Mandiant's report highlights the increasing sophistication and scope of North Korea-linked threat actors in the cryptocurrency space. The use of AI-enabled lures and deepfake videos demonstrates a new level of technical expertise and willingness to adapt to evolving security measures.

Cointelegraph contacted Mandiant for additional details regarding the attribution, but had not received a response by publication.