North Korea-Linked Hackers Deploy Seven New Malware Families Targeting Crypto Firms

A video of someone you know asking for help triggers trust in ways text never can.
On why AI-generated deepfakes represent a qualitative shift in social engineering attacks against crypto firms.

From the margins of a sanctioned state, a sophisticated cyber operation has turned the tools of artificial intelligence against the architects of digital finance. A threat group linked to North Korea, designated UNC1069, has deployed seven new malware families against cryptocurrency founders, developers, and venture capital firms — using AI-generated deepfakes in what appears to be their first operational use of the technology. The campaign, documented by Mandiant, reflects a broader truth: that where wealth migrates into new forms, predation follows with equal ingenuity.

  • Seven newly engineered malware variants — including CHROMEPUSH and DEEPBREATH — have been purpose-built to slip past operating system defenses and drain sensitive data from crypto and fintech targets.
  • For the first time, the group deployed AI-generated deepfake video in live attacks, using fabricated Zoom calls to convince victims they were troubleshooting a technical glitch — while actually executing a full malware infection chain.
  • Attackers compromised a crypto founder's Telegram account to reach victims directly, weaponizing trust itself as the primary attack surface in what security researchers call a ClickFix intrusion.
  • The targeting is not opportunistic — crypto founders, blockchain developers, and Web3 investors are being selected deliberately, suggesting the group has mapped where digital assets concentrate and who holds the keys.
  • North Korean-linked actors have already stolen hundreds of millions in recent operations, including a $1.4 billion Bybit breach, and the integration of AI capabilities signals the threat is accelerating, not plateauing.

A cybersecurity investigation published this week by Mandiant, Google Cloud's security division, has exposed a coordinated campaign by a North Korea-linked threat group deploying seven newly developed malware families against cryptocurrency and fintech firms. The operation, tracked as UNC1069, marks a significant leap in both scale and sophistication from prior North Korean cyber activity.

At the center of the toolkit are three variants — SILENCELIFT, DEEPBREATH, and CHROMEPUSH — with the latter two specifically engineered to bypass operating system security and extract financial and personal data from compromised machines. What sets this campaign apart is the first confirmed operational use of AI-generated deepfake video, a capability the group appears to have activated in November 2025.

In one documented attack, the group hijacked a cryptocurrency founder's Telegram account and used it to invite the victim to a Zoom call. On that call, a deepfake video feed depicted the attacker claiming audio trouble — a pretext that led the victim to run what appeared to be routine troubleshooting commands. Hidden within those commands was the trigger for a full malware deployment, a method known as a ClickFix attack.

Mandiant has monitored UNC1069 since 2018, but notes that recent AI advances have allowed the group to scale dramatically. The ability to fabricate convincing video identities transforms social engineering from a game of textual deception into something far harder to detect or resist.

The campaign's targeting is deliberate: crypto founders, blockchain developers, and venture capital firms backing Web3 projects are all in scope. This mirrors a broader pattern — North Korean-linked actors previously stole roughly $900,000 through developer impersonation schemes, and the $1.4 billion Bybit breach was attributed to the Lazarus Group. The convergence of deepfake technology, bespoke malware, and methodical social engineering suggests the crypto sector now faces a threat that is not only persistent, but evolving faster than many of its defenses.

A threat group with suspected ties to North Korea has begun deploying seven newly discovered malware families in coordinated attacks against cryptocurrency and fintech companies, according to research published this week by Mandiant, the cybersecurity division of Google Cloud. The campaign, tracked under the designation UNC1069, represents a significant escalation in both the sophistication and scale of operations targeting digital asset firms, venture capital investors, and software developers.

The malware toolkit includes three particularly concerning variants: SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The latter two are engineered specifically to circumvent operating system security controls and extract sensitive personal and financial data from compromised machines. What distinguishes this campaign from previous North Korean cyber operations is the integration of artificial intelligence tools to generate convincing deepfake video content—a capability the group appears to have deployed operationally for the first time in November 2025.

The attack methodology relies on social engineering rather than technical exploits alone. In one documented intrusion, attackers gained access to a Telegram account belonging to a cryptocurrency founder and used it to contact the victim directly. The attacker then invited the target to join a Zoom call, during which a fabricated video feed showed the attacker claiming to experience audio difficulties. This pretext led the victim to execute troubleshooting commands on their system—a technique known as a ClickFix attack. Embedded within those seemingly innocent commands was a hidden instruction that initiated the full malware infection chain.

Mandiant has tracked the threat actor since 2018, but the organization notes that recent advances in AI technology have enabled the group to scale its operations substantially. The use of deepfake video lures represents a qualitative shift in the sophistication of social engineering campaigns. Rather than relying solely on text-based deception or crude impersonation, attackers can now present convincing visual evidence of legitimacy, making it significantly harder for targets to distinguish authentic communications from malicious ones.

The targeting pattern reveals a deliberate focus on high-value entities within the cryptocurrency ecosystem. Crypto founders, blockchain developers, and venture capital firms investing in Web3 projects all appear in the threat group's crosshairs. This concentration suggests the attackers understand where digital assets are concentrated and who controls access to them. The campaign is not random; it is methodical and tailored to the specific vulnerabilities of individuals and organizations within the crypto industry.

This is not the first time North Korean-linked actors have targeted cryptocurrency firms with notable success. In June 2025, four operatives posing as freelance developers infiltrated multiple crypto startups and made off with approximately $900,000 in combined theft. More dramatically, the Lazarus Group—another North Korean-attributed threat actor—was linked to the $1.4 billion breach of Bybit, one of the largest cryptocurrency thefts ever recorded. The pattern suggests that North Korea views the crypto sector as a persistent and lucrative target, and that the sophistication of attacks is only increasing.

Mandiant declined to provide additional details regarding the attribution of UNC1069 to North Korea at the time of publication, leaving some technical questions unanswered. What is clear, however, is that the convergence of AI-generated deepfakes, social engineering, and purpose-built malware represents a new threat landscape for cryptocurrency companies and the individuals who lead them. The attackers have demonstrated they can impersonate trusted contacts, create convincing false scenarios, and deliver malware that bypasses standard security controls—all in service of stealing digital assets and harvesting sensitive data.

This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH
— Mandiant report
The Hearth Conversation: Another angle on the story
Inventor

Why would North Korea focus so heavily on cryptocurrency companies specifically? There are plenty of other targets with more traditional wealth.

Model

Crypto is borderless and pseudonymous by design. A founder can hold billions in a digital wallet. There's no bank to call, no government to petition for recovery. Once the assets move, they're gone. For a sanctioned nation, that's ideal.

Inventor

The deepfake video element feels like a turning point. What makes that different from just pretending to be someone over text?

Model

Text you can dismiss. A video of someone you know, speaking to you in real time, asking for help—that triggers a different part of your brain. You see their face. You hear their voice. The cognitive load of disbelieving it is much higher. AI makes that scalable now.

Inventor

So the ClickFix attack is the actual delivery mechanism. The deepfake is just the social engineering wrapper.

Model

Exactly. The deepfake gets you to trust the person. The ClickFix gets you to run the command. The malware does the rest. Each layer serves a purpose.

Inventor

How do you even defend against this if the attack starts with a compromised account of someone you actually know?

Model

That's the hard part. You can't trust the channel anymore. You have to verify through a completely separate channel—call them on a different number, meet in person. But that friction is exactly what the attacker is counting on. Most people won't do it.

Inventor

And Mandiant won't say definitively it's North Korea?

Model

They're being cautious. Attribution is hard. But the pattern—the targeting, the sophistication, the previous operations—all point in one direction. Sometimes what you don't say is as telling as what you do.
