February 11 news: Google’s security team Mandiant disclosed that a North Korea-linked hacker group is using deepfake videos and fake Zoom calls to carry out highly targeted social engineering attacks against the cryptocurrency industry, deploying multiple malicious programs to steal assets and data.
The investigation shows that this operation was launched by the cyber threat group UNC1069. The group has been active since at least 2018 and shifted its focus from traditional finance to the Web3 space after 2023, targeting executives of crypto financial technology companies, software developers, and venture capital professionals. The incident began when an industry executive’s Telegram account was hijacked. The attacker impersonated the individual to contact targets, build trust, and then send fake Calendly video meeting invitations.
After victims clicked the link, they were directed to a fake Zoom domain controlled by the attacker. During the call, the attacker played a deepfake video of what appeared to be the CEO of another crypto company, and claimed there was an “audio malfunction,” tricking the target into running a supposed troubleshooting command on their computer. These commands triggered an infection chain on macOS and Windows systems, silently deploying up to seven malicious software programs.
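The pivot in the chain described above is a meeting link that points at a domain merely pretending to be Zoom. The following Python script is an added illustration, not part of the original report or of Mandiant's tooling: it shows the kind of pre-click check a security team can apply to invitation links before anyone joins a call. It extracts the real host of each URL (ignoring tricks such as a `zoom.us@` userinfo prefix), accepts only `zoom.us` and its subdomains, and flags any other link that mentions "zoom" as a lookalike. The allowlist and the sample invite URLs are constructed assumptions; the article does not name the fake domain.

```python
"""Triage meeting-invite links: accept real Zoom hosts, flag lookalikes.

Added example (not from the original article). The allowlist below is an
assumption: legitimate Zoom meeting links are served from zoom.us and its
subdomains (e.g. us02web.zoom.us). Anything else that mentions "zoom" is
treated as a lookalike and should be reviewed before anyone clicks it.
"""
from urllib.parse import urlparse

# Assumed allowlist of legitimate Zoom link suffixes.
LEGIT_ZOOM_SUFFIXES = ("zoom.us",)


def host_of(url: str) -> str:
    """Return the lowercase host of a URL, without scheme, port or userinfo.

    urlparse().hostname already strips the "user@" part, so a link such as
    https://zoom.us@evil.test/j/1 yields "evil.test", not "zoom.us".
    """
    if "://" not in url:
        url = "https://" + url          # bare "zoom.us/j/1" style links
    parsed = urlparse(url)
    return (parsed.hostname or "").lower().rstrip(".")


def is_legit_zoom_host(host: str) -> bool:
    """True only for an allowlisted host or a subdomain of one.

    The leading dot matters: "notzoom.us" ends with "zoom.us" but is NOT a
    subdomain of it, and must not be accepted.
    """
    return any(host == s or host.endswith("." + s) for s in LEGIT_ZOOM_SUFFIXES)


def mentions_zoom(url: str) -> bool:
    """The brand name anywhere in an untrusted link is the lookalike signal."""
    return "zoom" in url.lower()


def classify_invite(url: str) -> str:
    """Return one of: legitimate, lookalike, unknown, malformed."""
    host = host_of(url)
    if not host:
        return "malformed"
    if is_legit_zoom_host(host):
        return "legitimate"
    if mentions_zoom(url):
        return "lookalike"        # says "zoom", is not hosted by Zoom
    return "unknown"              # some other meeting provider; review separately


def triage_invites(urls):
    """Map each invite link to its verdict; lookalikes are the ones to block."""
    return {u: classify_invite(u) for u in urls}


# Constructed sample invites (all non-Zoom hosts use reserved .test names).
SAMPLE_INVITES = [
    "https://us02web.zoom.us/j/1234567890?pwd=abc",      # real Zoom subdomain
    "https://zoom.us.meeting-example.test/j/1",          # Zoom as a decoy prefix
    "https://zoom.us@meeting-example.test/j/1",          # userinfo trick
    "https://notzoom.us/j/1",                            # suffix without the dot
    "https://meet.example.test/abc",                     # some other provider
]

if __name__ == "__main__":
    for link, verdict in triage_invites(SAMPLE_INVITES).items():
        print(f"{verdict:>10}  {link}")
```

Run as a script it prints a verdict per link; in practice the same function can sit in a mail or chat gateway so that lookalike invitations are quarantined and surfaced to the security team rather than reaching the executive who was invited.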
Mandiant confirmed that these tools can steal Keychain credentials, browser cookies, login information, Telegram sessions, and local sensitive files. Researchers believe that the attackers aim both to directly acquire crypto assets and to gather intelligence for future scams. Deploying so many tools on a single device indicates a carefully planned targeted infiltration.
This incident is not isolated. By 2025, similar AI conference scams had caused losses exceeding $300 million; throughout the year, cyber operations related to North Korea stole approximately $2.02 billion in digital assets, a 51% increase. Chainalysis also pointed out that scam groups utilizing on-chain AI services are significantly more efficient than traditional methods.
As the barrier to deepfake technology continues to lower, the crypto industry faces unprecedented security challenges. Experts warn that online meetings involving funds and system permissions must strengthen multi-factor authentication and device isolation; otherwise, they could become the next attack vector.