North Korean hackers used AI-generated deepfakes to impersonate a prominent crypto CEO during a Zoom call, tricking an executive into downloading malware that compromised their company’s systems, according to a new report from Google’s Mandiant threat intelligence unit.
The attack, attributed to the North Korea-linked group UNC1069, represents a dangerous evolution in social engineering tactics as hackers blend artificial intelligence with trusted professional tools to disarm their targets.
The findings highlight how North Korean hackers continue to evolve their playbook as digital asset adoption grows and security defenses harden. Rather than relying on crude phishing emails, state-linked actors are now exploiting professional tools like Zoom, Telegram, and Calendly to appear legitimate and disarm their targets.
AI Joins the Cyber Arsenal
According to Mandiant, the attack was attributed to UNC1069, a financially motivated threat group active since at least 2018 and linked to Pyongyang. Researchers say North Korean hackers have steadily shifted their focus away from traditional finance toward the Web3 sector, where high-value assets and fast-moving teams create attractive attack surfaces.
“Mandiant has observed this threat actor evolve its tactics, techniques, and procedures, tooling, and targeting,” the company said in its report. Since 2023, the group has prioritized centralized exchanges, blockchain developers, fintech firms, and venture capital professionals.
This evolution mirrors a broader pattern in which North Korean hackers increasingly treat crypto not just as a target, but as a strategic revenue stream.
A Compromised Contact Opens the Door
The intrusion began with the takeover of a Telegram account belonging to a senior crypto executive. Using that trusted identity, North Korean hackers initiated casual conversations with the eventual victim, carefully building rapport over time.
Once trust was established, the attackers sent a Calendly invitation for a video meeting. The link directed the target to a spoofed Zoom domain hosted on infrastructure controlled by the threat actors, a subtle detail easy to miss during a busy workday.
This method underscores how North Korean hackers are exploiting familiar workflows rather than forcing victims into suspicious or unusual behavior.
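The spoofed meeting domain is the one step in this chain that a machine can check before a human has to. The following is an added illustration, not code from Mandiant's report or from Zoom, of the kind of link check a chat or calendar integration can run on an invite: it rejects non-HTTPS links, user-info tricks such as `zoom.us@attacker-host`, punycode look-alike labels, and any host that is not under an approved meeting zone. The allowlist of zones is an assumption for the example; the sample links are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist (assumption for this example): registrable domains
# under which an organisation expects genuine meeting links to be served.
ALLOWED_ZONES = ("zoom.us", "zoom.com")

# A single DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def classify_meeting_link(url: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a meeting URL received in a chat or invite."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"
    # 'https://zoom.us@attacker-host/...' shows 'zoom.us' first but connects elsewhere.
    if parts.username is not None or parts.password is not None:
        return False, "user-info before the host (look-alike trick)"
    host = (parts.hostname or "").rstrip(".")  # hostname is lowercased by urlsplit
    if not host:
        return False, "no host"
    for label in host.split("."):
        if label.startswith("xn--"):
            return False, "internationalised (punycode) label, possible homoglyph"
        if not _LABEL_RE.match(label):
            return False, f"malformed host label {label!r}"
    for zone in ALLOWED_ZONES:
        # Exact zone or a subdomain of it; 'zoom.us.attacker.example' and
        # 'evilzoom.us' both fail because neither ends with '.zoom.us'.
        if host == zone or host.endswith("." + zone):
            return True, f"host {host} is under approved zone {zone}"
    return False, f"host {host} is not under an approved meeting domain"


def meeting_link_is_trusted(url: str) -> bool:
    return classify_meeting_link(url)[0]


if __name__ == "__main__":
    # Constructed sample links, not indicators from the incident.
    samples = [
        "https://us02web.zoom.us/j/123456789?pwd=abc",
        "https://zoom.us.meet-invite.example/j/123456789",
        "https://zoom.us@meet-invite.example/j/123456789",
        "http://zoom.us/j/123456789",
        "https://xn--zom-hna.us/j/123456789",
    ]
    for link in samples:
        trusted, reason = classify_meeting_link(link)
        print(("TRUSTED " if trusted else "BLOCK   ") + link + "  # " + reason)
```

The check is deliberately an allowlist rather than a blocklist of known spoof domains: attacker-controlled infrastructure changes per campaign, while the set of vendors an organisation actually meets on is small and stable. Pair it with the human control the report implies, confirming an unexpected meeting through a second channel rather than the account that sent the invite.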
Deepfake Deception on Camera
During the call, the victim reported seeing what appeared to be a real-time video of a well-known crypto CEO. Investigators believe North Korean hackers likely used AI-generated deepfake technology to impersonate the executive, adding credibility to the meeting.
“While Mandiant was unable to recover forensic evidence to independently verify the use of AI models in this specific instance, the reported ruse is similar to previously documented incidents involving alleged deepfakes,” the report noted.
Even without definitive proof, the scenario aligns with earlier cases where North Korean hackers used synthetic media to bypass human skepticism.
Malware Delivered as ‘Tech Support’
The attackers intentionally staged audio issues during the meeting, a tactic used to justify asking the victim to run troubleshooting commands. Those instructions, tailored separately for macOS and Windows, secretly launched the malware infection process.
Once those commands were executed, the North Korean hackers deployed an unusually large toolkit on the victim’s machine. Mandiant identified seven distinct malware families designed to harvest credentials, browser cookies, Telegram session data, and sensitive local files.
The volume of tooling suggested a highly targeted operation, aimed at extracting maximum value from a single compromised individual.
Dual Motives: Theft and Future Access
Investigators concluded that North Korean hackers had two primary objectives: immediate access to assets that could enable cryptocurrency theft, and long-term intelligence gathering to fuel future social engineering campaigns.
By stealing contact lists, credentials, and communication histories, attackers can replicate the same trusted-entry tactics across multiple organizations.
“This type of intrusion isn’t just about one theft,” said John Hultquist, Chief Analyst at Google Mandiant. “It’s about building a pipeline of access that can be reused again and again.”
Part of a Much Bigger Pattern
The incident is far from isolated. In December 2025, BeInCrypto reported that North Korean hackers had siphoned more than $300 million by impersonating trusted industry figures during fraudulent Zoom and Microsoft Teams meetings.
On a yearly scale, the numbers are even more alarming. Blockchain analytics firm Chainalysis estimates that North Korean hackers were responsible for $2.02 billion in stolen digital assets in 2025, representing a 51% increase year over year.
Those figures reinforce concerns that cybercrime has become a significant funding mechanism for the regime.
AI Raises the Stakes
Chainalysis has also observed that scam clusters linked on-chain to AI service providers operate with higher efficiency than traditional groups. This suggests North Korean hackers are gaining leverage by integrating automation and generative tools into their operations.
With deepfake software becoming cheaper and more accessible, experts warn that convincing impersonations may soon become the norm rather than the exception.
A Security Race Against Time
For the crypto industry, the rise of AI-enabled attacks presents a stark challenge. North Korean hackers are moving faster than many security teams can adapt, blurring the line between real and fake interactions.
As these tactics spread, the coming years will test whether exchanges, developers, and investors can strengthen verification processes and human awareness quickly enough to counter one of the most persistent threats in digital finance.