February 11 news: Google’s security team Mandiant disclosed that a North Korea-linked hacker group is using deepfake videos and fake Zoom calls to carry out highly targeted social engineering attacks against the cryptocurrency industry, deploying multiple malicious programs to steal assets and data.
The investigation shows that this operation was launched by the cyber threat group UNC1069. The group has been active since at least 2018 and shifted its focus from traditional finance to the Web3 space after 2023, targeting executives of crypto financial technology companies, software developers, and venture capital professionals. The incident began when an industry executive’s Telegram account was hijacked. The attacker impersonated the individual to contact targets, build trust, and then send fake Calendly video meeting invitations.
After victims clicked the link, they were directed to a fake Zoom domain controlled by the attacker. During the call, the attacker played a deepfake video of what appeared to be the CEO of another crypto company, and claimed there was an “audio malfunction,” tricking the target into running a supposed troubleshooting command on their computer. These commands triggered an infection chain on macOS and Windows systems, silently deploying up to seven malicious software programs.
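The lure in this chain is a meeting link that points at a lookalike domain instead of the real Zoom service. The following defender-side check, an added example that is not part of the original report or of Mandiant's tooling, shows how an organisation can triage inbound meeting invitations before anyone clicks: it accepts a link only when the registrable host really belongs to an allowed meeting domain (the allowlist `ALLOWED_MEETING_DOMAINS` containing `zoom.us` is an assumption to be adjusted to local policy), and it rejects the common impersonation shapes, such as `zoom.us` appearing as a subdomain of an attacker-controlled domain, userinfo tricks (`https://zoom.us@evil.example/`), plain-HTTP links, bare IP addresses and punycode or non-ASCII hosts. The sample invitations are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the organisation's allowlist of legitimate meeting domains.
# Extend it to match local policy (e.g. a self-hosted conferencing domain).
ALLOWED_MEETING_DOMAINS = ("zoom.us",)


def is_trusted_meeting_link(url: str) -> bool:
    """Return True only for an https link whose host is, or is a subdomain of,
    an allowed meeting domain. Everything else is treated as untrusted."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False  # malformed URL (e.g. bad IPv6 brackets)

    if parts.scheme.lower() != "https":
        return False  # legitimate meeting links are always https

    if parts.username is not None or parts.password is not None:
        # 'https://zoom.us@evil.example/...' shows a trusted name before '@',
        # but the browser connects to the host after it.
        return False

    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False

    try:
        ipaddress.ip_address(host)
        return False  # a bare IP address is never a legitimate meeting host
    except ValueError:
        pass

    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False  # non-ASCII label: possible homograph lookalike
    if host.startswith("xn--") or ".xn--" in host:
        return False  # punycode-encoded label: same concern

    # Exact match or a real subdomain (host must end with '.' + domain), so
    # 'zoom.us.attacker.example' does not pass as a subdomain of 'zoom.us'.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_MEETING_DOMAINS)


def triage_invites(urls):
    """Map each invitation link to 'trusted' or 'untrusted' for review."""
    return {u: ("trusted" if is_trusted_meeting_link(u) else "untrusted") for u in urls}


# Constructed sample invitations for demonstration (not from the report).
SAMPLE_INVITES = [
    "https://us02web.zoom.us/j/1234567890?pwd=abc",      # real subdomain of zoom.us
    "https://zoom.us/j/1234567890",                       # exact allowed domain
    "https://zoom.us.meeting-verify.example/j/123",      # 'zoom.us' as a decoy prefix
    "https://zoom-us.example/j/123",                      # hyphenated lookalike
    "http://zoom.us/j/123",                               # plain HTTP
    "https://zoom.us@evil.example/j/123",                 # userinfo trick
    "https://xn--zom-hna.us/j/123",                       # punycode lookalike
    "https://192.0.2.10/j/123",                           # bare IP address
]

if __name__ == "__main__":
    for link, verdict in triage_invites(SAMPLE_INVITES).items():
        print(f"{verdict:9s} {link}")
```

Wiring this into a mail or chat gateway lets a help desk flag invitations from unknown hosts for a phone-verified confirmation with the purported sender, which is the control that would have interrupted the hijacked-account lure described above.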
Mandiant confirmed that these tools can steal Keychain credentials, browser cookies, login information, Telegram sessions, and local sensitive files. Researchers believe that the attackers aim both to directly acquire crypto assets and to gather intelligence for future scams. Deploying so many tools on a single device indicates a carefully planned targeted infiltration.
This incident is not isolated. By 2025, similar AI-assisted video meeting scams had caused losses exceeding $300 million; over the year, cyber operations linked to North Korea stole approximately $2.02 billion in digital assets, a 51% increase. Chainalysis also pointed out that scam groups using on-chain AI services are significantly more efficient than those relying on traditional methods.
As the barrier to entry for deepfake technology keeps falling, the crypto industry faces unprecedented security challenges. Experts warn that online meetings involving funds or system permissions must be backed by stronger multi-factor authentication and device isolation; otherwise, such meetings could become the next attack vector.