North Korean Hackers Use Deepfake Zoom Calls to Target Crypto Firms
Google’s Mandiant team says a North Korea–nexus threat actor has folded AI-enabled lures into crypto-focused hacks, reflecting an evolution in state-linked activity targeting the digital asset sector. Mandiant detailed an intrusion against a FinTech company in the cryptocurrency industry that it attributed to UNC1069.
The attackers first compromised a Telegram account belonging to a crypto executive and used it to build trust with the victim, then sent a Calendly invitation whose meeting link led to a fake Zoom domain under the actors' control rather than to Zoom itself. During the call the victim reported seeing what appeared to be a deepfake of a CEO from another crypto company. Mandiant could not recover forensic evidence to independently verify that AI models were used, but the ruse resembled a previously reported incident.
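The weak link in this chain is that the meeting URL was trusted because it arrived through a known contact and a legitimate scheduling service. The check below is an added example, not code from Mandiant or from the article, showing how to validate a meeting link's host against the real Zoom domain while resisting the usual lookalike tricks (userinfo before an `@`, the real name as a prefix or subdomain of an attacker host, non-ASCII homoglyphs). The `ZOOM_HOSTS` list and the sample links are constructed for illustration and are not an official inventory of Zoom domains.

```python
from urllib.parse import urlsplit

# Assumption: the host(s) Zoom uses for meeting links. Illustrative, not an
# authoritative list; a production check should source this from policy.
ZOOM_HOSTS = ("zoom.us",)


def is_official_zoom_link(url: str) -> bool:
    """Return True only if the link is HTTPS and its host is zoom.us or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() != "https":
        return False
    # .hostname drops userinfo ("zoom.us@evil.example" -> evil.example),
    # the port, and IPv6 brackets, and lowercases the result.
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # ignore a trailing dot (FQDN form)
    if not host.isascii():
        return False  # reject IDN homoglyph hosts outright
    # Exact match or a true subdomain; "evilzoom.us" and
    # "zoom.us.evil.example" both fail this test.
    return any(host == base or host.endswith("." + base) for base in ZOOM_HOSTS)


def triage_links(urls):
    """Split a batch of meeting links into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for u in urls:
        (accepted if is_official_zoom_link(u) else rejected).append(u)
    return accepted, rejected


# Constructed sample links (not real meetings or real attacker domains).
SAMPLE_LINKS = [
    "https://us05web.zoom.us/j/1234567890",      # genuine pattern
    "https://ZOOM.US/j/1234567890",              # genuine, odd case
    "https://zoom.us@evil.example/j/1234567890", # userinfo trick
    "https://zoom.us.evil.example/j/1234567890", # real name as subdomain
    "https://evilzoom.us/j/1234567890",          # real name as suffix
    "http://zoom.us/j/1234567890",               # not HTTPS
]

if __name__ == "__main__":
    ok, bad = triage_links(SAMPLE_LINKS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The suffix test is deliberately written as `host == base or host.endswith("." + base)`; a bare `"zoom.us" in host` would accept every lookalike above.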
The attackers then staged audio problems on the call and instructed the victim to run "troubleshooting" commands on macOS and Windows. Those commands were the payload: running them launched a multi-stage malware infection. The article does not reproduce the commands, but the pattern is the familiar one in which the fix a caller walks you through is itself the compromise, so any command supplied by a meeting participant to resolve a call issue should be treated as untrusted.