Attack chain
North Korean threat actors are leveling up their social engineering game, using AI-generated deepfakes and sophisticated malware to target the cryptocurrency sector. A new investigation by Mandiant into an intrusion at a FinTech company has exposed the evolving tactics of UNC1069, a financially motivated group active since 2018.
This campaign marks a significant shift in tradecraft. No longer content with simple phishing emails, UNC1069 is now deploying a full suite of custom tools and AI-enabled ruses to deceive victims and drain their digital assets.
The attack began with a personal touch: a message on Telegram from what appeared to be a trusted contact. In reality, the account had been hijacked. After building rapport, the attacker sent a Calendly invite for a video call.
When the victim joined the “Zoom” meeting—hosted on a spoofed domain—they were greeted by a familiar face. “The victim reported that during the call, they were presented with a video of a CEO from another cryptocurrency company that appeared to be a deepfake,” the report states.
This AI-generated lure was just the setup. Feigning audio issues, the attackers pivoted to a “ClickFix” attack, tricking the victim into running “troubleshooting” commands that were actually malicious scripts designed to infect their macOS system.
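Both the spoofed "Zoom" meeting host and the SILENCELIFT C2 named later in the report (support-zoom[.]us) lean on the Zoom brand sitting inside a domain Zoom does not own. The following detector, an added example that is not part of the Mandiant report, flags such lookalikes in DNS query logs by comparing a hostname's registrable domain against the vendor's official domains and then looking for the brand token anywhere else in the name. The log lines are constructed; the report does not name the spoofed meeting domain, so zoom.us.meeting-join.com is an assumed stand-in, and the suffix list is a deliberately tiny substitute for the Public Suffix List.

```python
"""Flag Zoom/Calendly lookalike hostnames in DNS query logs.

Added example; not code from the Mandiant report. The log lines are
constructed. Only support-zoom[.]us (the SILENCELIFT C2) comes from the
article; "zoom.us.meeting-join.com" is an assumed stand-in for the
unnamed spoofed meeting domain.
"""
import re

# Brand token -> registrable domains the vendor actually uses
# (assumption: extend this for your environment).
OFFICIAL = {
    "zoom": {"zoom.us", "zoom.com"},
    "calendly": {"calendly.com"},
}

# Assumption: tiny stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

LOG_RE = re.compile(r"query=(?P<host>[A-Za-z0-9.\[\]-]+)")


def refang(host: str) -> str:
    """Turn defanged 'support-zoom[.]us' back into a real, normalised hostname."""
    return host.replace("[.]", ".").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Return the registrable part: last two labels, or three for co.uk-style suffixes."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(host: str):
    """Return ('official' | 'lookalike' | 'unknown', brand).

    A name is a lookalike when the brand token appears as a label or
    hyphen-separated word anywhere in it, but the registrable domain is not
    one the vendor owns (catches support-zoom.us and zoom.us.attacker.com).
    """
    host = refang(host)
    reg = registrable_domain(host)
    tokens = set(re.split(r"[.-]", host))
    for brand, domains in OFFICIAL.items():
        if reg in domains:
            return "official", brand
        if brand in tokens:
            return "lookalike", brand
    return "unknown", None


def scan_log(lines):
    """Return (host, brand) for every query whose hostname is a brand lookalike."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict, brand = classify(m.group("host"))
        if verdict == "lookalike":
            hits.append((refang(m.group("host")), brand))
    return hits


# Constructed sample log (not real telemetry).
SAMPLE_LOG = [
    "ts=2025-11-12T09:41:03Z client=10.0.0.5 query=us02web.zoom.us type=A",
    "ts=2025-11-12T09:41:10Z client=10.0.0.5 query=zoom.us.meeting-join.com type=A",
    "ts=2025-11-12T09:52:44Z client=10.0.0.5 query=support-zoom.us type=A",
    "ts=2025-11-12T09:53:01Z client=10.0.0.5 query=calendly.com type=A",
    "ts=2025-11-12T09:53:07Z client=10.0.0.5 query=example.co.uk type=A",
]

if __name__ == "__main__":
    for host, brand in scan_log(SAMPLE_LOG):
        print(f"lookalike of {brand}: {host}")
```

Run against the constructed log it reports the meeting-join stand-in and support-zoom.us, while us02web.zoom.us and calendly.com pass as official. Expect some noise from legitimate names that happen to contain a brand word; the point is to surface candidates for the "Zoom call on an odd domain" pattern, not to block automatically.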
Once inside, UNC1069 didn’t just plant a single backdoor; they deployed an arsenal. Mandiant identified seven unique malware families used in the intrusion, including three new tools designed specifically to harvest data: SILENCELIFT, DEEPBREATH, and CHROMEPUSH.
- SILENCELIFT: A minimalistic backdoor that beacons host information to a C2 server (ironically named support-zoom[.]us) and can even interrupt Telegram communications if given root privileges.
- DEEPBREATH: A data miner written in Swift that bypasses macOS Transparency, Consent, and Control (TCC) protections to steal credentials, browser cookies, and even data from the Apple Notes app.
- CHROMEPUSH: A malicious browser extension that masquerades as a Google Docs tool. It silently records keystrokes and steals login data from Chrome and Brave browsers.
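A browser extension that logs keystrokes and lifts login data needs to inject scripts into every page and reach cookies or requests, and those capabilities are declared in its manifest.json. The script below, an added example rather than anything from the Mandiant report, triages installed Chrome and Brave extensions on macOS by those declared permissions. The report does not publish CHROMEPUSH's manifest, so the two manifests embedded here are constructed, the risky-permission set is a generic heuristic rather than an indicator for that extension, and the profile paths assume the default Chrome and Brave profiles.

```python
"""Triage Chrome/Brave extensions on macOS for data-stealing permissions.

Added example; not from the Mandiant report, which does not publish the
CHROMEPUSH manifest. The two manifests below are constructed and the
risky-permission list is a generic heuristic, not a report indicator.
"""
import json
from pathlib import Path

# Assumption: default profile locations for Chrome and Brave on macOS.
EXTENSION_DIRS = [
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",
    Path.home() / "Library/Application Support/BraveSoftware/Brave-Browser/Default/Extensions",
]

# Permissions that let an extension read every cookie, request or tab,
# inject arbitrary scripts, or talk to a native binary.
RISKY_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "tabs",
    "scripting", "debugger", "nativeMessaging",
}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def risk_findings(manifest: dict) -> list:
    """Return a list of human-readable findings for one manifest (empty if clean)."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for p in sorted(perms & RISKY_PERMISSIONS):
        findings.append(f"permission:{p}")
    if hosts & BROAD_HOSTS:
        findings.append("host_permissions:all sites")
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content_script:all sites")  # code runs in every page: keylogging territory
            break
    # Web Store installs carry an update_url; unpacked/sideloaded ones typically do not.
    if manifest.get("update_url") is None:
        findings.append("no update_url (sideloaded or unpacked)")
    return findings


def scan_installed(dirs=EXTENSION_DIRS):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report flagged ones."""
    results = []
    for base in dirs:
        if not base.is_dir():
            continue
        for manifest_path in base.glob("*/*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            findings = risk_findings(manifest)
            if findings:
                ext_id = manifest_path.parent.parent.name
                # Names may be localised placeholders like __MSG_appName__; keep the ID too.
                results.append((ext_id, manifest.get("name", "?"), findings))
    return results


# Constructed manifests (not the real CHROMEPUSH manifest).
LURE_MANIFEST = {
    "manifest_version": 3,
    "name": "Google Docs Helper",
    "permissions": ["cookies", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Plain Theme",
    "permissions": ["storage"],
    "update_url": "https://clients2.google.com/service/update2/crx",
}

if __name__ == "__main__":
    print("constructed lure:", risk_findings(LURE_MANIFEST))
    print("constructed benign:", risk_findings(BENIGN_MANIFEST))
    for ext_id, name, findings in scan_installed():
        print(f"{ext_id} ({name}): {', '.join(findings)}")
```

The constructed "Docs helper" trips four of the five checks; a real triage would then pull the content script and background service worker for that ID and look for keystroke listeners and outbound posts. Because the heuristic also flags legitimate password managers and ad blockers, treat the output as a review queue, and for the sideloaded case compare the extension ID against what is actually published in the Web Store.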
The use of deepfakes in this campaign aligns with a broader trend of threat actors integrating generative AI into their operations. “These tactics build upon a shift… where Google Threat Intelligence Group (GTIG) identified UNC1069’s transition from using AI for simple productivity gains to deploying novel AI-enabled lures in active operations,” Mandiant notes.
Whether it’s using Gemini to write code or generating fake video feeds to trick executives, UNC1069 is proving that the future of cybercrime is increasingly artificial—but the financial losses are all too real.