Google’s Mandiant team released a notice on February 9 describing new activity linked to North Korean threat groups.
The report explained that attackers use AI-generated deepfake videos in fake online meetings to gain trust and carry out attacks on crypto and DeFi companies.
Mandiant recently reviewed an incident at a fintech firm and linked it with high confidence to UNC1069, also known as “CryptoCore”. The group used a hijacked Telegram account, a fake Zoom meeting, and a method called ClickFix.
Did you know?
Subscribe – We publish new crypto explainer videos every week!
What is a Perpetual Contract in Crypto? (Definition + Example)
Analysts also found signs that an AI-generated video was used to impersonate a known industry figure during the fake meeting.
The report said, “Mandiant has observed UNC1069 employing these techniques to target both corporate entities and individuals within the cryptocurrency industry, including software firms and their developers, as well as venture capital firms and their employees or executives”.
The attack began when the victim received a Telegram message from what seemed to be a familiar crypto executive. After a short exchange, the attacker sent a Calendly link for a 30-minute call.
The link redirected the victim to a fake Zoom session hosted on the group’s servers.
During the call, the victim saw what appeared to be a deepfake video of a well-known CEO. Later, the attackers claimed there were audio issues. They then asked the victim to run several “troubleshooting” commands.
A later forensic review found seven kinds of malware on the victim’s device. The tools were designed to collect passwords, browser data, and session tokens.
TRM Labs reported that crypto scammers made major use of AI in 2025. What did the company say? Read the full story.
Be the first to comment