UNC1069 uses deepfake exec video and fake Zoom invites to target crypto firms
Mandiant and Google Cloud reported a North Korea-linked cluster, UNC1069, using AI deepfakes, compromised Telegram accounts, and spoofed Zoom calendar invites to trick crypto and fintech staff. The intrusions deploy multi-stage malware and harvest credentials and browser/wallet data.
Mandiant’s investigation, supported by Google Cloud telemetry, attributes a sophisticated campaign to UNC1069 that blends AI-generated deepfake video of trusted executives with compromised Telegram identities and spoofed Zoom calendar invites. Targets in cryptocurrency and fintech environments are socially engineered into running so-called troubleshooting commands that install multi-stage malware capable of capturing browser sessions, wallet data, and credentials. Researchers observed seven distinct malware families in a single intrusion, indicating extensive tooling and modular operations designed for large-scale credential and financial theft. The actors have expanded capabilities to evade detection and to automate data exfiltration, increasing the risk to centralized exchanges, custody providers, and institutional traders. Mandiant warns defenders to treat calendar and video-based meeting invitations skeptically, implement multi-factor protections, isolate troubleshooting workflows, and apply endpoint threat detection tuned for novel chains of execution. The case highlights the convergence of generative AI, identity compromise, and traditional credential-stealing malware as an escalating threat to the global crypto sector.