Deepfakes and Data Heists: North Korean Hackers Unleash AI in New Crypto Attacks
UNC1069’s latest campaign fuses social engineering, AI deepfakes, and multi-layered malware to loot financial secrets from the crypto sector.
The world of cryptocurrency just got a new, high-stakes villain. In a recent, chilling campaign, hackers linked to North Korea have blended cutting-edge AI deception with a barrage of malware, targeting FinTech and DeFi organizations with surgical precision. Their weapon of choice? A sophisticated toolkit - and a deepfake CEO - designed to steal millions in digital assets, all under the guise of a routine video call.
Fast Facts
- UNC1069, a North Korea–linked group, targeted a FinTech company using a mix of seven malware families.
- The attack began with social engineering on Telegram and escalated to a spoofed Zoom meeting featuring what was most likely an AI-generated deepfake of a known executive.
- Victims were tricked into running malicious commands, infecting macOS and Windows systems.
- Three newly identified tools - SILENCELIFT, a backdoor that beacons system details to its operators, and two stealers, DEEPBREATH and CHROMEPUSH - went after credentials, browser data, and session tokens.
- The campaign signals a shift: attackers now use AI-generated lures directly in active cyberattacks.
The Anatomy of a Modern Cyber Heist
The attack was set in motion on Telegram, where an account impersonating a crypto executive reached out to an unsuspecting employee at a FinTech firm. After weeks of careful trust-building, the hacker sent a Calendly invite for a seemingly innocuous 30-minute meeting. Instead of a routine Zoom call, the link led to a counterfeit site under the attackers’ control.
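The counterfeit meeting link is the step where a mechanical check can help. The following is an added example, not code from the article or from Mandiant: a small Python verifier that takes a meeting URL and decides whether it is really hosted under a sanctioned conferencing vendor's domain, catching the usual tricks (brand name in a subdomain of an attacker-owned site, a trusted name placed before an "@", plain HTTP, punycode lookalike labels). The allowlist of vendor domains and every sample URL are constructed for illustration and are not indicators from this campaign.

```python
"""Meeting-link verifier: is this invite really hosted by a sanctioned conferencing vendor?"""
from urllib.parse import urlsplit

# Assumption: the registrable domains your organisation sanctions for video calls.
TRUSTED_MEETING_DOMAINS = ("zoom.us", "teams.microsoft.com", "meet.google.com", "webex.com")


def _under(host: str, domain: str) -> bool:
    """True only when host is the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_meeting_link(url: str) -> tuple[str, str]:
    """Return ("ok", why) or ("suspicious", why) for a meeting URL."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "suspicious", f"scheme is {parts.scheme!r}, not https"
    # "https://zoom.us@evil.example/..." puts the trusted name in the userinfo
    # part; the browser actually connects to the host after the '@'.
    if parts.username is not None:
        return "suspicious", "userinfo before '@' disguises the real host"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return "suspicious", "no hostname"
    # IDNA (xn--) labels can be homograph lookalikes built from non-Latin letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode label in hostname (possible homograph)"
    for domain in TRUSTED_MEETING_DOMAINS:
        if _under(host, domain):
            return "ok", f"hosted under {domain}"
    # The brand appears in the host but not as its registrable domain:
    # "zoom.us.meeting-join.example" is a lookalike, not Zoom.
    for domain in TRUSTED_MEETING_DOMAINS:
        brand = domain.split(".")[0]
        if brand in host:
            return "suspicious", f"mentions '{brand}' but is not under {domain}"
    return "suspicious", "host is not a sanctioned conferencing domain"


# Constructed sample invites (invented for this example, not URLs from the campaign).
SAMPLE_LINKS = [
    "https://us05web.zoom.us/j/12345678901?pwd=abc",        # real Zoom subdomain
    "https://zoom.us.meeting-join.example/j/12345678901",    # brand in a lookalike host
    "https://zoom.us@call-support.example/j/12345678901",    # trusted name in userinfo
    "http://zoom.us/j/12345678901",                          # plain HTTP
    "https://xn--zom-hoa.us/j/12345678901",                  # punycode label
    "https://meet.google.com/abc-defg-hij",                  # sanctioned vendor
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, why = classify_meeting_link(link)
        print(f"{verdict:10} {link}  ({why})")
```

Run it on an invite before clicking, or wire `classify_meeting_link` into whatever inspects links in chat and calendar traffic; anything other than "ok" should be verified with the counterpart through a channel the attacker does not control.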
Once the meeting began, the victim was greeted by what appeared to be a well-known CEO - except this time, the executive’s image and voice were likely AI-generated deepfakes. Mandiant’s investigators couldn’t conclusively prove the video’s synthetic origins from the digital evidence, but the scenario aligns with the growing trend of AI-powered deception in cybercrime.
The real trap was sprung when the attacker claimed there were audio issues and urged the victim to run a block of “troubleshooting” commands. Those commands were the infection vector: running them delivered the malware. On macOS, the infection unfolded in several waves: the WAVESHAPER backdoor and HYPERCALL downloader established a foothold, followed by SUGARLOADER and a host of new tools.
Three newly identified malware components stood out: SILENCELIFT, a stealthy backdoor beaconing system details to its command center; DEEPBREATH, a Swift-based stealer targeting browser and keychain data; and CHROMEPUSH, which harvested credentials and cookies by abusing Chrome’s extension and messaging features. The attackers’ endgame: snatch credentials, drain accounts, and disappear without a trace.
This operation mirrors a broader shift in the threat landscape. Google’s intelligence teams have documented a move from AI as a productivity booster to AI as a direct attack vector, supercharging social engineering and deception.
Defending Against Tomorrow’s Threats, Today
The campaign offers a sobering lesson: every “routine” meeting invite and troubleshooting request can now be a Trojan horse. Experts urge companies to verify that meeting links actually resolve to the conferencing vendor’s own domain, to train staff to treat any request to paste commands into a terminal as a red flag (a legitimate video-call host never needs that to fix audio), and to monitor for suspicious changes to browser extensions. With attackers now wielding both advanced malware and AI-powered lures, the human firewall is more critical than ever.
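One way to act on the advice to monitor browser extensions, as an added example that is not from the article, from Mandiant, or from any tooling the page describes: a Python script that snapshots Chrome's installed extensions and native messaging host manifests on macOS and diffs them against a saved baseline, flagging sideloaded extensions, new or relocated native hosts, and native hosts reachable from an extension that did not come from the Web Store. The file paths are Chrome's standard macOS locations; the "expected binary prefixes" heuristic, the two constructed snapshots, and every ID, name and path in them are assumptions for illustration, not indicators from the campaign, and the script makes no claim about how CHROMEPUSH itself operates.

```python
"""Baseline diff of Chrome extensions and native messaging hosts on macOS."""
import json
from pathlib import Path

# Chrome's macOS locations for the default profile's Preferences file and for
# native messaging host manifests (per-user first, then system-wide).
CHROME_DIR = Path.home() / "Library/Application Support/Google/Chrome"
PREFERENCES = CHROME_DIR / "Default/Preferences"
NATIVE_HOST_DIRS = (
    CHROME_DIR / "NativeMessagingHosts",
    Path("/Library/Google/Chrome/NativeMessagingHosts"),
)
# Assumption: legitimate native host binaries live under one of these prefixes;
# anything in a home directory, /tmp or a cache folder gets flagged.
EXPECTED_BINARY_PREFIXES = ("/Applications/", "/usr/local/", "/opt/")


def load_snapshot(preferences=PREFERENCES, host_dirs=NATIVE_HOST_DIRS):
    """Read the live state into the same shape as the constructed snapshots below."""
    snap = {"extensions": {}, "native_hosts": {}}
    if preferences.is_file():
        settings = json.loads(preferences.read_text()).get("extensions", {}).get("settings", {})
        for ext_id, ext in settings.items():
            snap["extensions"][ext_id] = {
                "name": ext.get("manifest", {}).get("name", "?"),
                "from_webstore": bool(ext.get("from_webstore", False)),
                "path": ext.get("path", ""),
            }
    for directory in host_dirs:
        for manifest in (directory.glob("*.json") if directory.is_dir() else []):
            host = json.loads(manifest.read_text())
            snap["native_hosts"][host.get("name", manifest.stem)] = {
                "path": host.get("path", ""),
                "allowed_origins": list(host.get("allowed_origins", [])),
            }
    return snap


def audit(baseline, current):
    """Compare two snapshots and return a list of (severity, message) findings."""
    findings = []
    for ext_id, ext in current["extensions"].items():
        if ext_id not in baseline["extensions"]:
            findings.append(("warn", f"new extension {ext_id} ({ext['name']})"))
        if not ext["from_webstore"]:
            findings.append(("warn", f"extension {ext_id} was not installed from the Web Store: {ext['path']}"))
    for name, host in current["native_hosts"].items():
        known = baseline["native_hosts"].get(name)
        if known is None:
            findings.append(("warn", f"new native messaging host {name} -> {host['path']}"))
        elif known["path"] != host["path"]:
            findings.append(("high", f"native host {name} binary changed: {known['path']} -> {host['path']}"))
        if not host["path"].startswith(EXPECTED_BINARY_PREFIXES):
            findings.append(("high", f"native host {name} runs from an unexpected location: {host['path']}"))
        # allowed_origins lists which extensions may talk to the host binary.
        for origin in host["allowed_origins"]:
            ext_id = origin.removeprefix("chrome-extension://").strip("/")
            caller = current["extensions"].get(ext_id)
            if caller is not None and not caller["from_webstore"]:
                findings.append(("high", f"native host {name} is callable by non-Web-Store extension {ext_id}"))
    return findings


# Constructed snapshots: field names follow Chrome's layout, but the IDs,
# names and paths are invented for this example.
GOOD_ID = "a" * 32
ROGUE_ID = "b" * 32
BASELINE_SNAPSHOT = {
    "extensions": {
        GOOD_ID: {"name": "Company Password Manager", "from_webstore": True, "path": f"{GOOD_ID}/2.4.1_0"},
    },
    "native_hosts": {
        "com.example.pwmanager": {
            "path": "/Applications/PWManager.app/Contents/MacOS/pwhost",
            "allowed_origins": [f"chrome-extension://{GOOD_ID}/"],
        },
    },
}
CURRENT_SNAPSHOT = {
    "extensions": {
        **BASELINE_SNAPSHOT["extensions"],
        ROGUE_ID: {"name": "Audio Fix Helper", "from_webstore": False, "path": "/Users/victim/Library/Caches/audiofix"},
    },
    "native_hosts": {
        **BASELINE_SNAPSHOT["native_hosts"],
        "com.example.audiofix": {
            "path": "/Users/victim/Library/Caches/audiofix/host",
            "allowed_origins": [f"chrome-extension://{ROGUE_ID}/"],
        },
    },
}

if __name__ == "__main__":
    for severity, message in audit(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT):
        print(f"[{severity}] {message}")
```

In practice you would call `load_snapshot()` once on a known-clean machine, store the result as JSON, and run `audit(saved, load_snapshot())` from a scheduled job or an EDR custom check; the constructed snapshots show what the output looks like when a sideloaded extension and a native host in a cache directory appear together.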
As cybercriminals raise the stakes with AI-driven ploys, defenders must adapt - because the next fake CEO in your inbox might just be a harbinger of a multimillion-dollar breach.
WIKICROOK
- Deepfake: A deepfake is AI-generated media that imitates real people’s appearance or voice, often used to deceive by creating convincing fake videos or audio.
- Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
- Downloader: A downloader is a small first-stage malicious program whose job, once it is running on a victim’s machine, is to fetch and install further, more capable malware.
- Session Token: A session token is a unique digital code that keeps users logged in to websites or apps. If stolen, attackers can access accounts without a password.
- Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.