North Korean Hackers Deploy New Malware in Sophisticated Crypto Heists

A recent cybersecurity report details a significant escalation in North Korea-linked digital espionage, with threat actors now employing advanced malware and AI-generated deepfakes to target cryptocurrency and financial technology firms.

Google Cloud's cybersecurity unit, Mandiant, identified a campaign by a group it tracks as UNC1069. The operation involved seven distinct malware families, including newly discovered tools named SILENCELIFT, DEEPBREATH, and CHROMEPUSH. These programs are engineered to bypass core system defenses and harvest sensitive data directly from victims' computers.

The attackers' methods are notably personal. In one documented case, they used a compromised Telegram account belonging to a cryptocurrency founder to initiate contact. The target was invited to a Zoom meeting featuring a deepfake video of the attacker, who claimed to have audio issues. Under the guise of fixing this problem, the victim was tricked into running a malicious command on their own system—a technique known as a ClickFix attack.

Mandiant notes that the adoption of AI tools in late 2025 allowed this group, active since at least 2018, to scale its operations and craft more convincing lures. The primary targets remain crypto companies, software developers, and venture capital firms.

This activity continues a pattern of high-value digital theft. In 2025 alone, North Korean operatives were linked to a $1.4 billion hack of the Bybit exchange and a separate scheme where freelancers infiltrated startups, stealing nearly a million dollars.

The report underscores a persistent and evolving threat to the digital asset sector, where social engineering and technical sophistication are increasingly combined to devastating effect.

Source: CoinTelegraph