Hackers Elevate Tactics with AI Integration
According to the latest research by Mandiant, a threat actor linked to North Korea, known as UNC1069, is leveraging artificial intelligence to scale up its operations and make them more sophisticated, focusing on the cryptocurrency and financial technology sectors.
The group has deployed multiple malware frameworks, including newly identified variants such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH, designed to extract sensitive data and compromise digital assets. Attackers are using compromised Telegram accounts and AI-generated deepfake videos to lure victims into fake Zoom meetings.
Expansion of Operations Driven by AI
Mandiant has tracked UNC1069 since 2018, but the group's recent adoption of AI capabilities has enabled it to expand its reach significantly since November 2025.
In one incident, attackers used a hijacked Telegram account belonging to a crypto founder to initiate contact. They then tricked targets into executing so-called 'troubleshooting' commands containing hidden payloads via a method known as ClickFix.
Recommended Security Measures
- Organizations should invest in regular cybersecurity awareness training to help employees identify and report social engineering attempts.
- Implement multi-factor authentication (MFA) and endpoint detection and response (EDR) solutions to enhance security posture.
- Monitor account activities regularly for signs of unauthorized access.
- Exercise caution with unsolicited meeting invites and verify the authenticity of communication channels.