Meet the Top 101 in Crypto
Security
Complexity Icon Easy
6 min read

Google Cloud Sounds the Alarm: North Korea’s New AI Crypto Malware Is Draining Wallets

Published 12 February 2026
Giuseppe Ciccomascolo
Authors

Key Takeaways

  • Google Cloud’s Mandiant has identified a new North Korea-linked malware campaign targeting crypto companies, developers, and venture capital firms.
  • The threat group, tracked as UNC1069, is deploying seven malware families, including newly discovered strains like CHROMEPUSH and DEEPBREATH.
  • The attackers are using AI-powered social engineering, including deepfake Zoom calls and compromised Telegram accounts, to trick victims into installing malware.
  • Crypto companies remain prime targets due to direct access to funds, remote communication workflows, and irreversible blockchain transactions.

A new warning from Google Cloud is putting the crypto industry on high alert. Mandiant, the cybersecurity firm operating under Google Cloud, says a North Korea-linked threat group is deploying advanced malware designed to steal cryptocurrency and sensitive data, and artificial intelligence is helping them scale faster than ever.

According to Mandiant, the threat cluster, tracked as UNC1069, has launched a new wave of targeted attacks against crypto companies, software developers, and venture capital firms.

The campaign includes seven distinct malware families, some newly discovered, that are capable of bypassing system protections and extracting wallet-related information.

The development marks a significant escalation in cyber threats facing the digital asset ecosystem.

How the New AI-Driven Crypto Malware Works

The attackers are not relying on brute-force hacks. Instead, they are using social engineering, a tactic that manipulates people into giving access voluntarily.

In one case documented by Mandiant, attackers compromised a Telegram account belonging to a crypto founder. They then contacted a target and invited them to what appeared to be a legitimate Zoom meeting.

Attack chain
How the attach chain looks like. | Credit: Mandiant

The twist: the meeting featured a deepfake video created using artificial intelligence.

During the call, the attacker claimed there were audio issues and asked the victim to run troubleshooting commands. Hidden within those commands was malicious code that triggered the infection process, a method known as a ClickFix attack.

Once installed, the malware begins collecting sensitive information from the victim’s device.

The Malware Families Targeting Crypto Users

Mandiant identified seven malware families used in the campaign. Among the most concerning are two newly discovered strains:

  • CHROMEPUSH
  • DEEPBREATH

These programs are designed to bypass key operating system components and gain access to browser data, stored credentials, and potentially cryptocurrency wallet information.

Another tool, named SILENCELIFT, was also deployed in the intrusion chain.

According to the report, these malware families are tailored to capture host data, harvest login credentials, and exfiltrate information without immediately alerting victims.

The targeting appears highly selective, focusing primarily on crypto-native businesses and individuals with access to digital assets.

Why AI Is Making These Attacks More Dangerous

Mandiant has tracked the suspected North Korea-linked actors since 2018. However, the use of AI marks a new phase.

The Google Threat Intelligence Group previously noted that in November 2025, it began incorporating AI-enabled lures into active operations for the first time. Deepfake videos and automated impersonation tactics make phishing attempts more convincing and harder to detect.

Artificial intelligence allows attackers to:

  • Create realistic fake video calls
  • Mimic voices and facial expressions
  • Generate believable messages at scale
  • Personalize attacks using scraped data

This lowers the cost of running large-scale campaigns and increases success rates.

Why Crypto Companies Are Prime Targets

Cryptocurrency businesses are attractive targets for several reasons:

  • Direct access to funds: Wallet credentials can immediately translate into financial gain.
  • High-value individuals: Founders, developers, and executives often manage large sums.
  • Remote operations: Crypto teams frequently operate via Telegram, Discord, and Zoom, making impersonation easier.
  • Irreversible transactions: Stolen crypto is often difficult to recover.
Crypto victims
Where the crypto victims come from. | Credit: Mandiant

North Korea-linked actors have repeatedly targeted the sector. Earlier in 2025, four North Korean operatives infiltrated crypto startups as freelance developers, stealing nearly $900,000. The Lazarus Group, another North Korea-linked entity, was connected to the $1.4 billion Bybit hack.

These attacks are part of a broader pattern of state-linked cyber activity aimed at generating revenue.

What Google Cloud and Mandiant Are Warning

Mandiant’s report highlights that this campaign represents an expansion of previous operations. The combination of social engineering and multiple malware families suggests a coordinated, well-resourced effort.

Although Mandiant describes the actors as “suspected” of having North Korean ties, the activity aligns with tactics observed in earlier campaigns.

The company has not publicly released further attribution details at this time.

How Crypto Users Can Protect Themselves

For individual investors and companies alike, the threat underscores the importance of cybersecurity hygiene.

Key precautions include:

  • Never running commands provided during unsolicited calls
  • Verifying meeting invitations through secondary channels
  • Using hardware wallets for long-term storage
  • Enabling multi-factor authentication (MFA)
  • Keeping operating systems and browsers updated
  • Limiting browser-based wallet exposure

Businesses should also implement internal policies to verify identities during remote meetings and restrict system-level command execution to trusted administrators.

Major North Korea-Linked Hacking Attacks in Crypto

Date / Period Attack / Incident Target / Description Estimated Loss
2017-2023 Multiple crypto exchange hacks Series of crypto heists investigated by the UN and attributed to North Korean state-linked actors $3 billion (aggregate)
March 2022 Ronin Network (Axie Infinity) Lazarus Group breached the Ronin bridge and drained funds from the gaming ecosystem $620 million
June 2022 Harmony Horizon Bridge Lazarus-linked exploit targeting cross-chain bridge infrastructure $100 million
2023 Atomic Wallet hack Compromise of wallet infrastructure affecting thousands of users $100 million
2023 Stake.com hack Exploit of hot wallets tied to the online crypto casino $41 million
2024 (Full year) Multiple exchange and DeFi attacks Coordinated intrusions across crypto platforms $1.3 billion (47 incidents)
July 2024 WazirX hack Multisig wallet compromise draining funds from Indian crypto exchange $235 million
Feb 2025 Bybit exchange hack Major breach attributed to Lazarus/TraderTraitor group $1.4-$1.5 billion
June 2025 Developer infiltration campaign North Korean operatives posed as freelance developers inside crypto startups $900,000
Late 2025 UNC1069 AI malware campaign Deepfake Zoom calls and social engineering to deploy malware targeting crypto founders and fintech firms Losses not publicly quantified
2025 (Full year) Record year of DPRK-linked crypto theft State-linked groups responsible for over half of global crypto theft volume $2.02 billion

A Growing Cybersecurity Challenge in Crypto

The broader message from Google Cloud is clear: crypto-focused cybercrime is evolving.

The integration of AI into malware campaigns significantly raises the bar for defense. Social engineering attacks that once relied on poorly written phishing emails now involve deepfake video calls and customized scripts.

As digital assets become more mainstream, they remain a lucrative target for sophisticated threat actors.

While the crypto industry continues to build new infrastructure, it must also strengthen its security practices. AI-powered malware is not a theoretical risk; it is already active.

The Google Cloud alarm suggests that vigilance is no longer optional.

FAQs

What is UNC1069?

UNC1069 is the name Mandiant uses to track a suspected North Korea-linked cyber threat group. Cybersecurity firms assign these labels to monitor ongoing attack patterns and tactics.

What is a ClickFix attack?

A ClickFix attack is a social engineering scam where attackers trick victims into running malicious commands on their own computer. The victim believes they are fixing a technical issue, but the command secretly installs malware.

How does this malware steal cryptocurrency?

The malware can collect browser data, stored passwords, and wallet credentials. If attackers gain access to private keys or exchange login details, they can transfer crypto funds to their own wallets.

What makes AI-driven attacks more dangerous?

Artificial intelligence allows attackers to create realistic deepfake videos, mimic voices, and generate convincing phishing messages at scale. This makes scams harder to detect and more believable.

Disclaimer: The information provided in this article is for informational purposes only. It is not intended to be, nor should it be construed as, financial advice. We do not make any warranties regarding the completeness, reliability, or accuracy of this information. All investments involve risk, and past performance does not guarantee future results. We recommend consulting a financial advisor before making any investment decisions.
Giuseppe Ciccomascolo

Giuseppe Ciccomascolo began his career as an investigative journalist in Italy, where he contributed to both local and national newspapers, focusing on various financial sectors.

Upon relocating to London, he worked as an analyst for Fitch's CapitalStructure and later as a Senior Reporter for Alliance News. In 2017, Giuseppe transitioned to covering cryptocurrency-related news, producing documentaries and articles on Bitcoin and other emerging digital currencies. He also played a pivotal role in establishing the academy for a cryptocurrency exchange website. Crypto remained his primary area of interest throughout his tenure as a writer for ThirdFloor.

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status