Key Takeaways
A new warning from Google Cloud is putting the crypto industry on high alert. Mandiant, the cybersecurity firm operating under Google Cloud, says a North Korea-linked threat group is deploying advanced malware designed to steal cryptocurrency and sensitive data, and artificial intelligence is helping them scale faster than ever.
According to Mandiant, the threat cluster, tracked as UNC1069, has launched a new wave of targeted attacks against crypto companies, software developers, and venture capital firms.
The campaign includes seven distinct malware families, some newly discovered, that are capable of bypassing system protections and extracting wallet-related information.
The development marks a significant escalation in cyber threats facing the digital asset ecosystem.
The attackers are not relying on brute-force hacks. Instead, they are using social engineering, a tactic that manipulates people into giving access voluntarily.
In one case documented by Mandiant, attackers compromised a Telegram account belonging to a crypto founder. They then contacted a target and invited them to what appeared to be a legitimate Zoom meeting.

The twist: the meeting featured a deepfake video created using artificial intelligence.
During the call, the attacker claimed there were audio issues and asked the victim to run troubleshooting commands. Hidden within those commands was malicious code that triggered the infection process, a method known as a ClickFix attack.
Once installed, the malware begins collecting sensitive information from the victim’s device.
Mandiant identified seven malware families used in the campaign. Among the most concerning are two newly discovered strains:
These programs are designed to bypass key operating system components and gain access to browser data, stored credentials, and potentially cryptocurrency wallet information.
Another tool, named SILENCELIFT, was also deployed in the intrusion chain.
According to the report, these malware families are tailored to capture host data, harvest login credentials, and exfiltrate information without immediately alerting victims.
The targeting appears highly selective, focusing primarily on crypto-native businesses and individuals with access to digital assets.
Mandiant has tracked the suspected North Korea-linked actors since 2018. However, the use of AI marks a new phase.
The Google Threat Intelligence Group previously noted that in November 2025, it began incorporating AI-enabled lures into active operations for the first time. Deepfake videos and automated impersonation tactics make phishing attempts more convincing and harder to detect.
Artificial intelligence allows attackers to:
This lowers the cost of running large-scale campaigns and increases success rates.
Cryptocurrency businesses are attractive targets for several reasons:

North Korea-linked actors have repeatedly targeted the sector. Earlier in 2025, four North Korean operatives infiltrated crypto startups as freelance developers, stealing nearly $900,000. The Lazarus Group, another North Korea-linked entity, was connected to the $1.4 billion Bybit hack.
These attacks are part of a broader pattern of state-linked cyber activity aimed at generating revenue.
Mandiant’s report highlights that this campaign represents an expansion of previous operations. The combination of social engineering and multiple malware families suggests a coordinated, well-resourced effort.
Although Mandiant describes the actors as “suspected” of having North Korean ties, the activity aligns with tactics observed in earlier campaigns.
The company has not publicly released further attribution details at this time.
For individual investors and companies alike, the threat underscores the importance of cybersecurity hygiene.
Key precautions include:
Businesses should also implement internal policies to verify identities during remote meetings and restrict system-level command execution to trusted administrators.
| Date / Period | Attack / Incident | Target / Description | Estimated Loss |
|---|---|---|---|
| 2017-2023 | Multiple crypto exchange hacks | Series of crypto heists investigated by the UN and attributed to North Korean state-linked actors | $3 billion (aggregate) |
| March 2022 | Ronin Network (Axie Infinity) | Lazarus Group breached the Ronin bridge and drained funds from the gaming ecosystem | $620 million |
| June 2022 | Harmony Horizon Bridge | Lazarus-linked exploit targeting cross-chain bridge infrastructure | $100 million |
| 2023 | Atomic Wallet hack | Compromise of wallet infrastructure affecting thousands of users | $100 million |
| 2023 | Stake.com hack | Exploit of hot wallets tied to the online crypto casino | $41 million |
| 2024 (Full year) | Multiple exchange and DeFi attacks | Coordinated intrusions across crypto platforms | $1.3 billion (47 incidents) |
| July 2024 | WazirX hack | Multisig wallet compromise draining funds from Indian crypto exchange | $235 million |
| Feb 2025 | Bybit exchange hack | Major breach attributed to Lazarus/TraderTraitor group | $1.4-$1.5 billion |
| June 2025 | Developer infiltration campaign | North Korean operatives posed as freelance developers inside crypto startups | $900,000 |
| Late 2025 | UNC1069 AI malware campaign | Deepfake Zoom calls and social engineering to deploy malware targeting crypto founders and fintech firms | Losses not publicly quantified |
| 2025 (Full year) | Record year of DPRK-linked crypto theft | State-linked groups responsible for over half of global crypto theft volume | $2.02 billion |
The broader message from Google Cloud is clear: crypto-focused cybercrime is evolving.
The integration of AI into malware campaigns significantly raises the bar for defense. Social engineering attacks that once relied on poorly written phishing emails now involve deepfake video calls and customized scripts.
As digital assets become more mainstream, they remain a lucrative target for sophisticated threat actors.
While the crypto industry continues to build new infrastructure, it must also strengthen its security practices. AI-powered malware is not a theoretical risk; it is already active.
The Google Cloud alarm suggests that vigilance is no longer optional.
UNC1069 is the name Mandiant uses to track a suspected North Korea-linked cyber threat group. Cybersecurity firms assign these labels to monitor ongoing attack patterns and tactics.
A ClickFix attack is a social engineering scam where attackers trick victims into running malicious commands on their own computer. The victim believes they are fixing a technical issue, but the command secretly installs malware.
The malware can collect browser data, stored passwords, and wallet credentials. If attackers gain access to private keys or exchange login details, they can transfer crypto funds to their own wallets.
Artificial intelligence allows attackers to create realistic deepfake videos, mimic voices, and generate convincing phishing messages at scale. This makes scams harder to detect and more believable.