February 11 News, Google’s security team Mandiant disclosed that a North Korea-linked hacker group is using deepfake videos and fake Zoom calls to carry out highly targeted social engineering attacks against the cryptocurrency industry, and is deploying multiple malicious programs to steal assets and data.
The investigation shows that this operation was launched by the cyber threat group UNC1069. The group has been active since at least 2018 and shifted its focus from traditional finance to the Web3 space after 2023, targeting executives of crypto financial technology companies, software developers, and venture capital professionals. The incident began when an industry executive’s Telegram account was hijacked. The attacker impersonated the individual to contact targets, build trust, and then send fake Calendly video meeting invitations.
After victims clicked the link, they were directed to a fake Zoom domain controlled by the attacker. During the call, the attacker played a deepfake video of what appeared to be the CEO of another crypto company, and claimed there was an “audio malfunction,” tricking the target into running a supposed troubleshooting command on their computer. These commands triggered an infection chain on macOS and Windows systems, silently deploying up to seven malicious software programs.
Mandiant confirmed that these tools can steal Keychain credentials, browser cookies, login information, Telegram sessions, and local sensitive files. Researchers believe that the attackers aim both to directly acquire crypto assets and to gather intelligence for future scams. Deploying so many tools on a single device indicates a carefully planned targeted infiltration.
This incident is not isolated. By 2025, similar AI conference scams had caused losses exceeding $300 million; throughout the year, cyber operations related to North Korea stole approximately $2.02 billion in digital assets, a 51% increase. Chainalysis also pointed out that scam groups utilizing on-chain AI services are significantly more efficient than traditional methods.
As the barrier to deepfake technology continues to lower, the crypto industry faces unprecedented security challenges. Experts warn that online meetings involving funds and system permissions must strengthen multi-factor authentication and device isolation; otherwise, they could become the next attack vector.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Ripple CTO: Kelp DAO Exploit Reflects Bridge Security Trade-Offs
David Schwartz, CTO Emeritus at Ripple, analyzed bridge security vulnerabilities following the $292 million Kelp DAO exploit. He noted that providers prioritized convenience over robust security, undermining essential protective features. The Kelp DAO breach stemmed from a private key leak, exacerbated by a simplified security configuration in their LayerZero implementation.
CryptoFrontier2h ago
rsETH LayerZero bridge hacked, Aave and other protocols urgently freeze funds
Kelp DAO’s liquidity re-staking token rsETH was attacked on April 19 by a hacker exploiting a cross-chain message verification vulnerability, resulting in 116,500 rsETH being released to an address controlled by the attacker. Multiple DeFi protocols urgently froze related functions to address potential losses. LayerZero stated that it is actively fixing the vulnerability and will release a post-incident analysis report.
MarketWhisper2h ago
France Logs 41 Crypto-Related Kidnappings and Home Invasions in 2025
In 2025, France documented 41 crypto-related kidnappings amid rising "wrench attacks," prompting heightened security around blockchain events. Global incidents of coercion surged by 75%, with France leading in cases. Efforts to improve safety and address concerns about becoming a crypto hub are underway.
GateNews2h ago
eth.limo domain hijacked; EasyDNS admits first social engineering attack in 28 years
The eth.limo domain was subject to DNS hijacking on April 17. The attacker, posing as a team member, successfully tricked the domain registrar EasyDNS into executing account recovery for the domain. Although this incident did not affect users, because the attacker did not obtain the DNSSEC key material, they were unable to bypass the trust chain. This incident highlighted the risks of social engineering in the crypto space and prompted eth.limo to switch to the Domainsure service, which does not support account recovery, to enhance security.
MarketWhisper3h ago
Curve Finance Suspends LayerZero Bridging as a Precaution, Limits CRV and crvUSD Bridge Access
Curve Finance has been attacked over LayerZero infrastructure related to rsETH, and has temporarily suspended cross-chain functionality to prevent risk, impacting CRV cross-chain bridging and the fast bridging of crvUSD. Founder Egorov said the incident demonstrates the risk of “non-isolated lending,” and proposed a fully isolated mode as an alternative. Kelp DAO also suffered losses of about $292 million due to the attack, affecting lending activity on the Aave platform.
MarketWhisper3h ago
A Kelp bridge hack spreads and affects Aave, as TVL plunges and bad debt surges to 196 million
Liquidity re-staking protocol Kelp’s cross-chain bridge was attacked, stealing 116,500 rsETH and depositing it into Aave V3, resulting in roughly $196 million in bad debt. Aave’s contracts were not affected, but the incident revealed the systemic risk of LRT collateral, prompting DeFi protocols to re-evaluate their risk models, which could lead to losses for stkAAVE holders.
MarketWhisper3h ago
