
UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering
Written by: Ross Inman, Adrian Hernandez

Introduction

North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals. Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to UNC1069, a financially motivated threat actor active since at least 2018. This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH. The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim. These tactics build upon a shift first documented in the November 2025 publication GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools where Google Threat Intelligence Group (GTIG) id
Continue reading on Google Cloud Blog



