UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering
Mandiant. Written by: Ross Inman, Adrian Hernandez

Introduction

• North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals.
• Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to UNC1069, a financially motivated threat actor active since at least 2018.
• This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH.
• The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim.
• These tactics build upon a shift first documented in the November 2025 publication GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools, in which Google Threat Intelligence Group (GTIG) identified UNC1069's transition from using AI for simple productivity gains to deploying novel AI-enabled lures in active operations.
• The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft.
Article Summaries:
- Mandiant's latest investigation uncovered a sophisticated intrusion by North Korean threat actor UNC1069 against a fintech company in the cryptocurrency sector. The attack deployed seven distinct malware families, including the new tools SILENCELIFT, DEEPBREATH, and CHROMEPUSH, to harvest credentials, browser data, and session tokens. Social engineering was central: a compromised Telegram account, a spoofed Zoom meeting, and a ClickFix command set lured the victim into executing malicious code. Reported use of an AI-generated deepfake CEO video further illustrates UNC1069's shift toward AI-enabled lures. The operation marks a notable expansion of the actor's capabilities beyond its usual cryptocurrency-startup focus.