North Korean cybercriminals use AI deepfakes to hijack cryptocurrency


New cyber‑attack tactics from a group linked to North Korea

Google specialists have exposed the operations of the hacking group UNC1069, allegedly under the control of North Korean authorities. Since 2018 they have been using artificial intelligence to develop new toolkits and social engineering schemes aimed at citizens and employees of cryptocurrency companies.

How the attack looks
1. Account compromise

Hackers gain access to an existing account (usually a social media or email account).

2. Launching a video conference

Through that account they send the victim a link to a Zoom session.

3. Deep‑fake meeting

Inside the call, a video with a fake face appears – for example, “the CEO of another crypto company.” The face is generated with AI and looks realistic enough that most people will not notice the fraud.

4. Step‑by‑step “maintenance”

The deep‑fake persona claims there are technical problems and asks the victim to perform a series of actions on their computer. The instructions contain malicious commands that launch backdoors and data‑stealing programs.

5. Acquisition of valuable material

Once the victim follows the instructions, the attackers gain access to confidential information and can potentially steal cryptocurrency.

Technological arsenal
- Gemini (AI assistant) – used for code generation, simulating software updates, and preparing instructions.
- GPT‑4o from OpenAI – employed by the BlueNoroff group to enhance images that convince users of the authenticity of the invitation.

Google called this technique “AI‑powered social engineering” and identified seven new families of malware involved in the attack.

Objectives and consequences
- Cryptocurrency theft – the primary financial motive.
- Collection of personal data – creates a database for future social‑engineering campaigns.
- Industry attacks – targets include software developers, venture firms, and their executives.

One account linked to the group was blocked by Google after attackers used Gemini to develop reconnaissance tools.

Thus, UNC1069 demonstrates how modern AI technologies enable hackers to create highly effective and hard‑to‑detect attacks on target audiences in the cryptocurrency sector.
