
UNC1069 Utilizes AI-Driven Social Engineering to Target Cryptocurrency Organizations

New research identifies a financially motivated threat actor leveraging synthetic media and "ClickFix" tactics to compromise Web3 and cryptocurrency firms. This analysis outlines the social engineering methodology—including fake Zoom interfaces and deepfake video—and provides guidance for detecting these intrusion attempts.

Triage Security Media Team

Financially motivated threat actors linked to North Korea continue to refine their targeting of the cryptocurrency sector, now incorporating synthetic media and complex social engineering into their operations. Recent research from Google Cloud’s Mandiant identifies a group tracked as UNC1069 using these methods to gain access to organizations within the Web3, software development, and venture capital industries.

The research highlights a specific campaign where the actor compromised a legitimate cryptocurrency executive's Telegram account to target a secondary individual. This pivot from compromised accounts allows the threat actor to establish immediate rapport and trust before introducing malicious elements.

Social Engineering Methodology

The observed operation follows a structured engagement pattern designed to move the target from a trusted communication channel to a controlled environment. After establishing contact through the compromised Telegram account, UNC1069 sends a Calendly link to schedule a meeting. This link directs the target to a fraudulent website hosted on the actor's infrastructure, designed to mimic a legitimate Zoom meeting interface.

Once the target joins the "meeting," they are presented with a video loop, likely an AI-generated deepfake, of a cryptocurrency executive from another firm. This video is used to simulate a technical issue, specifically audio connectivity problems. The actor then pivots to a "ClickFix" tactic, a social engineering technique in which the user is persuaded to manually execute code to resolve the fabricated problem.

The fraudulent Zoom page provides "troubleshooting" instructions tailored to the user's operating system (macOS or Windows). These instructions ask the user to copy and paste a script into their terminal or command prompt. While framed as a fix for audio drivers, this action initiates the compromise sequence.

Technical Execution and Tooling

If the target executes the provided commands, the script deploys a backdoor that establishes a foothold for the threat actor. Mandiant's analysis indicates that this initial access is used to deploy additional tools aimed at data exfiltration and persistence.

In observed cases involving macOS devices, the initial script installs a backdoor followed by a downloader. This allows the deployment of data-mining tools designed to harvest sensitive information, including:

  • Keychain credentials
  • Browser data
  • Telegram user data
  • Apple Notes contents

The actors also leverage large language models (LLMs) during the reconnaissance and development phases, using them to research targets and refine their tooling. This demonstrates a methodical integration of AI technologies into the threat actor’s operational workflow.

Strategic Shift and Attribution

UNC1069, which has been active since at least 2018, is assessed to be acting in support of North Korean state interests. Since 2023, the group has shifted its focus from traditional financial institutions toward the Web3 ecosystem. This aligns with broader trends of North Korean cyber operations prioritizing cryptocurrency theft to generate revenue.

While other groups associated with the region are known for large-scale unauthorized transfers, UNC1069 specializes in sophisticated access operations. By combining compromised legitimate accounts, high-quality synthetic media, and the ClickFix technique, they bypass technical controls by exploiting human trust and helpfulness.

Protective Measures

Security teams and individuals in the cryptocurrency and Web3 sectors can strengthen their defenses against these tactics through verified communication processes.

Verify Meeting Infrastructure: Be cautious of meeting links that do not originate from standard domains (e.g., zoom.us). The use of custom domains or redirects for meeting interfaces is a strong indicator of potential malicious activity.
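As an added illustration of the meeting-link check described above (not code from the article or from Mandiant), the following Python script extracts URLs from a chat or calendar message and flags any host that is not zoom.us or a proper subdomain of it. The allowlist entries other than zoom.us, the brand-token list and the sample messages are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumption: an organization's own allowlist of legitimate meeting hosts.
# zoom.us is the domain named in the article; the other two are illustrative.
MEETING_ALLOWLIST = {"zoom.us", "teams.microsoft.com", "meet.google.com"}
# Brand words whose presence in a non-allowlisted host suggests a look-alike.
BRAND_TOKENS = ("zoom", "teams", "meet")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_allowed(host, allowlist=MEETING_ALLOWLIST):
    """True only for an allowlisted domain or a proper subdomain of it.
    A bare suffix match would accept 'notzoom.us'; a substring match would
    accept 'zoom.us.attacker.example', the pattern a fake meeting page uses."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def classify_host(host):
    """'allowed', 'lookalike' (brand word on a foreign domain) or 'unknown'."""
    host = host.lower()
    if host_is_allowed(host):
        return "allowed"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def triage_message(text):
    """Extract every URL in a message and label its host."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # drop sentence punctuation glued to the URL
        host = urlparse(url).hostname or ""
        findings.append((url, host, classify_host(host)))
    return findings


# Constructed sample messages (not real indicators); .example is a reserved TLD.
SAMPLE_MESSAGES = [
    "Join here: https://us02web.zoom.us/j/1234567890?pwd=abc.",
    "Meeting moved, use https://zoom.us.meet-sync.example/j/1234567890",
    "Audio broken? Open https://zoom-audio-fix.example/mac and follow the steps",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, host, verdict in triage_message(msg):
            print(f"{verdict:10} {host:30} {url}")
```

Run as-is, only the first sample is reported as allowed; the second and third are flagged as look-alikes because the brand word sits on a domain the organization does not control.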

Restrict Code Execution: Organizational policies should strictly prohibit pasting code from web pages or chat instructions into terminals or command prompts. "ClickFix" tactics rely on the user bypassing security warnings under the guise of technical support.

Out-of-Band Verification: If a contact reports technical issues or account changes via a messaging platform, verify their identity through a secondary channel, such as a phone call to a known number or an internal corporate directory, before taking any technical action.