- By Alex David
- Wed, 11 Feb 2026 11:37 PM (IST)
- Source: JND
A North Korea-backed hacking group is said to have launched an attack campaign targeting cryptocurrency and decentralised finance (DeFi) executives using advanced social engineering techniques. The attackers use compromised Telegram accounts, fake Zoom meeting links, AI-generated deepfake videos and a range of malware, from standard credential-stealing modules to those that lock victims out of their accounts, according to the Google-owned cybersecurity consulting firm.
AI Deepfakes and ClickFix Scam
Mandiant, the Google-owned company, has revealed the activities of a threat actor it tracks as UNC1069, The Record reported.
The attack typically unfolds as follows:
- Victim is contacted through a compromised Telegram account
- A fake Zoom meeting link is shared
- The link contains the ClickFix infection vector
- During the meeting, AI-generated deepfake videos are shown to build trust
- Victim is prompted to install a fake Zoom SDK update, which installs malware
Once access is gained, attackers steal credentials, browser data, and session tokens. They also change passwords to block legitimate access.
Malware Families
According to Mandiant, the UNC1069 group deploys seven “unique malware families”, including:
- SILENCELIFT
- DEEPBREATH
- CHROMEPUSH
- WAVESHAPER
- HYPERCALL
- SUGARLOADER
These tools are designed to siphon off critical information and open a backdoor for financial fraud and crypto theft.
Use of AI and Gemini in Attacks
The Google Threat Intelligence Group said that UNC1069 has leveraged Gemini to “develop tooling, conduct operational research, and support” its investigation of victims. The group has also been branching out into AI-enabled attacks, such as using deepfake impersonations during live meetings.
Hashed Executive Got Targeted
In May 2025, Ryan Kim, co-founder of the blockchain firm Hashed, revealed that he had been attacked in a similar manner. He had scheduled a meeting through Calendly and then received a bogus Zoom invitation masquerading as a software update. After installation, the malware gave the adversaries access to his Telegram Desktop session, the ability to modify passwords and recovery email accounts, and even a way to bypass two-factor authentication.