Mandiant reports UNC1069 has intensified cyberattacks since late 2025, using AI deepfakes, hijacked Telegram accounts, and multiple malware strains against cryptocurrency and fintech companies.
Mandiant has documented an escalation in operations by the North Korea-linked cyber group UNC1069, which targets cryptocurrency and fintech firms. Since November 2025, the group has expanded its social engineering campaigns, deploying seven malware families—including SILENCELIFT, DEEPBREATH, and CHROMEPUSH—to exfiltrate financial assets and sensitive data. Attack methods have included AI-generated deepfake videos in fraudulent Zoom meetings and hijacked Telegram accounts, which let the operators impersonate trusted contacts and distribute malicious software. The malware harvested credentials and browser data, facilitating unauthorized access to corporate systems and digital asset platforms.