UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering

Written by: Ross Inman, Adrian Hernandez Introduction North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals. Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to UNC1069 , a financially motivated threat actor active since at least 2018. This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH.

The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim. These tactics build upon a shift first documented in the November 2025 publication GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools where Google Threat Intelligence Group (GTIG) identified UNC1069's transition from using AI for simple productivity gains to deploying novel AI-enabled lures in active operations.

The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft. While UNC1069 typically targets cryptocurrency startups, software developers, and venture capital firms, the deployment of multiple new malware families alongside the known downloader SUGARLOADER marks a significant expansion in their capabilities. Initial Vector and Social Engineering The victim was contacted via Telegram through the account of an executive of a cryptocurrency company that had been compromised by UNC1069.