Google and Mandiant reported that North Korea-aligned threat groups deployed malware that leans on artificial intelligence against cryptocurrency and DeFi targets. The most striking technique used public blockchains to host attacker instructions, raising the risk of direct theft and credential exfiltration for custodians, developers, and trading firms.
Google and Mandiant attributed multiple recent intrusion campaigns to groups aligned with North Korea, including UNC1069 and KONNI, noting an increasing level of sophistication and a clear financial focus. According to researchers, these operations were not isolated incidents but part of a sustained effort to infiltrate the global crypto ecosystem by exploiting the trust, operational urgency, and digital exposure of its key players.
One of the most illustrative cases was documented on February 9, when the Telegram account of a crypto executive was compromised. From that account, the attackers staged a deepfake video call and then ran a "ClickFix" workflow, in which the victim receives purported troubleshooting instructions and is talked into pasting commands into a terminal or Run dialog themselves. Variants of these commands existed for both macOS and Windows, and they installed additional malicious tools without raising immediate suspicion.
The delivery vectors reinforced the credibility of the deception by relying on spoofed Zoom infrastructure, malicious ads through Google Ads, and bait distributed on Discord. This multi-channel approach allowed for broader campaign reach and increased the likelihood of success, especially among technical profiles accustomed to resolving issues quickly and under pressure.
The attack chain and its tooling
Throughout the entire attack chain, analysts found intensive use of artificial intelligence. Large language models were used to write convincing social engineering lures, to generate and obfuscate malicious scripts on the fly, and to produce fresh code on demand so that signature-based detection has nothing stable to match. Experimental tooling was also identified, including AI-assisted ransomware prototypes and droppers that query an LLM at runtime to adapt their behavior.
In parallel, researchers cataloged malware families, both new and previously known, chained together in multi-stage infections. Among those named were WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, CHROMEPUSH, SILENCELIFT, and SUGARLOADER, which between them cover in-memory downloaders and loaders, data stealers, and operator-controlled backdoors.
The researchers also observed EtherHiding, a technique that stores encrypted instructions inside smart contracts on BNB Smart Chain and Ethereum. Because the malware retrieves them with read-only calls to public RPC nodes rather than contacting attacker-owned servers, the command-and-control channel is resilient and hard to dismantle: the contract cannot be taken down, and the operators can rotate the payload with a single transaction.
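As an added example (not code from the Google/Mandiant report, and not any of the malware families named on this page), the following Python shows the mechanics the paragraph describes and one way to hunt for them: a contract "view" call returns an ABI-encoded string, the loader unwraps it into its next-stage instruction, and a detection pass over egress-proxy logs flags `eth_call` requests to public RPC gateways coming from processes that have no business making them. The RPC host list, process allowlist, contract address, function selector, log format and base64 wrapping are all constructed assumptions for this example; real samples use their own encoding.

```python
import base64
import json

# Constructed for this example: public JSON-RPC gateways that wallets and dApps
# query legitimately and that an EtherHiding loader can query just as easily.
PUBLIC_RPC_HOSTS = {"bsc-dataseed.binance.org", "cloudflare-eth.com"}

# Assumption: on a developer workstation only browsers and wallet software
# are expected to talk to chain RPC endpoints at all.
EXPECTED_RPC_PROCESSES = {"chrome.exe", "firefox.exe", "ledger-live.exe"}


def abi_encode_string(text: str) -> str:
    """ABI-encode one dynamic `string` return value: 32-byte offset, 32-byte
    length, then the UTF-8 bytes zero-padded to a 32-byte boundary."""
    data = text.encode()
    pad = (32 - len(data) % 32) % 32
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + data + b"\x00" * pad).hex()


def abi_decode_string(hexstr: str) -> str:
    """Inverse of abi_encode_string; this is what a loader does with the raw
    `result` field of an eth_call response."""
    raw = bytes.fromhex(hexstr[2:])
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode()


def decode_stage(result_hex: str) -> str:
    """Unwrap a contract return value that carries base64 text (assumed
    wrapping for this example only)."""
    return base64.b64decode(abi_decode_string(result_hex)).decode()


def flag_eth_calls(log_lines):
    """Scan JSON-per-line proxy records and return eth_call requests sent to
    public RPC gateways by processes outside the allowlist, decoding the
    response payload where the assumed wrapping applies."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        if entry["host"] not in PUBLIC_RPC_HOSTS:
            continue
        request = json.loads(entry["request"])
        if request.get("method") != "eth_call":
            continue  # eth_blockNumber, balance lookups etc. are ordinary wallet noise
        if entry["process"] in EXPECTED_RPC_PROCESSES:
            continue
        finding = {
            "process": entry["process"],
            "host": entry["host"],
            "contract": request["params"][0]["to"],
            "decoded": None,
        }
        try:
            finding["decoded"] = decode_stage(json.loads(entry["response"])["result"])
        except (ValueError, KeyError):
            pass  # not the assumed wrapping; the call itself is still the finding
        findings.append(finding)
    return findings


# Constructed sample data (placeholders, not real indicators).
CONTRACT = "0x" + "11" * 20          # hypothetical contract address
SELECTOR = "0x12345678"              # hypothetical view-function selector
STAGE_TEXT = "stage2=https://cdn.example.invalid/update.bin"
CONTRACT_RESULT = abi_encode_string(base64.b64encode(STAGE_TEXT.encode()).decode())


def _record(process, host, method, params, result):
    """Build one constructed proxy log line: process, host, request and response bodies."""
    return json.dumps({
        "process": process,
        "host": host,
        "request": json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params}),
        "response": json.dumps({"jsonrpc": "2.0", "id": 1, "result": result}),
    })


CALL_PARAMS = [{"to": CONTRACT, "data": SELECTOR}, "latest"]
SAMPLE_LOGS = [
    _record("chrome.exe", "cloudflare-eth.com", "eth_call", CALL_PARAMS, CONTRACT_RESULT),   # wallet: expected
    _record("node.exe", "bsc-dataseed.binance.org", "eth_blockNumber", [], "0x1"),          # not eth_call
    _record("node.exe", "bsc-dataseed.binance.org", "eth_call", CALL_PARAMS, CONTRACT_RESULT),  # suspicious
]

if __name__ == "__main__":
    for finding in flag_eth_calls(SAMPLE_LOGS):
        print(finding)
```

The point of keying on `eth_call` rather than on the RPC host is that the host is reputable by design: blocking it would break every wallet in the building, while a scripting host or a freshly dropped binary issuing read-only contract calls is a narrow, low-noise signal. In a real deployment the process allowlist comes from your endpoint inventory, and the decoded payload is only a bonus; the finding stands without it.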
These campaigns were clearly targeting crypto startups, developers, venture capital firms, and Web3 staff, with objectives such as credential theft, exfiltration of browser cookies and keychains, and the direct diversion of digital assets. For traders and fund managers the risk is twofold: the compromise of signing environments or session tokens that can authorize transfers, and the silent surveillance of sensitive trading or custody operations.

