OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Threats· Trust Inversion series· Apr 24, 2026· 5 min read

UNC1069 Is Deepfaking CEOs on Zoom to Drain Crypto Wallets

On April 15, 2026, crypto wallet provider Zerion disclosed that approximately $100,000 was stolen from its hot wallets through an AI-enabled social engineering attack that compromised employee sessions, credentials, and private keys. The methodology matched a detailed Mandiant report published February 9, 2026 documenting North Korean threat group UNC1069 using deepfake video of real crypto CEOs inside fake Zoom calls to deliver the ClickFix payload. The Security Alliance has blocked 164 UNC1069-linked domains between February and April. This is the industrialization of AI-enabled social engineering at the nation-state level, and the attack surface is the human layer, not the smart contract layer.

Key takeaways

  1. On April 15, 2026, Zerion confirmed that DPRK-linked hackers stole approximately $100,000 from company-operated hot wallets after an AI-powered social engineering campaign compromised employee logged-in sessions, credentials, and private keys. Zerion stated no user funds or core infrastructure were breached and disabled its web app as a precaution while investigating. The Zerion methodology matched the UNC1069 playbook documented by Mandiant on February 9
  2. Mandiant's February 9 report described a tailored intrusion against a FinTech victim: a compromised Telegram account of a real crypto executive, a Calendly link to a spoofed Zoom meeting hosted at zoom.uswe05.us, a reported deepfake video of a known cryptocurrency CEO during the call, and then a ClickFix social engineering step where the victim was told audio was broken and instructed to run troubleshooting commands that silently installed seven distinct malware families
  3. The seven malware families Mandiant recovered included WAVESHAPER (a packed backdoor), HYPERCALL (a downloader), HIDDENCALL (hands-on keyboard access), SUGARLOADER, SILENCELIFT (a toehold backdoor), DEEPBREATH (a Swift-based data miner that manipulates the macOS TCC database to gain broad filesystem access), and CHROMEPUSH. The objective is credential theft, session hijacking, browser cookie theft, Keychain credentials, and Telegram session information to enable further downstream attacks
  4. The Security Alliance (SEAL), an industry consortium coordinating incident response, tracked and blocked 164 domains linked to UNC1069 between February and April 2026. SEAL describes the group's methodology as patient, precise, and defined by the deliberate weaponization of existing trust relationships. The group runs multiweek low-pressure campaigns across Telegram, LinkedIn, and Slack
  5. North Korea stole more than $2 billion in cryptocurrency in 2025 according to US officials at the United Nations in March. Chainalysis put the 2025 figure at $2.02 billion, a 51% increase over 2024. The Zerion theft and the Drift Protocol exploit three weeks earlier ($285 million, also attributed to DPRK actors) are the April 2026 installments of an ongoing state-funded revenue operation

What Happened

On April 15, 2026, cryptocurrency wallet provider Zerion published a post-mortem disclosing that DPRK-linked hackers had stolen approximately $100,000 from company-operated hot wallets through an AI-powered social engineering campaign. The attackers compromised employee logged-in sessions, credentials, and the private keys to Zerion's hot wallets. Zerion stated clearly that no user funds, Zerion apps, or core infrastructure were affected. The company disabled its web app as a precaution and opened an investigation. The Security Alliance, an industry consortium that coordinates responses to these attacks, confirmed the methodology matched a broader campaign run by UNC1069, the North Korean threat group Mandiant had documented in detail two months earlier.

The Mandiant report, published February 9, 2026 and titled 'UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering,' described a surgical intrusion against a different FinTech victim using the same playbook. A compromised Telegram account of a real crypto executive. A Calendly link to schedule a 30-minute meeting. A spoofed Zoom call hosted on attacker infrastructure at zoom.uswe05.us. A deepfake video of a known cryptocurrency CEO displayed during the call. A ClickFix social engineering step where the attackers claimed there were audio problems and instructed the victim to run troubleshooting commands for both macOS and Windows. Those commands initiated the infection chain. Seven distinct malware families were recovered from the compromised system.

The Attack Is Not a Smart Contract Exploit

The technical sophistication of Zerion's wallet infrastructure did not fail. No smart contract was exploited. No cryptographic primitive was broken. No node was compromised. The attack surface was a human being on a video call, and the breach point was that human being's trust in what they saw and heard. The victim saw a face they recognized on Zoom. The victim heard what sounded like a familiar voice. The victim was told there was a technical issue requiring a small troubleshooting step. The victim ran the commands. Everything else followed from that single decision.

This is the trust inversion pattern. The protection mechanism is the attack vector. Video calls are supposed to verify identity by letting you see the person you are talking to. Zoom is supposed to be a trusted business tool. Calendly is supposed to route meetings through a legitimate scheduling layer. In this attack, each of those trusted layers is the specific mechanism the adversary uses to build credibility. The victim does not see a phishing email and ignore it. The victim sees a Zoom link from a scheduled Calendly meeting with a known industry executive, clicks through, and participates in a video call with what appears to be a recognizable CEO. The trust is the bait.

Why This Pattern Scales

Google's Threat Intelligence Group has tracked UNC1069's progression toward AI-enabled operations since at least November 2025. The evolution is observable in three stages. Stage one: AI used for productivity, drafting phishing emails, translating lures into target languages, conducting reconnaissance. This is where most threat groups operated in 2024 and early 2025. Stage two: AI used for content generation, creating deepfake images, cloning voices from publicly available audio (earnings calls, podcasts, conference talks), building synthetic personas. Stage three: AI deployed in live active operations, deepfake video and cloned audio used in real time during calls to manipulate targets. UNC1069 is operating at stage three today.

The Mandiant report noted the group has also used Google's Gemini for operational research and tool development. Kaspersky separately reported the overlapping DPRK group Bluenoroff is using GPT-4o to modify images. The SEAL consortium blocked 164 UNC1069 domains between February and April, suggesting a sustained campaign rather than a single operation. This is not one threat actor experimenting with AI. This is a state-sponsored offensive playbook using commodity AI tools at operational scale. The cost per attempt has collapsed. The quality per attempt has risen. The pattern now scales in a way that hardened engineering teams at crypto firms are not structurally prepared for.

What This Means for You

If you self-custody Bitcoin or operate any wallet where private keys live on a machine you use for video meetings, your operational assumption should be that any key-adjacent Zoom call is a potential attack surface. This means three concrete practices. First, out-of-band verification for any meeting that will discuss keys, transfers, custody changes, or anything wallet-related. If someone calls you asking about a wallet operation, confirm through a separate channel you established in advance, by phone, in person, or through a pre-arranged code word. A deepfake cannot pass a verification you built before the attacker had access to your channels.

Second, compartmentalize the machine that signs transactions from the machine that runs video calls. Your signing device should not be the laptop where you take Zoom meetings. Hardware wallets exist for exactly this reason: the signing happens on a device that never touches the internet and cannot be compromised by a ClickFix troubleshooting command on your general-purpose computer. If your workflow currently has you signing transactions on the same machine where you take unplanned video calls with new contacts, that is the single biggest operational change to make this week.

Third, treat unexpected requests for screen-share, troubleshooting commands, or 'audio is broken so let me help you fix it' as malicious by default. This is the ClickFix signature and it is now the delivery mechanism for state-sponsored malware. A legitimate colleague with audio problems does not ask you to run commands on your system. The correct response is to end the call, reach out through a different channel, and reschedule. The social pressure to be helpful in a live meeting is exactly the pressure the attack is designed to exploit.

What to Watch

Watch for additional Zerion-pattern incidents against mid-sized crypto firms. The industry has been warning for two years that social engineering would overtake smart contract exploits as the primary loss vector. 2026 is the year that shift became measurable. Watch SEAL's domain-blocking numbers: 164 in two months is the current trajectory and it implies the operation is funded for the long run. Watch whether major video conferencing providers (Zoom, Google Meet, Microsoft Teams) implement any authenticity signaling for deepfake detection at the platform level. And watch the next DPRK crypto revenue disclosure from the UN Panel of Experts or Chainalysis, because the $2 billion 2025 figure was already a 51% year-over-year increase and the April numbers suggest 2026 will be larger still.

The victim saw a face they recognized. That was the entire attack.

Sources

  1. [1]Google Cloud / Mandiant — 'UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering', February 9, 2026
  2. [2]The Record / Recorded Future News — 'North Korean hackers targeted crypto exec with fake Zoom meeting, ClickFix scam', Jonathan Greig, February 10, 2026
  3. [3]Decrypt — 'Google Warns of AI-Powered North Korean Malware Campaign Targeting Crypto, DeFi', February 10, 2026
  4. [4]Zerion — Post-mortem disclosure of April 15, 2026 hot wallet compromise
  5. [5]Cryptonomist — 'North Korean hackers used AI in a crypto hacking campaign', April 15, 2026
  6. [6]Security Alliance (SEAL) — Report on 164 UNC1069 domain blocks February-April 2026
  7. [7]Chainalysis — 2025 North Korea cryptocurrency theft totals ($2.02 billion, +51% YoY)
  8. [8]Breacher.ai — 'UNC1069 Deepfake' analysis of the Mandiant report, February 11, 2026
Trust Inversion series · Part 3 of 11
← Previous part
Fake Ledger App Drained $9.5M From Apple's App Store
Next part →
Drift Hack Began With Months of In-Person DPRK Social Engineering

More in Trust Inversion

Hinkal Lost $820,000 After Its Privacy Proof Verification Failed to Verify Anything$1.7 Million Drained Through a Single Forged Proof on TaikoFTX Repays Bitcoin Creditors at $16,871 Petition-Date Price