lazarusholic

UNC1069: DPRK’s Deepfake-Driven Cyber Campaign Targeting Crypto and Software Supply Chains

2026-04-18, FalconFeeds
https://falconfeeds.io/blogs/unc1069-dprk-deepfake-cyber-campaign-crypto-supply-chain-attacks/
#UNC1069 #Deepfake

UNC1069 is a financially motivated North Korean threat actor first observed by Mandiant (Google Cloud) in 2018. The group is assessed with high confidence to operate under the Reconnaissance General Bureau (RGB), North Korea's primary foreign intelligence service, and forms part of a broader cluster of DPRK cyber operations that has cumulatively stolen an estimated $3 billion or more in cryptocurrency since 2016.

In February 2026, Google Threat Intelligence Group (GTIG) published a detailed examination of a recent UNC1069 intrusion in which the actor compromised a fintech entity after impersonating a known investment contact via a hijacked Telegram account. The victim was lured into a fake Zoom meeting in which a real-time, AI-generated deepfake video of a CEO was played, the first confirmed use of live deepfake video in a DPRK cyber intrusion. A ClickFix social-engineering lure then got the victim to trigger malware execution themselves, resulting in the deployment of seven distinct malware families across Windows and …