AI-assisted hacking group hits targets with a complicated ‘social engineering’ scam that involves deepfaked CEOs, spoofed Zoom calls and a malicious troubleshooting program

A hacking group reportedly based out of North Korea has come up with a “new tooling and AI-enabled social engineering” scam, according to Google, and it’s pretty complicated.

Effectively, it uses a hacked account to send a Zoom link, via a calendar invite, to an uncompromised account. That "Zoom" link is in fact a spoof, and what targets are met with is a deepfaked version of the account owner. Google's report notes that a version of this deepfake takes the form "of a CEO from another cryptocurrency company."

Once in the meeting, the deepfaked user claims to have technical issues and walks the target through "troubleshooting" their PC. The troubleshooting prompt leads them to run a malicious string of commands that then installs a series of backdoors and data miners on the victim's PC.
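The lure described above starts with a calendar invite whose meeting link only looks like Zoom. As an added defensive illustration (not code from Google's report or from this article), the following Python unfolds an .ics invite and flags any link that mentions Zoom but does not actually resolve to a Zoom host; the allowed-domain list and the sample invite are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts that legitimately serve Zoom meeting links. Vanity and
# regional subdomains (e.g. us02web.zoom.us) pass via the suffix check below.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unfold_ics(ics_text: str) -> str:
    """RFC 5545 folds long lines; a continuation line starts with a space or
    tab. Join them so a URL split across lines is seen whole."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)

def is_zoom_host(host: str) -> bool:
    """True only if host is a Zoom domain or a subdomain of one.
    'zoom.us.example' and 'zoom-us.example' are rejected."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ZOOM_DOMAINS)

def suspicious_meeting_links(ics_text: str) -> list[str]:
    """Return every URL in the invite that presents as Zoom (the word appears
    anywhere in the URL) but whose real hostname is not a Zoom domain.
    urlparse().hostname ignores userinfo, so 'https://zoom.us@evil.example'
    is judged by 'evil.example', not by the 'zoom.us' decoy."""
    flagged = []
    for url in URL_RE.findall(unfold_ics(ics_text)):
        url = url.rstrip(".,;)")          # drop trailing punctuation
        host = urlparse(url).hostname or ""
        if "zoom" in url.lower() and not is_zoom_host(host):
            flagged.append(url)
    return flagged

# Constructed sample invite: one genuine Zoom link, two lookalikes.
SAMPLE_INVITE = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Quick sync on the funding round
LOCATION:https://us02web.zoom.us/j/1234567890
DESCRIPTION:Join here: https://zoom.us@meet-zoom-support.example/j/1234
 567890 (backup: https://zoom-us.example/j/1)
END:VEVENT
END:VCALENDAR
"""

if __name__ == "__main__":
    for link in suspicious_meeting_links(SAMPLE_INVITE):
        print("suspicious meeting link:", link)
```

A link that passes this check can still be malicious; the point is that a host mismatch alone is enough to hold the invite for review before anyone joins.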

Google calls it “AI-enabled social engineering” and notes 7 new malware families used in the attack.

UNC1069 are the actors Google has identified as being behind the scam. They have reportedly been active since 2018 and were found to have been using Gemini last year to “develop code to steal cryptocurrency, as well as to craft fraudulent instructions impersonating a software update to extract user credentials”.

"North Korean actor UNC1069 is targeting the crypto sector with AI-enabled social engineering, deepfakes, and 7 new malware families. Get the details on their TTPs and tooling, as well as IOCs to detect and hunt for the activity detailed in our post: https://t.co/t2qIB35stt" (February 9, 2026)

Google says UNC1069 is “employing these techniques to target both corporate entities and individuals within the cryptocurrency industry, including software firms and their developers, as well as venture capital firms and their employees or executives.”

Because the scam needs access to a compromised account to start in the first place, Google notes the attacks have "a dual purpose; enabling cryptocurrency theft and fueling future social engineering campaigns by leveraging victim's identity and data."

Though Google states that the account linked to the group has been terminated, Gemini was used at some point “to develop tooling, conduct operational research, and assist during the reconnaissance stages.”

Gemini is not the only AI tool being used in similar cybercrimes. Antivirus creator and cybersecurity company Kaspersky claims hacking group BlueNoroff is using GPT-4o to enhance images to convince targets.

As AI gets more impressive and complicated, so too will the scams to accompany it. One can only hope that anti-scam measures become equally clever.
