North Korea-linked hackers deploy AI deepfakes and new malware against crypto and fintech firms

Security analysts have documented a stepped-up campaign by a threat cluster tied to North Korea that mixes social engineering, platform compromise and generative-AI tricks to breach crypto and fintech targets. Attackers routinely hijacked messaging identities and staged remote meetings where fabricated video or audio glitches were used as a pretext to persuade victims to run seemingly routine maintenance commands. Those benign-looking instructions concealed a single directive that triggered an automated infection sequence, enabling remote tooling to fingerprint hosts, harvest credentials and siphon sensitive material. Investigators observed seven separate malware families across engagements and identified three recently developed tools purpose-built to bypass operating-system protections and extract personal and application data. The operation compressed reconnaissance, account compromise and payload delivery into short, trust-based interactions that exploited confidence in familiar collaboration apps. Researchers also noted that the same automation and persona-generation capabilities making these lures so convincing are being applied elsewhere: exposed and poorly secured AI endpoints, third-party agent plugins and marketplace skills are creating new, high-value attack surfaces that can be discovered and weaponized rapidly. Commercialized reconnaissance, persona-scraping and subscription phishing services lower the technical bar for scaling such campaigns, while poisoned plugin ecosystems and exposed model control planes can provide easy access to tokens, secrets and command interfaces. The likely operational objectives remain financial—covert exfiltration of credentials, cryptographic keys and account access for later monetisation—rather than broad destructive sabotage. Attribution is probabilistic but behavioural patterns, tool reuse and targeting choices align with groups historically linked to the DPRK. For defenders, the combined threat of AI-synthesised impersonation, compromised collaboration accounts and bespoke data-exfiltration malware complicates detection because initial stages mimic routine troubleshooting and legitimate platform activity. Effective mitigation therefore must pair traditional telemetry (endpoint and network) with identity-first controls, stricter governance of AI endpoints and plugin marketplaces, and process redesigns that eliminate single-step opportunities for human-mediated compromise. The activity underscores how generative AI and automated discovery are amplifying both the realism and reach of social-engineering attacks, forcing organisations that handle digital assets to adopt multi-party verification, rotate exposed credentials, inventory public-facing AI services and tighten browser and plugin governance.