Crypto Pros in the Crosshairs: Inside North Korea’s Elaborate Fake Meeting Heist
Subtitle: A new breed of North Korean cybercriminals are luring cryptocurrency experts into digital traps using bogus meetings and custom malware.
It starts with a LinkedIn message from a promising venture capital firm, an invitation to discuss your next big crypto project. But behind the polished branding and friendly chat lies one of the world’s most aggressive state-backed cybercrime rings-UNC1069. Their game? Stealing digital assets to bankroll espionage and weapons programs, and their methods are a masterclass in deception.
The Anatomy of a Digital Con
Researchers from Google Cloud and Mandiant have peeled back the layers of UNC1069’s latest campaign, revealing a blend of old-school social engineering and cutting-edge malware. The attackers begin by impersonating venture funds-names like “WallEye Capital” or “Web3BitCapital”-and approach their targets via professional platforms such as LinkedIn and Telegram. By hijacking existing accounts, they add an extra sheen of legitimacy.
Once a relationship is established, the victim receives a meeting invite-sometimes through familiar tools like Calendly. But the meeting isn’t real. Instead, the links direct unsuspecting professionals to attacker-controlled sites that mimic Google Meet, Zoom, or Microsoft Teams. Here, the real trap is sprung: participants are coaxed into running terminal commands or installing “required” software, unwittingly opening the door to custom malware.
Malware for Every Machine
UNC1069’s toolkit is as diverse as its targets. On Windows, victims are tricked into executing PowerShell scripts that download a stealthy RAT (Remote Access Trojan) known as Cabbage RAT-capable of disabling security, persisting at startup, and rifling through browser extensions for crypto wallets. Mac users run similar commands, only to have malware bypass Apple’s built-in defenses and install NukeSped, a North Korea-linked RAT. Even Linux systems aren’t spared, with tailored ELF binaries exfiltrating system data and establishing covert channels back to the attackers’ servers.
Behind the scenes, UNC1069 operates a sprawling web of lookalike domains and regional code-named servers, making detection a challenge for traditional security tools. Their infrastructure is dynamic, often evading blacklists by constantly cycling domain names and mimicking legitimate software or regional codes.
Staying Out of the Trap
Experts urge caution: never copy and paste commands from a web meeting, and always verify unexpected requests-especially those involving investment proposals or unfamiliar meeting links-through a trusted secondary channel. The stakes are high: a single misstep could mean not just lost assets, but direct funding for hostile state operations.
Conclusion
UNC1069’s campaign is a stark reminder that in the world of crypto, trust is a weapon-and the most lucrative targets are often those who think they’re too smart to fall for a scam. As North Korean cyber operations grow ever more sophisticated, vigilance and skepticism remain the best defense.
WIKICROOK
- Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- PowerShell: PowerShell is a Windows scripting tool used for automation, but attackers often exploit it to perform malicious actions stealthily.
- Lookalike Domain: A lookalike domain is a web address that closely mimics a trusted site using subtle changes to deceive users, often for phishing or fraud.




