Saved February 14, 2026
UNC1069, a North Korean threat group, has been using social engineering and AI tools to infiltrate cryptocurrency companies. Its recent attack involved a compromised Telegram account, a fake Zoom meeting with a deepfake video, and multiple malware families used to harvest sensitive data. The operation highlights a significant evolution in the group's methods since 2018.
North Korean threat actor UNC1069 has intensified its focus on the cryptocurrency and decentralized finance sectors, employing sophisticated tactics that combine malware deployment with social engineering. Mandiant's recent investigation into an intrusion at a FinTech firm attributed to UNC1069 revealed the use of seven distinct malware families, including newly identified tools like SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The attack began with a compromised Telegram account, leading to a fabricated Zoom meeting featuring a deepfake video, which was used to manipulate the victim into executing malicious commands under the guise of troubleshooting technical issues.
The social engineering scheme involved creating a false sense of urgency and credibility by impersonating a known executive. Once the victim was engaged, they were directed to run commands that initiated the malware infection chain on both macOS and Windows systems. Mandiant tracked the progression of the attack from initial contact to the deployment of various backdoors, including WAVESHAPER and HYPERCALL, which facilitated further access and data harvesting. The attacker leveraged tools for operational research and reconnaissance, indicating a well-planned and resourceful approach to their operations.
Data harvesting was a major objective, with tools like DEEPBREATH and CHROMEPUSH targeting sensitive information. DEEPBREATH specifically manipulates the macOS Transparency, Consent, and Control (TCC) database to access user credentials, browser history, and other critical data. The use of AI-generated content and advanced social engineering tactics reflects a significant evolution in UNC1069's methods, moving beyond simple exploits to more complex, multi-faceted attacks. This evolution underscores the ongoing risks in the cryptocurrency sector, where both startups and established firms are vulnerable to such targeted threats.