UNC1069
North Korean threat actor also tracked as CryptoCore, MASAN, Dangerous Password, and Leery Turtle. Specialises in cryptocurrency exchange targeting using spear-phishing, AI-generated deepfakes, and ClickFix social engineering.
Attribution signal
Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.
≥ 10 High · ≥ 3 Moderate · < 3 Low
Attribution signals
8 mentions · 1 source
"attributed to UNC1069, a financially motivated threat actor active since at least 2018"
"Mandiant has observed UNC1069 employing these techniques to target both corporate entities and individuals within the cryptocurrency industry"
"UNC1069 is known to use tools like Gemini to develop tooling, conduct operational research, and assist during the reconnaissance stages"
"GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor."
"GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since 2018."
"Analysis of the C2 infrastructure (sfrclak[.]com resolving to 142.11.206.73) revealed connections from a specific AstrillVPN node previously used by UNC1069. Additionally, adjacent infrastructure hosted on the same ASN has been historically linked to UNC1069 operation"
"identified UNC1069's transition from using AI for simple productivity gains to deploying novel AI-enabled lures in active operations"
"Analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities"
Hedge terms observed