North Korean cybercriminals are increasingly misusing artificial intelligence to carry out sophisticated attacks on cryptocurrency platforms, according to a new alert from Google.
The tech giant’s “AI Threat Tracker” report highlights the expanding role of AI tools, including Google’s own generative AI chatbot Gemini, in enabling state-backed hackers to steal cryptoassets and support Pyongyang’s regime financially.
The Google Threat Intelligence Group (GTIG) report details how AI is being leveraged across multiple stages of cyberattacks, from research and content generation to malware development and evasion of detection.
“GTIG continues to observe IO actors utilize Gemini for research, content creation, and translation, which aligns with their previous use of Gemini to support their malicious activity. We have identified Gemini activity that indicates threat actors are soliciting the tool to help create articles or aid them in building tooling to automate portions of their workflow,” the report noted.
One prominent example involves the North Korean threat actor UNC1069, also known as MASAN or CryptoCore. The group has used Gemini to generate code intended to steal cryptocurrency and to craft fraudulent instructions disguised as software updates. “We have disabled this account,” Google said, after detecting an attempt to use Gemini to create code that could have stolen users’ credentials.
AI has also enabled North Korean hackers to refine their social engineering tactics. The report cites the creation of deepfake images and video content impersonating cryptocurrency professionals, as well as AI-generated phishing messages in multiple languages, including Spanish. Another group, UNC4899 (PUKCHONG), has exploited Gemini to research vulnerabilities, improve malware tools, and target web browsers and edge devices that provide access to corporate networks.
Cybersecurity experts warn that AI misuse is not only enhancing the capabilities of highly skilled operatives but also allowing less experienced hackers to overcome technical and linguistic barriers, effectively expanding the reach and sophistication of North Korea’s cyber campaigns.
The report also highlights malware families such as PROMPTFLUX and PROMPTSTEAL, which demonstrate the direct integration of AI models into attack operations. To counter these threats, Google is collaborating with its Trust and Safety teams and developing defensive AI tools.
“We recently introduced CodeMender, an experimental AI-powered agent utilizing the advanced reasoning capabilities of our Gemini models to automatically fix critical code vulnerabilities,” the report explained.
The stakes are high. North Korean cyber actors have increasingly targeted the cryptocurrency space, which is currently valued at $3.38 trillion. Blockchain analytics firm Elliptic reported that over $2 billion has been stolen in more than thirty attacks so far this year.
Binance founder Changpeng Zhao recently warned crypto firms that North Korean hackers are posing as software professionals to infiltrate companies, while the U.S. Treasury has imposed sanctions on a North Korea-linked cyber network accused of placing IT workers inside crypto firms to divert funds to the regime’s weapons programs.
As AI tools become more powerful, experts say vigilance is critical to prevent the misuse of technology in state-backed cybercrime, particularly in high-value sectors such as cryptocurrency.



