Google Exposes AI-Powered Malware Behind North Korea’s Crypto Attacks
Key Takeaways
- Google found that North Korean hackers are using AI tools to modify malware code and steal cryptocurrency from exchanges;
- GTIG identified five malware types that use AI models like Gemini and Qwen to create or hide harmful code while running;
- One North Korean group, UNC1069, used Gemini to gather wallet data and craft phishing emails targeting crypto workers.
Google has found that North Korean hackers are using artificial intelligence (AI) to support cryptocurrency theft.
In a recent report, the company’s Threat Intelligence Group (GTIG) explained that several malware programs rely on large language models (LLMs) to write or change code while running.
GTIG said it has observed at least five types of AI-powered malware active in current attacks.
Unlike traditional malware, which contains fixed instructions, these new programs can use models like Gemini or Qwen2.5-Coder to create or hide harmful code when needed. This approach, called "just-in-time code creation", lets the malware adjust itself and avoid detection systems.
Two examples from the report, PROMPTFLUX and PROMPTSTEAL, show how attackers are combining AI with hacking operations.
PROMPTFLUX contacts the Gemini API every hour to rewrite parts of its VBScript code, while PROMPTSTEAL, linked to Russia’s APT28 group, uses the Qwen model on Hugging Face to generate Windows commands during attacks.
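The behaviour described above gives defenders something concrete to look for: a script interpreter such as wscript.exe or powershell.exe talking directly to an LLM inference endpoint, on a fixed cadence. The following detection sketch is an added example, not code from the GTIG report or from Google; the API hostnames, the list of script hosts, the thresholds and the log records are all constructed assumptions for illustration, and a real deployment would take them from your own telemetry and allow-lists.

```python
"""Detection sketch: script hosts calling LLM APIs, and hourly beaconing to them.

Added illustration only; hostnames, process list and sample events are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Assumed watch-list of hosted-model API endpoints. These are the public API
# hostnames for Gemini and Hugging Face inference as used in this example.
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com",   # Gemini API
    "api-inference.huggingface.co",        # Hugging Face hosted inference
    "huggingface.co",
}

# Script interpreters that rarely have a legitimate reason to call a model API directly.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Constructed sample of endpoint network-connection events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-11-05T08:00:03", "host": "WS-042", "process": "wscript.exe",
     "pid": 4120, "dest": "generativelanguage.googleapis.com"},
    {"ts": "2025-11-05T09:00:07", "host": "WS-042", "process": "wscript.exe",
     "pid": 4120, "dest": "generativelanguage.googleapis.com"},
    {"ts": "2025-11-05T10:00:01", "host": "WS-042", "process": "wscript.exe",
     "pid": 4120, "dest": "generativelanguage.googleapis.com"},
    # A browser reaching the same API is expected user activity, not a hit.
    {"ts": "2025-11-05T08:15:00", "host": "WS-042", "process": "chrome.exe",
     "pid": 2210, "dest": "generativelanguage.googleapis.com"},
    # One-off PowerShell call: worth a look, but not periodic.
    {"ts": "2025-11-05T08:30:00", "host": "WS-017", "process": "powershell.exe",
     "pid": 880, "dest": "api-inference.huggingface.co"},
    {"ts": "2025-11-05T08:31:00", "host": "WS-017", "process": "powershell.exe",
     "pid": 880, "dest": "update.example.internal"},
]


def _parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def script_host_llm_calls(events):
    """Return every event where a script interpreter contacted a watched LLM API host."""
    return [
        e for e in events
        if e["process"].lower() in SCRIPT_HOSTS and e["dest"].lower() in LLM_API_HOSTS
    ]


def periodic_beacons(events, period_s=3600, tolerance_s=120, min_hits=3):
    """Flag (host, process, pid, dest) series whose inter-call gaps all sit near period_s.

    An hourly rewrite loop shows up as a run of calls roughly 3600 s apart from the
    same interpreter process; jitter up to tolerance_s is accepted.
    """
    series = defaultdict(list)
    for e in script_host_llm_calls(events):
        series[(e["host"], e["process"], e["pid"], e["dest"])].append(_parse_ts(e["ts"]))

    alerts = []
    for (host, process, pid, dest), stamps in series.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        if all(abs(gap - period_s) <= tolerance_s for gap in gaps):
            alerts.append({
                "host": host, "process": process, "pid": pid, "dest": dest,
                "hits": len(stamps), "mean_gap_s": sum(gaps) / len(gaps),
            })
    return alerts


def triage(events):
    """Bundle both views: raw script-host API calls and the periodic subset."""
    return {
        "script_llm_calls": script_host_llm_calls(events),
        "periodic": periodic_beacons(events),
    }


if __name__ == "__main__":
    for alert in periodic_beacons(SAMPLE_EVENTS):
        print("periodic LLM-API beacon:", alert)
```

The cadence check is the part that separates a curious admin running a one-off script from a process that re-queries a model every hour; tune `period_s` and `tolerance_s` to whatever intervals you actually see, and treat the hostname list as a starting point rather than a complete inventory of model-serving endpoints.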
The report also highlights a North Korean group known as UNC1069, or Masan. According to Google, this group is known for stealing cryptocurrency through social engineering.
Investigators found that UNC1069 used Gemini to look up wallet data, write scripts that reach encrypted files, and create phishing emails in several languages aimed at crypto exchange employees.
Recently, GTIG also identified a new tactic used by North Korean hackers, known as "EtherHiding".