A New Stage of LLM Attacks and Crypto Targeting by North Korea

GTIG: a new phase of LLM-driven attacks on cryptocurrency by North Korea, with PROMPTFLUX and PROMPTSTEAL calling LLMs directly at runtime without recompilation, and with expanding delivery methods for BIGMACHO, a backdoor that compromises crypto wallets.

More about the rapid growth of the AI-driven hacker ecosystem and the threats facing the cryptocurrency industry

GTIG's AI threat tracker highlights key indicators that adversaries have moved from purely "productivity" use of AI to code execution that relies on LLMs at runtime, opening up a class of autonomous, adaptive malware whose logic is loaded from the model rather than embedded in advance. It records the first families that generate custom scripts and functions, obfuscate themselves and change behaviour at runtime: PROMPTFLUX and PROMPTSTEAL.

PROMPTFLUX demonstrates runtime dependence on an LLM. The VBScript dropper requests obfuscation techniques via the Gemini API, saves the rewritten version in the Startup folder, and also attempts to spread via removable media and network shares. A "Thinking Robot" module periodically queries "gemini-1.5-flash-latest" with an encrypted key and a machine-parseable request that asks only for VBScript code to evade antivirus; responses are logged to %TEMP%\thinking_robot_log.txt. One variant rewrites its entire source every hour while preserving the payload, the API key and the self-rewriting logic.

PROMPTSTEAL has already been used in live operations. The malware masquerades as an image-generation application and, via the Hugging Face API, asks the Qwen2.5-Coder-32B-Instruct LLM for one-line Windows commands to collect system information and copy documents to a specified directory for subsequent filtering. This is the first recorded case of malware querying an LLM in this field; stolen API tokens were likely used. Newer samples add noise and change their C2.
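As an added defender-side example (not code from the GTIG report or from this page), the following Python sketch correlates constructed endpoint telemetry for the runtime-LLM behaviours described above: a script host reaching an LLM API, a VBScript copy written to the Startup folder, and the %TEMP%\thinking_robot_log.txt artifact. The API hostnames, the process allowlist and the event format are assumptions.

```python
import re

# Assumed API hostnames the two families need to reach (the page names the APIs, not the hosts).
LLM_API_HOSTS = {"generativelanguage.googleapis.com",  # Gemini API (PROMPTFLUX)
                 "api-inference.huggingface.co"}       # Hugging Face inference API (PROMPTSTEAL)
ALLOWED_LLM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # assumed workstation allowlist
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}    # never need an LLM API
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.vbs$", re.IGNORECASE)
THINKING_LOG_RE = re.compile(r"\\temp\\thinking_robot_log\.txt$", re.IGNORECASE)

def classify(event):
    """Return finding tags for one telemetry event dict; [] when nothing matches."""
    tags, proc = [], event.get("process", "").lower()
    if event.get("type") == "network" and event.get("dst_host", "").lower() in LLM_API_HOSTS:
        if proc not in ALLOWED_LLM_CLIENTS:
            tags.append("unexpected_llm_api_client")       # decoy apps like PROMPTSTEAL's
        if proc in SCRIPT_HOSTS:
            tags.append("script_host_to_llm_api")          # VBScript dropper calling Gemini
    elif event.get("type") == "file_write":
        path = event.get("path", "")
        if proc in SCRIPT_HOSTS and STARTUP_RE.search(path):
            tags.append("script_host_writes_startup_vbs")  # rewritten copy saved to Startup
        if THINKING_LOG_RE.search(path):
            tags.append("promptflux_log_artifact")         # Thinking Robot response log
    return tags

def hunt(events):
    """Correlate tags per host: 'high' for a script host querying an LLM API, the PROMPTFLUX
    log artifact, or an unexpected LLM client that also persists via Startup; else 'medium'."""
    per_host = {}
    for ev in events:
        for tag in classify(ev):
            per_host.setdefault(ev["host"], set()).add(tag)
    verdicts = {}
    for host, tags in per_host.items():
        high = ("script_host_to_llm_api" in tags or "promptflux_log_artifact" in tags
                or {"unexpected_llm_api_client", "script_host_writes_startup_vbs"} <= tags)
        verdicts[host] = "high" if high else "medium"
    return verdicts

STARTUP = r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"host": "WS01", "type": "network", "process": "wscript.exe", "dst_host": "generativelanguage.googleapis.com"},
    {"host": "WS01", "type": "file_write", "process": "wscript.exe", "path": STARTUP + r"\persist.vbs"},
    {"host": "WS01", "type": "file_write", "process": "wscript.exe", "path": r"C:\Users\a\AppData\Local\Temp\thinking_robot_log.txt"},
    {"host": "WS02", "type": "network", "process": "chrome.exe", "dst_host": "generativelanguage.googleapis.com"},  # benign
    {"host": "WS03", "type": "network", "process": "imagegen.exe", "dst_host": "api-inference.huggingface.co"},
]
```

Running `hunt(SAMPLE_EVENTS)` rates WS01 as high and WS03 as medium, while the browser traffic on WS02 produces no finding.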

The massive liquidity flowing into cryptocurrency adoption makes it a prime target

The UNC1069 group stands out, using Gemini to research cryptocurrencies and the locations of wallet application data, and to generate cryptocurrency lures and accompanying messages, including Spanish-language texts for rescheduling meetings and work-related pretexts. In later stages this turns into attempts to obtain code for stealing cryptocurrency and to prepare fraudulent code disguised as software updates that extracts credentials.

In a similar vein, deepfakes impersonating cryptocurrency-industry figures lead the victim to install a fake "Zoom SDK", after which the BIGMACHO backdoor is delivered to the system. North Korean group UNC4899 stood out here, as it also leveraged Gemini for development and operations, including assistance with C2 and obfuscation, and extended its tooling to modern terminals and browsers.

The key point is that this is no longer just an experiment with new technology, but an entire ecosystem of methods and tools. The market for covert AI services is growing very rapidly: forums in English and Russian offer multifunctional tools for phishing, creating malware, and detecting vulnerabilities. The monetization model copies legitimate services – from freemium with ads to paid plans with image creation, API access, and Discord. All of this significantly lowers the barrier to entry and expands campaigns without requiring a high technical level of operators.

The priority of system security is as high as ever

As cryptocurrency adoption advances so rapidly and attracts huge capital, it becomes a far more attractive target for attackers, who here go after money directly rather than data that still has to be monetized as a separate step. Attackers therefore keep improving their methods and tools in this space as well, looking for the most efficient path to the main target, which is money. This is another very strong signal for all companies to raise the priority of security like never before, and for security teams to improve their solutions, not only to ensure long-term viability but also to ensure Web3 resiliency.
