Cardano Deepfake Attack Linked to DPRK Crypto Hackers Targeting Devs

What to Know

  • Big Pey, a Cardano ecosystem dev, says his laptop was likely compromised after joining a deepfake video call impersonating a Cardano Foundation contact named Pierre
  • Security researchers at SEAL tied the same fake Teams and Zoom playbook to DPRK threat cluster UNC1069, releasing 164 indicators of compromise
  • Hacken pegged Q1 2026 Web3 losses at $465M, with phishing and social engineering at $306M, or 66%, of the damage
  • FBI’s 2025 IC3 report logged a record $20.9B in internet fraud, including $893M tied directly to AI-enabled scams

The Cardano deepfake attack that hit ecosystem developer Big Pey this week was not a one-off. It was a template. Big Pey, a contributor recognized by Charles Hoskinson himself, says he believes his laptop was compromised after he joined what looked like a routine video call with a Cardano Foundation contact named Pierre. Familiar face. Familiar voice. Multiple participants on screen. All of it fake. Within hours of his disclosure on X, near-identical stories started rolling in from across the industry, and the picture they painted was uglier than a single bad meeting.

How the Cardano Deepfake Attack on Big Pey Unfolded

Big Pey had spoken with the real Pierre before. So when a meeting got booked, nothing looked off. He joined, the call rendered cleanly, the people on the other side moved and sounded like the people he expected, and the conversation drifted toward a familiar pain point. His Microsoft Teams client was, supposedly, out of date. The fix was a short list of terminal commands. He started running them.

Then his battery died. That mundane piece of hardware bad luck may have been the only thing standing between his keys and a clean drain. The Cardano deepfake attack disclosure he posted to X reads less like a postmortem and more like a warning shot. “Trust nothing, trust no one,” he wrote. “AI is making scamming more sophisticated, and as someone who is quite technical savvy, I just got cooked.”

That admission matters. Big Pey is not a mark you would expect this kind of operation to land on. He builds. He ships. He knows what a phishing prompt looks like. The fact that he started typing the commands at all is the part of this story that should keep every Cardano builder up tonight.

Moral of the story, be careful. Trust nothing, trust no one. AI is making scamming more sophisticated, and as someone who is quite technical savvy, I just got cooked.

— Big Pey, Cardano ecosystem developer

Other Targets Surface Within Hours

The replies to Big Pey’s thread turned into a list of near-misses. CashAnvil, a Cardano constitutional delegate and agency CEO, said the fake Pierre had pitched the exact same workflow at him, complete with the Teams link. CashAnvil only spotted the swap because the impersonator never asked for a LinkedIn connection, which is something the real Pierre would have done first.

Zac Zou, co-founder of crypto market maker DWF Labs, revealed the same actor had booked a call with him in the same week. His colleague Alessia Baumgar, a VP at the firm, posted screenshots of suspicious Telegram chats from the impersonator account. When she asked the fake Pierre directly whether he had been hacked, the messages got deleted on the spot.

That is the tell. Real people answer awkward questions. Compromised accounts wipe the room and walk away. Across each report the playbook stayed the same: trusted name, scheduled meeting, rendered video, software-update pretext, terminal command, payload.

  • Big Pey, Cardano ecosystem dev, started running the install commands before his battery cut out
  • CashAnvil, Cardano constitutional delegate, caught the swap because the fake Pierre skipped the LinkedIn step
  • Zac Zou, DWF Labs co-founder, had a call already on the calendar with the same actor
  • Alessia Baumgar, DWF Labs VP, watched the impersonator delete the chat history once challenged

Who Is Behind the UNC1069 Cluster?

The Security Alliance, known as SEAL, named the campaign fast. Its researchers tied the fake Microsoft Teams and Zoom meetings to a known DPRK crypto-hacking cluster operating under the UNC1069 designation. SEAL also released 164 indicators of compromise, granular intel that lets defenders block the infrastructure before the next deepfake call ever lands on a target.

UNC1069 is not new. North Korean operators have been pivoting from straightforward credential phishing to fully produced video calls for over a year now, and the production quality keeps creeping up. The deepfake video, the synthesized voice, the participant list seeded with familiar names, all of it stitched together in real time. Static training data on what a scam looks like is no longer enough.

MetaMask security lead Taylor Monahan has been raising the alarm on this exact pattern for months. Her guidance for anyone who suspects exposure is brutal in its simplicity: yank the machine off the internet, power it down, and treat it as burned. From there, use only a separate mobile device to move funds to fresh storage and to rotate every password and access key, and wipe the compromised hardware before it ever touches a wallet again.

DPRK threat actors are still rekting way too many of you via their fake Zoom and fake Teams meets. They’re taking over your Telegrams, then using them to rekt all your friends. They’ve stolen over $300m via this method already.

— Taylor Monahan, MetaMask

What Do the Q1 2026 Numbers Say?

The damage is no longer theoretical. Blockchain security firm Hacken pegged Q1 2026 Web3 hack losses at roughly $465 million, with phishing and social engineering alone accounting for $306 million, or close to 66% of the quarterly carnage. That is a single category of attack, run mostly by humans on the other end of a chat or a call, doing more damage than smart-contract exploits and protocol bugs combined.

Zoom out and the picture gets worse. The FBI’s IC3 division logged a record $20.9 billion in total internet fraud losses across 2025, and for the first time it broke out AI crypto scam losses as their own line. That figure came in at $893 million in its first tracked year, which means the category went from invisible to nearly a billion dollars in a single reporting cycle. Investment fraud overall topped $8.6 billion.

Read those two numbers together and the conclusion writes itself. The cheapest part of the attack chain is now the part that used to be the most expensive. Spinning up a convincing fake of a real person used to take a film crew. Now it takes a laptop, an open-source model, and a few minutes of training footage scraped from a podcast appearance.

Why Builders Are Especially Exposed

The cynical read on this wave is that crypto builders are the perfect victims. They are technical enough to be trusted with admin rights, busy enough to skip a verification step, and reachable on five different platforms by anyone who knows their handle. They install dev tools all day. A terminal command from a familiar face does not feel like a red flag. It feels like a Tuesday.

Worse, the social graph in this industry is small and public. Anyone scraping X, Telegram, and conference photo dumps can map out who knows who, who works with who, and who would naturally call who. That is the ammunition feeding the deepfake cluster. Big Pey’s mistake was not stupidity. It was operating in an industry whose connective tissue has been turned into a target package.

Defensive habits have to catch up fast. That means voice-channel callbacks before any screen share that involves software installs, hardware-wallet-only signing on machines that never see a meeting link, and a flat refusal to run terminal commands shared inside a video call regardless of who appears on the other side. None of that is convenient. Convenience is what got us here.

  • Verify any meeting that requests software installs through a separate channel before you join
  • Keep a clean signing machine that never opens calendar invites or Telegram links
  • Treat every terminal command pasted in a chat as hostile until proven otherwise
  • Rotate access keys on a fixed schedule, not only after something feels off

What Cardano and the Wider Industry Do Next

The Cardano Foundation has not yet issued a formal advisory, but the chain reaction across constitutional delegates and ecosystem leads will force one. Several of those named in this round, including CashAnvil, are part of the on-chain governance fabric. If a deepfake operation can social-engineer a delegate, the blast radius extends past one developer’s laptop into the credibility of the governance process itself.

Across the industry, expect more security firms to publish their own indicator-of-compromise lists in the coming weeks. SEAL’s 164-IoC drop sets a useful precedent, and Hacken’s Q1 numbers give policy people a hard figure to point at when they argue for mandatory security training inside funded protocols. The FBI’s $893 million AI-fraud line is the kind of statistic that ends up in congressional hearings.

The uncomfortable part is what nobody can fix with a checklist. Trust between people who have actually met is the substrate this industry runs on, and that substrate is exactly what UNC1069 is targeting. You can patch software. You cannot patch the assumption that the face on your screen is the person you think it is.

Frequently Asked Questions

What is the Cardano deepfake attack?

The Cardano deepfake attack refers to a fake video call that targeted ecosystem developer Big Pey, where attackers used AI to impersonate a Cardano Foundation contact named Pierre. He was tricked into running terminal commands disguised as a Microsoft Teams update, which security researchers say was likely an attempt to install malware.

Who are the DPRK hackers behind these fake Teams calls?

Security Alliance researchers tied the campaign to UNC1069, a North Korea-affiliated threat cluster known for running fake Microsoft Teams and Zoom meetings against crypto industry figures. SEAL released 164 indicators of compromise linked to the cluster’s infrastructure, helping defenders block the domains and tooling tied to its ongoing operations.

How much have crypto users lost to this method?

MetaMask security lead Taylor Monahan estimates the same fake-meeting playbook has stolen over $300 million across crypto. Hacken reported $465 million in total Web3 losses in Q1 2026, with $306 million, or 66%, coming from phishing and social engineering tactics that include this style of deepfake call.

What should I do if I think I joined a fake call?

Disconnect the affected machine from the internet immediately and shut it down. Use a separate mobile device to move funds to fresh hardware-wallet storage, then rotate every password, seed phrase, and access key. The compromised laptop should be fully wiped before being reused, since residual malware can persist between sessions.

This article is for informational purposes only and does not constitute investment advice. Every investment and trading decision involves risk. Readers should conduct their own research before making any financial decisions.

James Wright

James Wright is a Crypto News Reporter at TheCryptoWorld, covering breaking developments across exchanges, regulation, and institutional adoption. With a journalism background rooted in business reporting, James transitioned to full-time crypto coverage in 2020 after covering the rise of decentralized finance for an independent fintech publication. He focuses on delivering fast, accurate reporting on the stories that move markets — from SEC enforcement actions to major exchange listings and corporate treasury moves.