Google Threat Intelligence describes a cryptocurrency-sector intrusion attributed to UNC1069, a financially motivated actor suspected with high confidence to have a North Korea nexus. The operation began through a compromised Telegram account, a Calendly link, a spoofed Zoom page, and ClickFix-style troubleshooting commands that caused the victim to execute a macOS infection chain. The intrusion deployed WAVESHAPER, HYPERCALL, HIDDENCALL, SUGARLOADER, SILENCELIFT, DEEPBREATH, and CHROMEPUSH to maintain access and steal Keychain data, browser cookies and logins, Telegram data, Apple Notes, keystrokes, screenshots, and session material. Notable infrastructure included zoom[.]uswe05[.]us, mylingocoin[.]com, supportzm[.]com, zmsupport[.]com, breakdream[.]com, dreamdie[.]com, cmailer[.]pro, and support-zoom[.]us, showing a focused data-harvesting operation for cryptocurrency theft and follow-on social engineering.