UNC1069 Uses New Tools to Target Crypto Entities

2026-02-20 PolySwarm

https://blog.polyswarm.io/unc1069-uses-new-tools-to-target-crypto-entities


PolySwarm describes a targeted intrusion against a cryptocurrency-sector FinTech entity attributed to UNC1069, a financially motivated threat actor assessed to have a North Korea nexus. The operation began with social engineering through a compromised Telegram account, a Calendly link to a spoofed Zoom domain, a reported deepfake video, and ClickFix instructions that executed macOS commands. The infection chain deployed WAVESHAPER, HYPERCALL, HIDDENCALL, SUGARLOADER, SILENCELIFT, DEEPBREATH, and CHROMEPUSH to establish access, download additional payloads, and collect host and browser data. DEEPBREATH abused Finder Full Disk Access to modify the TCC database and steal Keychain, Chromium browser, Telegram, and Apple Notes data, while CHROMEPUSH installed as a native messaging host disguised as a Google Docs offline extension to log keystrokes and extract credentials or cookies. The incident shows UNC1069 continuing to focus on high-value Web3 targets where credentials, session tokens, and social identities can enable cryptocurrency theft and follow-on compromise.
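CHROMEPUSH's disguise as a native messaging host suggests one host-side check a defender can run. The Python auditor below is an added example, not code from the PolySwarm post or from the report it summarizes: it parses Chrome native messaging host manifests and flags Google-branded hosts whose binary sits outside expected locations. The trusted-path prefixes, brand keywords, hidden-directory heuristic and both sample manifests are constructed assumptions, not indicators from the report.

```python
"""Audit Chrome native messaging host manifests for lookalike hosts (added example)."""
import json
import os

# macOS directories Chrome scans for native messaging host manifests (user, then system).
MANIFEST_DIRS = [
    os.path.expanduser("~/Library/Application Support/Google/Chrome/NativeMessagingHosts"),
    "/Library/Google/Chrome/NativeMessagingHosts",
]
# Assumption: a Google-branded host binary is expected under one of these prefixes.
TRUSTED_PREFIXES = ("/Applications/", "/Library/Google/")
# Assumption: words a host impersonating the Google Docs offline extension would carry.
BRAND_WORDS = ("google", "docs", "offline")


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest; an empty list means nothing looked odd."""
    findings = []
    path = manifest.get("path", "")
    text = f"{manifest.get('name', '')} {manifest.get('description', '')}".lower()
    if manifest.get("type") != "stdio":
        findings.append("unexpected host type")
    if not path.startswith("/"):
        findings.append("relative host path")  # Chrome requires absolute paths on macOS
    if any(w in text for w in BRAND_WORDS) and not path.startswith(TRUSTED_PREFIXES):
        findings.append(f"Google-branded host outside trusted prefixes: {path}")
    if any(part.startswith(".") for part in path.split("/")[1:]):
        findings.append("host binary in a hidden directory")  # heuristic, an assumption
    return findings


def audit_dirs(dirs=MANIFEST_DIRS) -> dict:
    """Parse every *.json manifest in the given dirs and map filename -> findings."""
    results = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fn in os.listdir(d):
            if fn.endswith(".json"):
                with open(os.path.join(d, fn)) as fh:
                    try:
                        results[fn] = audit_manifest(json.load(fh))
                    except json.JSONDecodeError:
                        results[fn] = ["unparseable manifest"]
    return results


# Constructed samples: a plausible vendor host and one shaped like the disguise described.
BENIGN = {"name": "com.example.vendor_host", "description": "Vendor helper", "type": "stdio",
          "path": "/Applications/Vendor.app/Contents/MacOS/host",
          "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]}
SUSPECT = {"name": "com.google.docs_offline", "description": "Google Docs Offline", "type": "stdio",
           "path": "/Users/alice/.config/.cache/docs_host",
           "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]}

if __name__ == "__main__":
    for m in (BENIGN, SUSPECT):
        print(m["name"], audit_manifest(m))
```

Run `audit_dirs()` on a live macOS host to review the real manifest directories; the heuristics above only raise candidates for analyst review.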

Indicators of Compromise

Type Value First Seen Last Seen
HASH b525837273dde06b86b5f93f9aec2c2… 2026-02-20 2026-02-20
HASH 1a30d6cdb0b98feed62563be8050db5… 2026-02-20 2026-02-20
