Sapphire Sleet / UNC1069

avoid.net/sapphire-sleet-unc10692/100·93% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·2egUDH…o8BR

Summary

Sapphire Sleet (Microsoft designation) / UNC1069 (Google Mandiant designation) is a North Korean state-sponsored advanced persistent threat group assessed to operate under the Reconnaissance General Bureau, active since at least 2018. The group is financially motivated and primarily targets cryptocurrency exchanges, DeFi platforms, venture capital funds, wallet providers, and software developers. On March 31, 2026, the group executed a supply chain compromise of the axios npm package — which receives over 100 million weekly downloads — deploying the WAVESHAPER.V2 cross-platform remote access trojan to approximately 600,000 installations during a three-hour exposure window.

Timeline (12 events)

2018-04-01

UNC1069 becomes active (earliest tracked date per Google Mandiant), focusing on cryptocurrency exchanges in the United States and Japan.

Tenable FAQ on UNC1069 axios attack

2020-03-01

Microsoft begins tracking the threat cluster as Sapphire Sleet, identifying it as a North Korean nation-state actor targeting the cryptocurrency sector.

Microsoft Security Blog — Mitigating the Axios npm supply chain compromise

2020-06-01

ClearSky publishes its CryptoCore report, estimating that the group has stolen at least $200 million from cryptocurrency exchanges since 2018.

The Hacker News — Google Attributes Axios npm Supply Chain Attack to UNC1069

2024-11-22

Microsoft presents at CYBERWARCON, reporting that Sapphire Sleet stole more than $10 million in cryptocurrency from multiple companies over a six-month window using fake venture-capital and recruiter social engineering lures.

Microsoft Security Blog — CYBERWARCON threat intelligence

2025-10-01

A concurrent DPRK-linked group (UNC4736 / Citrine Sleet) begins a six-month social engineering operation against Drift Protocol Security Council members, posing as a quantitative trading firm at a major cryptocurrency conference.

The Hacker News — Drift $285M DPRK nonce attack

2026-02-01

Google Threat Intelligence publishes a report documenting UNC1069's use of AI-generated deepfakes, fake Zoom and Teams meetings, ClickFix infection vectors, and a seven-family malware arsenal including WAVESHAPER, HYPERCALL, and SILENCELIFT.

The Hacker News — North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations

2026-03-30

The attacker publishes a clean decoy package, plain-crypto-js@4.2.0, to the npm registry at 05:57 UTC. The malicious plain-crypto-js@4.2.1 follows at 23:59 UTC.

Tenable FAQ on UNC1069 axios attack

2026-03-31

Socket.dev detects the compromise at 00:05 UTC, approximately six minutes after plain-crypto-js@4.2.1 was published and before either malicious axios version appeared. axios@1.14.1 is published at 00:21 UTC and axios@0.30.4 at approximately 01:00 UTC, both carrying the WAVESHAPER.V2 payload. Both malicious axios versions are removed from the npm registry at approximately 03:15 UTC; approximately 600,000 installations occur during the roughly three-hour exposure window.

CISA Alert; SANS Emergency Briefing; Tenable FAQ

2026-04-01

Microsoft publishes an initial attribution post identifying Sapphire Sleet as the threat actor behind the axios compromise. Separately, Drift Protocol loses $285 million in a DPRK-linked durable nonce attack attributed to UNC4736 / Citrine Sleet.

Microsoft Security Blog; The Hacker News

2026-04-02

Google Mandiant confirms attribution of the axios attack to UNC1069, publishing technical details and infrastructure overlaps, including a shared AstrillVPN node, that link the operation to prior UNC1069 WAVESHAPER deployments.

SANS Emergency Briefing

2026-04-16

Microsoft publishes a follow-on technical post dissecting Sapphire Sleet's macOS intrusion chain, covering credential theft and elevation of privilege techniques.

Microsoft Security Blog — Dissecting Sapphire Sleet's macOS intrusion

2026-04-20

CISA publishes a formal alert on the axios npm supply chain compromise with technical IOCs, an affected-version list, safe downgrade targets, and mitigation guidance.

CISA Alert
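The 2026-03-31 entry names the compromised versions (axios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1) and the CISA alert describes an affected-version list and safe downgrade targets. The script below is an added example, not code from the advisory, CISA, or any vendor tool: it scans an npm package-lock.json for those versions and for any occurrence of plain-crypto-js at all, since that package existed only as the attacker's staging vehicle. The sample lockfile is constructed; in particular, the dependency edge it draws from axios@1.14.1 to plain-crypto-js is an assumption for illustration, as this page does not state how the payload was delivered. Extend the version sets from the CISA list rather than relying on the two versions named here.

```javascript
// Added example, not from the advisory, CISA, or any vendor tooling: scan an
// npm package-lock.json for the package versions this page names. Supports
// lockfileVersion 2/3 ("packages" map keyed by node_modules path) and the
// older lockfileVersion 1 nested "dependencies" tree. Usage:
//   node scan-lock.js path/to/package-lock.json
// With no argument it scans the constructed SAMPLE_LOCK at the bottom.

// Versions named on this page. CISA's affected-version list is authoritative;
// extend these sets from it rather than relying on this file alone.
const KNOWN_BAD = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// plain-crypto-js existed only as the attacker's staging package (4.2.0 was a
// clean decoy), so any version of it in a dependency tree is worth a look.
const SUSPECT_PACKAGES = new Set(["plain-crypto-js"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function classify(name, version, lockPath, findings) {
  const bad = KNOWN_BAD[name];
  if (bad && bad.has(version)) {
    findings.push({ severity: "malicious", name, version, path: lockPath });
  } else if (SUSPECT_PACKAGES.has(name)) {
    findings.push({ severity: "suspect", name, version, path: lockPath });
  }
}

// lockfileVersion 1: each entry may nest its own "dependencies".
function walkV1(deps, prefix, findings) {
  for (const [name, meta] of Object.entries(deps)) {
    const lockPath = `${prefix}node_modules/${name}`;
    classify(name, meta.version, lockPath, findings);
    if (meta.dependencies) walkV1(meta.dependencies, `${lockPath}/`, findings);
  }
}

// Accepts the parsed lockfile object or its JSON text; returns findings in
// lockfile order so the output is stable across runs.
function scanLockfile(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  if (lock.packages) {
    for (const [lockPath, meta] of Object.entries(lock.packages)) {
      if (lockPath === "") continue; // root project entry, not a dependency
      // aliased installs carry an explicit "name"; otherwise derive it from the path
      classify(meta.name || packageNameFromPath(lockPath), meta.version, lockPath, findings);
    }
  } else {
    walkV1(lock.dependencies || {}, "", findings);
  }
  return findings;
}

// Constructed sample lockfile. The edge from axios@1.14.1 to plain-crypto-js
// is an assumption for illustration; this page does not state how the payload
// was delivered. The nested axios version is simply one not named on the page.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "1.13.0", "plain-crypto-js": "4.2.0" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk/node_modules/plain-crypto-js": { version: "4.2.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const input = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_LOCK;
  for (const f of scanLockfile(input)) {
    console.log(`${f.severity}\t${f.name}@${f.version}\t${f.path}`);
  }
}
```

Run it against every package-lock.json in a monorepo (and against the lockfiles inside container images and CI caches, which are the copies that actually got installed during the exposure window); a "suspect" hit on plain-crypto-js@4.2.0 is not itself malicious but indicates the tree resolved a package that had no legitimate reason to exist.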

Provenance & Audit Trail

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-code-investigator

generated: 6/19/2026, 11:05:13 PM

last updated: 6/19/2026, 11:05:25 PM
