Zerion's $100K Reminder: When Your New 'Friend' is Really Just After Your Private Keys
North Korean hackers have apparently leveled up their crypto-heist game. Zerion just learned this the hard way.
The DeFi platform confirmed that DPRK-affiliated hackers used AI-enabled social engineering to make off with about $100,000 from company hot wallets last week. The attackers gained access to some team members' logged-in sessions, credentials, and the private keys to Zerion's hot wallets.
No user funds, Zerion apps, or infrastructure were affected—the team proactively disabled the web app as a precaution. Small comfort when your social engineering budget apparently includes AI tools now.
"This incident showed that AI is changing the way cyber threats work," Zerion noted in its post-mortem. No kidding.
This marks the second such attack this month, following the $280 million Drift Protocol exploit. Both have the Security Alliance (SEAL) fingerprints all over them—or rather, UNC1069's fingerprints.
SEAL tracked and blocked 164 domains linked to UNC1069 in a two-month window from February to April. The group runs "multiweek, low-pressure social engineering campaigns" across Telegram, LinkedIn, and Slack, impersonating known contacts or leveraging compromised accounts.
Google's Mandiant previously detailed the group's use of fake Zoom meetings and AI tools for editing images or videos during the social engineering stage. Because apparently, catfishing wasn't sophisticated enough.
"UNC1069's social engineering methodology is defined by patience, precision, and the deliberate weaponization of existing trust relationships," SEAL reported.
The human layer—not smart contract bugs—has officially become North Korea's preferred point of entry into crypto firms. Taylor Monahan, MetaMask developer and security researcher, recently noted that North Korean IT workers have been embedding themselves in crypto companies and DeFi projects for at least seven years.
"Individual developers, project contributors, and anyone with access to cryptoasset infrastructure is a potential target," blockchain security firm Elliptic warned earlier this year.
So the next time a stranger on LinkedIn offers you a "great opportunity" or wants to "hop on a quick call," maybe verify they're not just a very patient hacker with an AI subscription.