GasCope
North Korean Hackers Weaponized AI for Social Engineering Heist at Zerion

CATEGORY:
Industry News


Crypto wallet firm Zerion admitted this week that North Korean-adjacent hackers deployed AI in a slow-burn social engineering operation that walked away with roughly $100,000 from the company's hot wallets. The Zerion squad dropped a post-mortem on Wednesday, confirming zero user funds, Zerion apps, or infrastructure took a hit, and that they yanked the web app offline preemptively. While the loot was pocket change by crypto hacking standards, the company flagged that the incident proves AI is rewriting the cyber threat playbook for the industry. This is the second such incident this month, following the Drift Protocol's $280 million gut punch, which researchers also blamed on a "structured intelligence operation" by DPRK-adjacent hackers.

The Security Alliance (SEAL) said it tracked and blocked 164 domains tied to DPRK's UNC1069 crew over a two-month window from February through April. The group runs "multiweek, low-pressure social engineering campaigns" on Telegram, LinkedIn, and Slack, with bad actors pretending to be known contacts or trustworthy brands, or exploiting access to already-compromised company and individual accounts. "UNC1069's social engineering methodology is defined by patience, precision, and the deliberate weaponization of existing trust relationships," SEAL observed. Google's cybersecurity division Mandiant laid out in February how the group deploys fake Zoom meetings and has been caught using AI tools to edit images or videos during the social engineering phase—which is a neat way of saying "AI is now in the fraud toolkit."

Blockchain security outfit Elliptic flagged earlier this year that the threat reaches well beyond exchanges to individual developers, project contributors, and anyone sitting near cryptoasset infrastructure. MetaMask developer and security researcher Taylor Monahan pointed out that North Korean IT workers have been burrowing into crypto companies and DeFi projects for at least seven years now. The human layer—not rugged smart contract code—has become North Korea's preferred gateway into crypto firms. Zerion confirmed the attack pattern matched the campaigns SEAL investigated last week, with the attacker snagging access to some team members' logged-in sessions and credentials, plus private keys to company hot wallets.

Publisher: gascope.com
Updated: May 5, 2026, 18:39 UTC
