Zerion said hackers linked to North Korea used AI in a long-running social engineering campaign that drained about $100,000 from its hot wallets last week.
Zerion details the incident
The wallet provider said in a post-mortem that no user funds, Zerion apps, or infrastructure were affected. It disabled the web app as a precaution after the breach.
Although the loss was modest by industry standards, Zerion said it was another case of an AI-enabled social engineering attack tied to a DPRK-linked group. The company also said the attacker accessed some team members’ logged-in sessions, credentials, and private keys to its hot wallets.
The incident fits a broader pattern that now defines much of crypto security risk. North Korea-linked actors are increasingly targeting people, not code, to get inside firms.
A wider pattern across the industry
It is the second attack of this kind this month, following the $280 million exploit of Drift Protocol, which was hit by what investigators described as a structured intelligence operation by DPRK-affiliated hackers.
The shift is clear: the human layer, not smart contract bugs, has become North Korea’s main entry point into crypto firms. Zerion said the method matched cases reviewed by the Security Alliance, or SEAL, last week.
SEAL said it tracked and blocked 164 domains linked to the DPRK group UNC1069 in a two-month window from February to April. The group ran multiweek, low-pressure campaigns on Telegram, LinkedIn, and Slack, often by impersonating known contacts or credible brands.
Moreover, the tactics relied on patience, precision, and the deliberate weaponization of existing trust relationships. In practice, that meant attackers could build credibility before moving to theft.
AI tools and deeper infiltration
Google’s cybersecurity unit Mandiant said in February that the group used fake Zoom meetings and AI tools to edit images or videos during the social engineering stage. The findings showed how AI-enabled scams can make routine contact look authentic.
Earlier this month, MetaMask developer and security researcher Taylor Monahan said North Korean IT workers have been embedded in crypto companies and decentralized finance projects for at least seven years.
However, Elliptic said the threat goes beyond exchanges. The blockchain security firm warned that developers, project contributors, and anyone with access to cryptoasset infrastructure could be targeted.
Zerion’s case adds another warning for the sector. As attackers improve their methods, firms must treat social engineering as a core security risk, not a side issue.

