Crypto wallet provider Zerion says a North Korea–linked hacking group employed AI-driven social engineering to siphon roughly $100,000 from company hot wallets last week. In a Wednesday post‑mortem, Zerion said no user funds, dApps, or core infrastructure were compromised and that it had taken its web app offline as a precaution. The company characterized the incident as an “AI-enabled social engineering attack linked to a DPRK threat actor.”
This episode follows a larger breach earlier this month — the $280 million exploit of Drift Protocol — which investigators have also tied to DPRK-affiliated actors. Security researchers warn that attackers are increasingly targeting people (employees, contributors, and contractors) rather than relying solely on smart contract vulnerabilities.
According to Zerion, the intruders gained access to active sessions, credentials, and private keys for some team hot wallets. The company said the incident highlights how artificial intelligence is changing the threat landscape and noted similarities with cases recently investigated by the Security Alliance (SEAL).
SEAL has reported tracking and blocking 164 domains linked to a DPRK-associated group known as UNC1069 between February and April. That group reportedly conducts multiweek, low-pressure social engineering campaigns across platforms such as Telegram, LinkedIn, and Slack. Tactics include impersonating trusted contacts or well-known brands and leveraging previously compromised accounts to build credibility over time.
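The 164 blocked domains are the one part of this campaign a defender can screen for mechanically. The following is an added example, not code from Zerion, SEAL, Mandiant or Elliptic: it flags candidate domains that impersonate a trusted brand by folding lookalike characters into an ASCII skeleton (so `zeri0n` and a Cyrillic-е `zеrion` collide with `zerion`), by checking one-character edit distance for typos, and by catching the brand embedded in a longer label such as `zerion-support`. The brand allowlist, the confusables table (a small sample of the kind of mapping Unicode UTS #39 defines) and the candidate domains are all constructed for illustration; none of them are the domains SEAL reported.

```python
"""Flag candidate domains that impersonate a trusted brand.

Added example for this article; not code from Zerion, SEAL, Mandiant or
Elliptic. The allowlist and candidate domains are constructed for the demo.
"""
import unicodedata
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed allowlist of legitimate registrable domains (an assumption for the demo).
TRUSTED = sorted({"zerion.io", "telegram.org", "linkedin.com", "slack.com"})

# Minimal confusables map: substitutions that render close to an ASCII letter.
# Multi-character keys come first so "rn" is folded before single characters.
# The Cyrillic entries are a small sample of a real confusables table (UTS #39).
CONFUSABLES = {
    "vv": "w", "rn": "m",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def skeleton(label: str) -> str:
    """Fold a DNS label to an ASCII skeleton so lookalikes collide with the brand.
    Known limitation: a legitimate 'rn' (as in 'burn') is folded to 'm' as well."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # strip accents
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def registrable(domain: str) -> Tuple[str, str]:
    """Return (label, tld) of the registrable part, decoding punycode (xn--) labels.
    Assumes a one-label public suffix; a production tool should consult the
    Public Suffix List so that names like example.co.uk are split correctly."""
    host = domain.strip().rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")  # xn--... -> Unicode
    except UnicodeError:
        pass  # already Unicode (or not valid punycode): keep as given
    parts = host.split(".")
    return parts[-2], parts[-1]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used to catch one-off typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    domain: str
    brand: Optional[str]  # trusted domain being impersonated, if any
    reason: str           # trusted | wrong-tld | homoglyph | typosquat | brand-embedded | unrelated


def classify(domain: str) -> Verdict:
    label, tld = registrable(domain)
    if f"{label}.{tld}" in TRUSTED:
        return Verdict(domain, f"{label}.{tld}", "trusted")
    sk = skeleton(label)
    for brand in TRUSTED:
        blabel = brand.split(".", 1)[0]
        bsk = skeleton(blabel)
        if sk == bsk:
            # Same skeleton: either only the TLD differs or a lookalike character was used.
            return Verdict(domain, brand, "wrong-tld" if label == blabel else "homoglyph")
        if len(bsk) >= 4 and levenshtein(sk, bsk) == 1:
            return Verdict(domain, brand, "typosquat")
        if bsk in sk:
            return Verdict(domain, brand, "brand-embedded")  # e.g. zerion-support
    return Verdict(domain, None, "unrelated")


def scan(domains: Iterable[str]) -> Dict[str, Verdict]:
    """Map each suspicious domain to its verdict; trusted and unrelated names are dropped."""
    out: Dict[str, Verdict] = {}
    for d in domains:
        v = classify(d)
        if v.reason not in ("trusted", "unrelated"):
            out[d] = v
    return out


if __name__ == "__main__":
    # Constructed candidates for the demo; none are real reported domains.
    samples = ["zerion.io", "zerion.com", "zeri0n.io", "z\u0435rion.io",
               "zerion-support.io", "te1egram.org", "slacks.com", "github.com"]
    for v in scan(samples).values():
        print(f"{v.domain:22} {v.reason:15} -> {v.brand}")
```

The skeleton step is what makes the check robust against the image-manipulation era of lookalikes: the attacker only needs one character a reader will not notice, so matching on the raw string misses exactly the domains that work. Run it over new domains seen in chat-link or e-mail telemetry, and treat any non-`unrelated` verdict as a candidate for blocking and for a warning to the contact who received it.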
Previous reporting from Google’s Mandiant described the group’s use of staged Zoom meetings and noted instances where actors used AI tools to manipulate images or video as part of their deception. Observers say the DPRK’s social engineering capabilities have matured over several years; some industry figures, including MetaMask developer and researcher Taylor Monahan, have warned that North Korean IT personnel have been embedded in crypto projects for years.
Blockchain security firm Elliptic cautions that the combination of sophisticated social engineering and accessible AI tools expands the threat beyond exchanges: individual developers, project contributors, and anyone with privileged access to crypto infrastructure can be targeted.
Cointelegraph reports independently and encourages readers to verify details with primary sources. The publication follows its Editorial Policy and advises readers to consult it for more information.