North Korean Hackers Use AI Social Engineering in $100,000 Crypto Attack on Zerion

North Korea Used AI to Hack Zerion in Second Crypto Attack

It is the second long-term social-engineering attack this month, after the $280 million exploit of the Drift Protocol. Crypto wallet Zerion revealed that North Korean-affiliated hackers used AI in a long-term social engineering attack to steal about $100,000 from the company's hot wallets last week. The Zerion team released a post-mortem on Wednesday, where it confirmed that no user funds, Zerion apps or infrastructure were affected and that it had proactively disabled the web app as a precaution. While the amount was relatively small in crypto hacking terms, it is another incident of a crypto worker being targeted for an "AI-enabled social engineering attack linked to a DPRK threat actor," Zerion said. It is the second attack of this nature this month, following the $280 million exploit of the Drift Protocol, which was the victim of a "structured intelligence operation" by DPRK-affiliated hackers. The human layer, not smart contract bugs, has now become North Korea's primary point of entry into crypto firms. Zerion said the attacker gained access to some team members' logged-in sessions and credentials, as well as private keys to company hot wallets. "This incident showed that AI is changing the way cyber threats work," the company said. It confirmed that the attack was similar to those that had been investigated by the Security Alliance (SEAL) last week. Related: Researchers discover malicious AI agent routers that can steal crypto SEAL reported that it had tracked and blocked 164 domains linked to the DPRK group UNC1069 in a two-month window from February to April. It stated that the group operates "multiweek, low-pressure social engineering campaigns" across Telegram, LinkedIn and Slack. Malicious actors impersonate known contacts or credible brands or leverage access to previously compromised company and individual accounts. "UNC1069's social engineering methodology is defined by patience, precision, and the deliberate weaponization of existing trust relationships." Google's cybersecurity unit Mandiant detailed in February the group's use of fake Zoom meetings and a "known use of AI tools by the threat actor for editing images or videos during the social engineering stage." Earlier this month, MetaMask developer and security researcher Taylor Monahan said North Korean IT workers have been embedding themselves in crypto companies and decentralized finance projects for at least seven years. "The evolution of the DPRK's social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges," blockchain security firm Elliptic said in a blog post earlier this year. "Individual developers, project contributors, and anyone with access to cryptoasset infrastructure is a potential target."

Zerion Links Crypto Attack to North Korean Hackers Using AI Tactics

Zerion plans stronger authentication and security training The Zerion team released a post-mortem report on Wednesday, claiming that North Korean-affiliated hackers were using AI-enabled social engineering in a cyberattack. Hackers stole around $100,000 (roughly Rs. 93.4 lakh) from the company's hot wallets last week. It was later confirmed that no user funds, Zerion apps or infrastructure were affected and that the company had disabled the web app as a precautionary move. Zerion further added that the attacker gained access to some team members' logged-in sessions and credentials, as well as private keys to company hot wallets. Report Highlights Growing Use of AI in Cyberattacks The firm stated that the attack was similar to those that had been investigated by the Security Alliance last week. Between February and April, the nonprofit Security Alliance (SEAL) reported that it had tracked and blocked over 164 domains linked to the DPRK group UNC1069. It was also mentioned in the report that the group operates "multiweek, low-pressure social engineering campaigns" across Telegram, LinkedIn and Slack. Malicious people impersonate trusted brands or known contacts, or they use access to company and individual accounts that have already been hacked. In a post on X, Zerion addressed this issue and gave a glimpse of how the road looked ahead. The crypto wallet said, "This incident showed that AI is changing the way cyber threats work. We are taking steps to further strengthen Zerion's security," The firm added in the post that they will be strengthening internal policies for using credentials and authentication. The Web app will be restored in the next 48 hours. The team will be investing in team security training and working to accelerate security compliance. Last week, security researcher Taylor Manonan claimed that North Korean IT workers have been infiltrating DeFi platforms for the past 7 years. This includes the Drift Protocol hack as well, which disclosed a $280 million (roughly Rs. 2,600 crore) exploit, which also had a DPRK group behind it. Drift Protocol explained that this was not a typical hack, but a months-long, highly coordinated social engineering operation. In a blog post earlier this year, blockchain security firm Elliptic also stated that "The evolution of the DPRK's social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges." This incident reflects how cyber threats in the crypto ecosystem are evolving with the help of AI, which are making attacks more targeted and harder to detect. Cases like Zerion wallet and Drift protocol serve as an example that even established platforms are not immune to cyber threats, and hence, it reinforces the need for stringent security across the crypto landscape.