Crypto wallet Zerion revealed that North Korean-affiliated hackers used AI in a long-term social engineering attack to steal about $100,000 from the company’s hot wallets last week. 

The Zerion team released a post-mortem on Wednesday, where it confirmed that no user funds, Zerion apps or infrastructure were affected and that it had proactively disabled the web app as a precaution. 

While the amount was relatively small in crypto hacking terms, it is another incident of a crypto worker being targeted for an “AI-enabled social engineering attack linked to a DPRK threat actor,” Zerion said.

It is the second attack of this nature this month, following the $280 million exploit of the Drift Protocol, which was the victim of a “structured intelligence operation” by DPRK-affiliated hackers. The human layer, not smart contract bugs, has now become North Korea’s primary point of entry into crypto firms.  

AI is changing the way cyber threats work

Zerion said the attacker gained access to some team members’ logged-in sessions and credentials, as well as private keys to company hot wallets. 

“This incident showed that AI is changing the way cyber threats work,” the company said. 

It confirmed that the attack was similar to those that had been investigated by the Security Alliance (SEAL) last week.

SEAL reported that it had tracked and blocked 164 domains linked to the DPRK group UNC1069 in a two-month window from February to April.

It stated that the group operates “multiweek, low-pressure social engineering campaigns” across Telegram, LinkedIn and Slack. Malicious actors impersonate known contacts or credible brands or leverage access to previously compromised company and individual accounts.

“UNC1069’s social engineering methodology is defined by patience, precision, and the deliberate weaponization of existing trust relationships.”

Google’s cybersecurity unit Mandiant detailed in February the group’s use of fake Zoom meetings and a “known use of AI tools by the threat actor for editing images or videos during the social engineering stage.”

DPRK’s social engineering is evolving

Earlier this month, MetaMask developer and security researcher Taylor Monahan said North Korean IT workers have been embedding themselves in crypto companies and decentralized finance projects for at least seven years.

“The evolution of the DPRK’s social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges,” blockchain security firm Elliptic said in a blog post earlier this year. 

“Individual developers, project contributors, and anyone with access to cryptoasset infrastructure is a potential target.”