North Korean Hackers Hit Zerion With AI Social Engineering Attack

2026/04/15 15:10

Iris Coleman Apr 15, 2026 07:10

Zerion confirms $100K stolen in DPRK-linked hack using AI-powered social engineering, marking second major North Korean crypto attack this month after $285M Drift exploit.

Crypto wallet provider Zerion disclosed Wednesday that North Korean-affiliated hackers stole approximately $100,000 from company hot wallets using AI-enhanced social engineering tactics—the second DPRK-linked attack on a crypto firm in two weeks.

No user funds were compromised, Zerion confirmed in its post-mortem. The company proactively disabled its web app as a precaution after discovering attackers had gained access to team members' logged-in sessions, credentials, and private keys.

The Human Layer Is Now the Attack Surface

The breach follows a pattern that's becoming disturbingly familiar. On April 1, the Drift Protocol lost $285 million in what investigators later traced to a six-month DPRK operation that began in fall 2025. Both attacks bypassed smart contract security entirely, targeting employees instead.

"This incident showed that AI is changing the way cyber threats work," Zerion stated.

The Security Alliance (SEAL) confirmed the attack matches tactics they've been tracking. Between February and April, SEAL blocked 164 domains linked to UNC1069, a DPRK hacking group running what they describe as "multiweek, low-pressure social engineering campaigns" across Telegram, LinkedIn, and Slack.

The group's methodology relies on patience. Attackers impersonate known contacts or credible brands, sometimes leveraging access to previously compromised accounts to build trust over weeks before striking.

AI Tools Supercharging Traditional Tactics

Google's Mandiant cybersecurity unit documented UNC1069's use of fake Zoom meetings back in February, noting the group's "known use of AI tools for editing images or videos during the social engineering stage." The implication: deepfakes and AI-generated content are now standard tools in state-sponsored crypto heists.

MetaMask security researcher Taylor Monahan warned earlier this month that North Korean IT workers have been embedding themselves in crypto companies and DeFi projects for at least seven years. They're not just hacking from outside—they're getting hired.

"The evolution of the DPRK's social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges," blockchain security firm Elliptic noted. "Individual developers, project contributors, and anyone with access to cryptoasset infrastructure is a potential target."

A Billion-Dollar Operation

North Korea's crypto theft operation has evolved into one of the regime's primary revenue streams. The Lazarus Group—DPRK's main hacking unit—has been linked to the $620 million Ronin Network hack in 2022, the $100 million Harmony bridge exploit, and the record-breaking $1.5 billion Bybit theft in February 2025.

The Zerion breach, while relatively small at $100,000, demonstrates that no target is too minor. The real concern for the industry isn't the dollar amount—it's the sophistication. When AI-powered social engineering can compromise internal credentials at well-funded crypto firms, the security model built around code audits and bug bounties starts looking incomplete.

Crypto companies should expect these attacks to accelerate. SEAL's 164 blocked domains in two months suggest an industrial-scale operation, and the AI tools making these campaigns more convincing are only getting better.
