TDPel Media News Agency

North Korean hackers exploit Zerion crypto wallet and steal funds using AI social engineering attack across global digital networks

By Oke Tope

The crypto wallet platform Zerion quietly dealt with a targeted cyberattack that is notable not for the size of the loss but for the method behind it.

About $100,000 was drained from its hot wallets in what the company now describes as a carefully planned, AI-assisted social engineering operation.

The attackers are believed to be linked to North Korea, part of a broader cluster of cyber units often tracked under DPRK-linked threat activity.

One group frequently referenced in investigations is UNC1069, known for long-running deception campaigns aimed at crypto firms.

What makes this case stand out is not just the breach itself, but how human behavior—rather than code—became the weakest point.

How the Attack Slipped Through the Human Layer

According to Zerion’s internal review, attackers didn’t break smart contracts or exploit software bugs.

Instead, they gained access through logged-in sessions, credentials, and private keys tied to company hot wallets.

In other words, they didn’t hack the system—they hacked trust.

The company confirmed that no user funds were affected, and neither its apps nor core infrastructure were compromised.

As a precaution, it temporarily disabled its web application while investigating.

Even though the stolen amount was relatively small compared to major crypto exploits, the method raised alarms across the industry.

AI Is Quietly Changing Social Engineering Attacks

Zerion’s team said the operation reflects a shift in cybercrime tactics, where artificial intelligence is increasingly used to refine deception.

The attackers reportedly ran a long-term social engineering campaign, impersonating trusted contacts and building credibility over time before striking.

Similar techniques have been documented by cybersecurity researchers at the Security Alliance, which recently tracked dozens of malicious domains tied to DPRK-linked operations.

These campaigns often unfold slowly across platforms like Telegram, LinkedIn, and Slack, where attackers pose as colleagues, recruiters, or partners to gain access.

The strategy is simple but effective: don’t rush the victim—wait until trust is fully built.

A Pattern Security Experts Have Been Warning About

This is not an isolated case. Earlier in the same period, a much larger incident involving the Drift Protocol reportedly resulted in losses of around $280 million, also attributed to DPRK-linked attackers using structured social engineering rather than smart contract flaws.

Security researchers have warned that this shift is intentional.

Instead of attacking blockchain code, hackers are increasingly targeting people who hold access keys.

Cybersecurity teams at Mandiant previously reported that some attackers even used fake Zoom meetings and AI-edited media to appear more legitimate during impersonation attempts.

Meanwhile, researchers at Elliptic have noted that North Korean-linked groups have spent years refining infiltration tactics, sometimes embedding operatives directly into crypto-related companies.

The Human Weak Link Becomes the Main Target

Security experts like Taylor Monahan have repeatedly warned that North Korean IT operatives have been infiltrating crypto firms for years, sometimes posing as remote developers or freelancers.

The concern is that AI tools now make these impersonations harder to detect.

Deepfake-style video calls, polished fake resumes, and automated conversation scripts can make fraudulent identities feel real enough to pass casual scrutiny.

In this environment, even experienced teams can struggle to distinguish legitimate colleagues from carefully constructed fake personas.

Impact and Consequences

The Zerion incident highlights a shift in crypto crime strategy.

Instead of relying on technical vulnerabilities, attackers are focusing on psychological manipulation powered by AI tools.

For companies, the biggest consequence is clear: security can no longer be treated as purely technical.

Human access points—logins, chats, onboarding processes—have become critical attack surfaces.

It also raises broader concerns about the scalability of these attacks.

If AI reduces the cost and effort needed for convincing impersonation, more teams across Web3, DeFi, and centralized exchanges could become targets.

For users, the reassurance is that Zerion reported no customer funds were affected.

But the industry-wide signal is less comforting: the next wave of crypto attacks may look more like espionage than hacking.

What’s Next

Expect tighter security protocols across crypto companies, especially around identity verification and internal communications.

Firms are likely to increase monitoring of onboarding processes, require multi-channel identity checks, and adopt stricter controls for wallet access.

At the same time, cybersecurity teams will continue tracking DPRK-linked campaigns, especially those associated with long-term infiltration patterns like UNC1069-style operations.

There is also growing pressure for AI detection tools to become part of standard cybersecurity stacks, especially as impersonation techniques become more advanced and harder to detect manually.

Summary

The Zerion breach wasn’t about code failure—it was about human trust being manipulated with the help of AI tools.

While the financial loss was relatively small, the method signals a bigger shift in how crypto attacks are evolving.

Instead of breaking systems, attackers are increasingly breaking people.

Bulleted Takeaways

  • Zerion lost about $100,000 in a targeted AI-assisted social engineering attack
  • No user funds, apps, or core infrastructure were affected
  • Attackers are believed to be linked to DPRK cyber operations, including UNC1069
  • The breach relied on stolen credentials, session access, and hot wallet keys
  • Security researchers say AI is accelerating impersonation-based crypto scams
  • Groups tracked by Security Alliance and Mandiant have used fake identities and meetings
  • Similar social engineering tactics have been linked to much larger crypto thefts like Drift Protocol
  • Experts warn the “human layer” is now the primary vulnerability in crypto security
  • Future defenses will likely focus on identity verification, AI detection, and access controls

About Oke Tope

Temitope Oke is an experienced copywriter and editor. With a deep understanding of the Nigerian market and global trends, he crafts compelling, persuasive, and engaging content tailored to various audiences. His expertise spans digital marketing, content creation, SEO, and brand messaging. He works with diverse clients, helping them communicate effectively through clear, concise, and impactful language. Passionate about storytelling, he combines creativity with strategic thinking to deliver results that resonate.