Zerion hit by AI-enabled social engineering as North Korean hackers target human layer

North Korean hackers are increasingly bypassing high-tech security barriers by weaponizing artificial intelligence to manipulate the employees behind the code.

Zerion, a popular crypto wallet provider, confirmed on Wednesday that a long-term social engineering campaign linked to the DPRK successfully breached its systems last week. 

While the hackers walked away with roughly $100,000 from the company’s hot wallets, the breach serves as a stark warning about the rising sophistication of “AI-enabled” identity theft within the digital asset industry.

The company reported that the attackers managed to hijack active login sessions and credentials belonging to team members, eventually gaining access to private keys. 

Despite the intrusion, Zerion’s internal post-mortem verified that user funds and core infrastructure remained untouched, though the web app was briefly taken offline as a preventative measure. 

This incident follows a much larger $280 million exploit of Drift Protocol earlier this month, which security analysts described as a “structured intelligence operation” rather than a simple technical bug.

The Security Alliance (SEAL) recently highlighted the scale of this threat after tracking and blocking 164 domains linked to the North Korean group UNC1069. 

Their findings suggest the group specializes in “multiweek, low-pressure social engineering campaigns” conducted across platforms like Slack, Telegram, and LinkedIn. 

By impersonating trusted colleagues or established brands, these actors slowly erode the targets’ defenses before deploying malicious payloads.

“UNC1069’s social engineering methodology is defined by patience, precision, and the deliberate weaponization of existing trust relationships,” SEAL noted in its investigation.

This methodical approach is now being bolstered by generative tools. Google’s Mandiant unit previously identified the use of AI to create deepfake images and videos, allowing hackers to pose as legitimate participants in Zoom meetings. 

The goal is to move past traditional phishing and create a digital environment where a victim has no reason to doubt the person on the other side of the screen.

MetaMask developer Taylor Monahan recently pointed out that this isn’t a new phenomenon, but rather the perfection of a decades-long strategy. 

North Korean IT workers have been quietly integrating themselves into decentralized finance projects and crypto firms for at least seven years, often operating as legitimate contributors.

The blockchain security firm Elliptic explained in a recent analysis that the risk profile for the industry has fundamentally changed. 

“The evolution of the DPRK’s social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges,” the firm stated. 

Individual developers and any staffer with access to internal infrastructure are now viewed as primary entry points for state-sponsored theft, the researcher added.