Crypto wallet provider Zerion has confirmed that North Korean-linked threat actors stole approximately $100,000 from internal company hot wallets after compromising a team member’s device through an AI-assisted social engineering campaign. The company disclosed the incident on April 14, 2026, stating that no user funds, applications, or backend infrastructure were affected. The breach is the second confirmed DPRK-linked social engineering attack on a crypto firm this month, following the $285 million Drift Protocol operation disclosed earlier in April.
How the Attack Unfolded
According to Zerion’s post-mortem, attackers linked to North Korean group UNC1069 conducted a sustained, low-pressure social engineering campaign that successfully compromised a team member’s active logged-in sessions and credentials. The attackers then used that access to extract private keys from several company-controlled hot wallets used for internal testing and operations. Zerion characterized the operation as clearly premeditated, describing the perpetrators as “sophisticated and well-resourced” and confirming the methodology matched attacks previously investigated by the Security Alliance (SEAL).
The campaign relied heavily on AI-generated content to craft convincing impersonations across platforms including Telegram, LinkedIn, and Slack. SEAL, which has been tracking UNC1069 since February 2026, identified 164 malicious domains linked to the group during a two-month window. Researchers describe the group’s standard playbook as multiweek infiltration operations designed to erode targets’ defenses gradually before executing credential theft or malware deployment.
Response and Containment
Upon detecting anomalous activity on April 11, Zerion placed its web application in maintenance mode to prevent any possibility of malicious code being deployed to company domains. The team rotated all exposed credentials and private keys, reconfigured multisig accounts, and ran malware detection scripts across team devices. Zerion worked with security firms Blockaid, ZeroShadow, and ChainPatrol to identify and flag the attacker’s wallets and accounts. Stolen funds were traced to specific addresses and reported to relevant authorities.
Zerion’s self-custodial wallet architecture limited the blast radius significantly — because the platform does not hold user private keys, the breach was contained to company-operated internal accounts. Mobile applications, browser extensions, external API services, and all social media accounts remained unaffected throughout the incident.
A Sharpening Pattern in DPRK Crypto Operations
The Zerion breach fits squarely into a documented strategic shift by North Korean threat actors, who have increasingly moved away from smart contract exploits and technical vulnerabilities toward targeting the humans with access to crypto infrastructure. MetaMask security researcher Taylor Monahan has noted that North Korean IT workers have been quietly embedding themselves inside crypto and DeFi projects for at least seven years. Blockchain intelligence firm Elliptic warned earlier this year that the expanding use of AI to generate deepfakes and highly convincing impersonations means that any individual with access to crypto infrastructure — not just exchanges or large institutions — should consider themselves a potential target.
The $100,000 loss is modest relative to the scale of other recent DPRK operations, but the method is the story. North Korea’s state-linked hacking apparatus is actively industrializing AI-assisted social engineering against the crypto sector, and the Zerion incident shows it works even against security-aware teams at established firms.