North Korean Hackers Use AI to Steal Crypto

Zerion, a cryptocurrency wallet provider, lost approximately $100,000 after DPRK-linked threat actors used AI-enhanced social engineering to compromise employee sessions, credentials, and company-operated hot wallet private keys. Zerion says no user funds or core infrastructure were breached; the company disabled its web app as a precaution and published a post-mortem. Security researchers link the operation to UNC1069 and note a pattern of patient, multiweek campaigns across Telegram, LinkedIn, and Slack that weaponize AI-generated lures and fake video/audio to impersonate trusted contacts. The incident follows a much larger DPRK-linked exploit targeting Drift Protocol, underscoring a shift from smart-contract exploits to human-focused intrusion amplified by generative AI.
What happened
Zerion, a cryptocurrency wallet provider, reported that DPRK-linked hackers stole approximately $100,000 from company-operated hot wallets after an AI-powered social engineering campaign compromised logged-in sessions, credentials, and private keys. Zerion confirmed that no user funds or core infrastructure were breached and temporarily disabled its web application while investigating. The operation is linked by investigators to the UNC1069 threat group and mirrors tactics seen in a recent $285,000,000 breach of Drift Protocol.
Technical details
The attack chain emphasizes human-targeted vectors rather than smart-contract flaws. Evidence and third-party tracking show the attackers used a combination of:
- patient, multiweek reconnaissance and relationship-building using Telegram, LinkedIn, and Slack to establish trust;
- AI-generated lures, including edited images and fabricated meeting artifacts, to impersonate known contacts and brands;
- session hijacking and credential capture to obtain access to logged-in developer or operations sessions;
- exfiltration of private keys from hot wallets once legitimate access was achieved.
Zerion and security organizations describe the methodology as low-pressure and deliberate. The Security Alliance (SEAL) reported blocking 164 domains linked to UNC1069 between February and April. Google's Mandiant previously documented fabricated Zoom meetings and AI editing tools used to enhance plausibility. Zerion summed up the operational shift succinctly: "This incident showed that AI is changing the way cyber threats work."
Context and significance
This incident is another data point in a rapid evolution of state-affiliated cyber operations where generative AI becomes a force multiplier for social engineering. Conventional defenses focused on smart-contract auditing and on-chain monitoring do not address these human-centric entry points. The shift matters for multiple reasons: it broadens the adversary toolkit with scalable, high-fidelity impersonation; it lowers the cost and time required to run multiweek campaigns; and it increases the risk that compromised internal accounts will be leveraged to extract private keys or manipulate operational processes. The proximity of this attack to the large Drift Protocol exploit suggests DPRK actors are refining a repeatable playbook that prioritizes operational security and trust manipulation over code vulnerabilities.
Operational takeaways for practitioners
Prioritize identity and session security, not only code hardening. Key mitigations include strict separation of duties, hardware-backed key management for any operational wallets, aggressive session expiration and anomaly detection, multi-factor authentication that resists SIM and token theft, and phishing-resistant device posture checks. Incident response should assume credential compromise can lead to private-key exposure, so rotate keys and audit wallet access controls after any suspicious session activity.
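The session controls above, as an added illustration that is not Zerion's code or a description of its tooling: a small detector over constructed operations-console log events that flags a session token reused from a different client fingerprint, a session past a strict maximum age, and either condition coinciding with a sensitive hot-wallet action. The event fields, action names and the eight-hour threshold are assumptions for the example.

```python
"""Session-anomaly checks for a wallet operations console (illustrative, assumed log schema)."""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, session_id, user, src_ip, user_agent, action).
# Session s1 is later seen from a different IP/user-agent performing a key export;
# session s2 keeps its fingerprint but is used for signing well past the age limit.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "s1", "alice", "203.0.113.5", "Mac/Chrome", "login"),
    ("2024-03-01T09:20:00", "s1", "alice", "203.0.113.5", "Mac/Chrome", "view_balances"),
    ("2024-03-01T13:05:00", "s1", "alice", "198.51.100.9", "Win/Firefox", "export_hot_wallet_key"),
    ("2024-03-02T09:00:00", "s2", "bob", "203.0.113.7", "Linux/Firefox", "login"),
    ("2024-03-02T09:10:00", "s2", "bob", "203.0.113.7", "Linux/Firefox", "sign_tx"),
    ("2024-03-02T17:30:00", "s2", "bob", "203.0.113.7", "Linux/Firefox", "sign_tx"),
]

MAX_SESSION_AGE = timedelta(hours=8)          # assumed "aggressive" expiry policy
SENSITIVE_ACTIONS = {"export_hot_wallet_key", "sign_tx"}


def analyze_sessions(events, max_age=MAX_SESSION_AGE):
    """Return (session_id, action, reason) findings for anomalous session use.

    The first event for a session id records its baseline client fingerprint
    (IP + user agent) and start time; later events are compared against it.
    """
    baselines = {}   # session_id -> {"started", "ip", "ua"}
    findings = []
    for ts, sid, _user, ip, ua, action in sorted(events):   # ISO timestamps sort correctly
        now = datetime.fromisoformat(ts)
        base = baselines.get(sid)
        if base is None:
            baselines[sid] = {"started": now, "ip": ip, "ua": ua}
            continue
        reasons = []
        if (ip, ua) != (base["ip"], base["ua"]):
            reasons.append("fingerprint_change")      # same token, different client: hijack indicator
        if now - base["started"] > max_age:
            reasons.append("expired_session")         # should have been forced to re-authenticate
        if reasons and action in SENSITIVE_ACTIONS:
            reasons.append("sensitive_action_on_suspect_session")  # escalate: key material at risk
        findings.extend((sid, action, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for finding in analyze_sessions(SAMPLE_EVENTS):
        print(finding)
```

In production the same logic would run on the session store or auth proxy and force re-authentication rather than only alert; the key-rotation step the text recommends follows any "sensitive_action_on_suspect_session" finding.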
What to watch
Expect more AI-augmented social engineering in the near term, with threat groups iterating on deepfake assets and multichannel trust-building. Watch for coordinated defensive responses from major wallet providers, stricter operational key controls, and new detection patterns focused on behavior and relationship signals rather than content alone.
Scoring Rationale
The incident is a notable escalation because DPRK actors are systematically using generative AI to scale social engineering; it changes defensive priorities for crypto firms and security teams. It is important but not paradigm-shifting by itself, so it scores in the notable range.