
North Korea Used AI to Hack Zerion in Second Crypto Attack

Noah Carter
Last updated: April 15, 2026 7:43 am
Published: April 15, 2026

The claim that North Korea used AI to hack Zerion is still partly dependent on secondary reporting, but the confirmed core is narrower and serious: Zerion says a social-engineering intrusion hit company hot wallets while user funds and core infrastructure stayed untouched. That balance makes the episode notable for crypto readers because it shows both how convincing these lures have become and how much operational separation still matters once an attacker gets in.

Contents

  • What happened in the reported Zerion attack
  • How AI was reportedly used in the attack narrative
  • Why a second crypto attack matters for the industry

In a report published on April 15, 2026, Cointelegraph said Zerion attributed last week’s intrusion to North Korea-affiliated hackers who used a long-running social-engineering campaign to steal about $100,000 from company hot wallets.

Estimated Zerion hot-wallet loss: about $100,000

Zerion said the theft hit company hot wallets, while the same report said user funds and infrastructure were not affected.

The same Cointelegraph report said no user funds, Zerion apps, or Zerion infrastructure were affected, and that the company disabled its web app as a precaution while it investigated the breach.

Key Takeaway

  • The reported loss was limited to company wallets, not customer assets, according to Zerion’s account as summarized by Cointelegraph.
  • The AI angle overlaps with UNC1069 tradecraft documented by Mandiant, including fake meetings and ClickFix prompts.
  • Official U.S. guidance in the FBI’s IC3 warning had already told crypto firms to treat script requests and custom teleconference tools as red flags.

What happened in the reported Zerion attack

Zerion’s own post-mortem was not publicly retrievable in full during this reporting, so the direct DPRK attribution and the AI framing remain tied to Cointelegraph’s summary rather than a fully accessible first-party incident note. That limitation matters, but it does not change the narrower confirmed facts around a company-wallet loss and a precautionary shutdown of the web app.

For users, that separation is the main counterweight in the story. A compromise of company wallets is materially different from a breach of customer balances or application infrastructure, much like the access-control concerns raised in “DAO Behind CoW Swap Urges Users to Stay Off Platform After ‘Hijacking’”, where the trust problem extended beyond pure on-chain code.

How AI was reportedly used in the attack narrative

Google’s Mandiant said a February 9, 2026 UNC1069 intrusion against a crypto-sector victim started with a compromised Telegram account and moved into a fake Zoom meeting, a ClickFix infection path, and reported AI-generated video during the social-engineering stage. Mandiant also noted it could not independently verify AI-model use from forensic artifacts, which is why the AI element in Zerion should be treated as reported tradecraft, not settled technical proof.

That caution still leaves a clear pattern. SEAL said it blocked 164 domains tied to UNC1069 and described fake Zoom or Microsoft Teams meetings delivered through Telegram, LinkedIn, and Slack, suggesting that Zerion fits a wider campaign built around impersonation and trusted-contact hijacking rather than a one-off exploit.

“UNC1069’s social engineering methodology is defined by patience, precision, and the deliberate weaponization of existing trust relationships.”

Linked to the Security Alliance advisory.

The FBI’s September 3, 2024 public warning described nearly the same pressure points: tailored outreach to DeFi and crypto staff, followed by requests to run scripts or use custom teleconference software. That matters because AI-generated video, if present, does not replace the old playbook; it upgrades the persuasion layer on top of it.
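An added example, not taken from the article or from any of the cited advisories: a small Python check that classifies the links in a meeting invite by host, the kind of control that fits the fake Zoom and Teams invitations described above. The approved-host list, the brand words and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this organization accepts for meetings; replace with your own list.
APPROVED = ("zoom.us", "zoom.com", "teams.microsoft.com", "teams.live.com")
BRANDS = ("zoom", "teams")  # brand words that should only appear on approved hosts
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def classify_link(url):
    """Return 'approved', 'suspicious' or 'unreviewed' for one invite link."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed netloc, e.g. broken IPv6 brackets
        return "suspicious"
    if parts.username is not None:  # text before '@' is not the real host
        return "suspicious"
    approved = any(host == d or host.endswith("." + d) for d in APPROVED)
    if parts.scheme.lower() == "https" and approved:
        return "approved"
    punycode = any(label.startswith("xn--") for label in host.split("."))
    if punycode or any(b in host for b in BRANDS):
        return "suspicious"  # brand word or IDN label on a non-approved host
    return "unreviewed"  # unrelated link; still verify the sender out of band

def triage(message):
    """Classify every link in a chat message, in order of appearance."""
    links = [u.rstrip(".,)") for u in URL_RE.findall(message)]
    return [(u, classify_link(u)) for u in links]

# Constructed sample message; the .example hosts are placeholders.
SAMPLE = ("Running late, join here: https://zoom.us.meeting-join.example/j/1234567890 "
          "agenda: https://docs.example/agenda.pdf")

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE):
        print(f"{verdict:10} {link}")
```

An "approved" verdict only confirms the host; it says nothing about whether the sender's account is under its owner's control, so the out-of-band identity check in the IC3 guidance still applies.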

Why a second crypto attack matters for the industry

Cointelegraph also described the Zerion case as a second crypto attack of the month after an earlier reported exploit at Drift Protocol, but that comparison remains unconfirmed here because a primary Drift incident document was not reviewed for this article. Even with that caveat, the recurrence question is hard to dismiss when the same SEAL advisory tracked 164 domains and Mandiant documented a matching lure chain in a separate crypto intrusion.

U.S. enforcement adds more weight to that pattern. The DOJ said four North Korean nationals were charged in a remote IT-worker scheme that allegedly took about $175,000 from one blockchain employer and about $740,000 from another, showing how access-based attacks can turn from reconnaissance into direct theft once trust controls break down.

“Individual developers, project contributors and anyone with access to cryptoasset infrastructure is a potential target.”

Linked to Elliptic’s threat analysis.

The broader market context is that crypto adoption keeps moving forward even as operational risk stays unresolved. Coverage such as “Goldman Sachs Bitcoin ETF Filing Targets Income” and “Paxos Labs Raises $12M to Launch Crypto Yield and Lending Platform” reflects continued expansion, but attacks like Zerion show why security controls still sit at the center of trust.

The bull case for Zerion is the company’s claim that user funds and infrastructure were untouched; the bear case is the documented campaign pressure around 164 domains, fake meeting software, and prior DOJ allegations of about $175,000 and about $740,000 in crypto thefts. The next concrete signals to watch are a full Zerion post-mortem, any wallet-level forensic disclosures, and whether more firms adopt the IC3’s guidance on out-of-band identity checks, software whitelisting, and multi-party approvals for transfers.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.
