TL;DR:
- Zerion confirmed that an employee lost approximately $100,000 from internal wallets following a social engineering attack linked to North Korea.
- The attacker accessed active sessions, credentials, and private keys from hot wallets used for internal testing, so no user funds were compromised.
- The Security Alliance identified 164 malicious websites connected to group UNC1069, active since February 2026 and targeting crypto and Web3 firms.
A Zerion employee fell victim to an AI-powered social engineering attack linked to a North Korean (DPRK) threat actor, as confirmed by the company itself in a statement published on X. The incident resulted in the theft of approximately $100,000 from internal hot wallets used for testing and internal operations. No user-related funds were compromised.
The attacker managed to access active sessions, credentials, and private keys from the team’s internal wallets. Zerion clarified that its wallet is fully self-custodial and that no team member has access to users’ private keys or seed phrases. The company’s mobile apps, browser extension, backend infrastructure, and social media accounts also remained intact.
Zerion Responds Quickly and Seeks to Reassure its Community
The post-mortem of the incident notes that the attack was sophisticated and planned, not driven by mere opportunity. Upon detecting the breach, the Zerion team took immediate action: it locked the deployment infrastructure to prevent the attacker from publishing malicious versions on the company’s domains, placed the web application in maintenance mode, and rotated all exposed credentials and private keys. Multisig accounts were also reconfigured. In addition, each team member ran an analysis script on their devices to detect malware similar to that used in the attack.
The company worked with the teams at Blockaid, ZeroShadow, and ChainPatrol to identify and request the removal of the attacker’s wallets and accounts. The stolen funds were traced to specific addresses, which were reported to the relevant authorities.
The Security Alliance (SEAL) has been investigating similar attacks from February 6 through April 7, 2026, and has already identified 164 malicious websites linked to UNC1069, a group backed by North Korea that targets crypto and Web3 companies. SEAL warned that the group uses fake Zoom and Microsoft Teams calls, as well as software attacks to steal funds and sensitive data.
North Korea: The Biggest Enemy of Crypto Security
This incident is part of an already established trend in the industry. According to the most recent report from the FBI’s Internet Crime Complaint Center, cybercrime losses exceeded $20.8 billion in 2025. That same year, more than 22,000 complaints involving artificial intelligence components were recorded, underscoring the growing scale and sophistication of attack vectors targeting the crypto ecosystem.





