AI-Powered Social Engineering: How North Korean Threat Actors Breached Zerion

Following the Drift Protocol's $280 million loss, another extended social-engineering operation has targeted the crypto industry this month.

Cryptocurrency wallet provider Zerion has disclosed that North Korea-linked hackers used artificial intelligence in an extended social engineering operation that resulted in approximately $100,000 being stolen from the platform's hot wallets last week.

On Wednesday, the Zerion team published a detailed post-mortem confirming that user assets, Zerion applications and infrastructure were not compromised, and that the company had temporarily shut down the web application as a precaution.

Although the stolen amount might seem modest compared to other cryptocurrency breaches, this represents yet another case of a cryptocurrency industry employee falling victim to what Zerion described as an "AI-enabled social engineering attack linked to a DPRK threat actor."

This marks the second such attack this month, following the Drift Protocol's $280 million breach, which was characterized as a "structured intelligence operation" orchestrated by DPRK-affiliated hackers. The human element, rather than vulnerabilities in smart contracts, has emerged as North Korea's preferred way into cryptocurrency companies.

AI is changing the way cyber threats work

According to Zerion, the attacker obtained access to logged-in sessions and login credentials belonging to certain team members, as well as the private keys controlling the company's hot wallet infrastructure.

"This incident showed that AI is changing the way cyber threats work," the company said.

The company said the breach resembled other attacks that the Security Alliance (SEAL) had investigated during the preceding week.

SEAL disclosed that over a two-month period, from February to April, it had tracked and neutralized 164 domains associated with the DPRK-linked group designated UNC1069.

The organization explained that the group runs "multiweek, low-pressure social engineering campaigns" on platforms including Telegram, LinkedIn and Slack. The attackers create false identities that mimic familiar contacts or reputable brands, or exploit access gained through previously compromised company and personal accounts.

"UNC1069's social engineering methodology is defined by patience, precision, and the deliberate weaponization of existing trust relationships."

Mandiant, Google's cybersecurity division, documented in February the group's use of fraudulent Zoom meeting invitations and a "known use of AI tools by the threat actor for editing images or videos during the social engineering stage."
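A check a practitioner can run on an unsolicited meeting invitation, added here as an example and not code from Zerion, SEAL or Mandiant: it classifies the invite link by comparing its host with a list of legitimate meeting domains, catching subdomain-style lures, near-miss spellings (including non-Latin look-alike letters) and the trick of placing a trusted name before `@` so that the real host is hidden. The `LEGIT_DOMAINS` set (zoom.us is Zoom's real domain; add the services your organisation uses) and the sample links are assumptions constructed for this example.

```python
"""Flag meeting-invite links whose host is not a legitimate meeting domain.

Added example, not Zerion's, SEAL's or Mandiant's code. Assumptions: the
LEGIT_DOMAINS set is illustrative (zoom.us is Zoom's real domain; add your
own), and the sample URLs below are constructed, not taken from any report.
"""
from urllib.parse import urlparse

# Assumption: the only meeting service this organisation uses is Zoom.
LEGIT_DOMAINS = {"zoom.us"}
MAX_EDIT_DISTANCE = 2  # how close a registered domain may be before it is suspicious


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches z00m.us, zoon.us and Cyrillic-o look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-label public suffixes
    (co.uk and the like) in LEGIT_DOMAINS; use a public-suffix library for real data."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify_invite_url(url: str, legit_domains=LEGIT_DOMAINS):
    """Return (verdict, reason) for a link taken from an unsolicited meeting invite.

    verdict is one of 'legitimate', 'lookalike', 'unknown' or 'invalid'.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return "invalid", "not an http(s) URL with a host"
    # urlparse separates userinfo from the host, so https://zoom.us@evil.example/
    # resolves to evil.example; userinfo in an invite link is itself a lure pattern.
    if parsed.username is not None:
        return "lookalike", "userinfo before the host hides the real domain"
    host = parsed.hostname.lower().rstrip(".")
    for legit in legit_domains:
        if host == legit or host.endswith("." + legit):
            return "legitimate", f"host is under {legit}"
    reg = registered_domain(host)
    for legit in legit_domains:
        brand = legit.split(".")[0]
        if edit_distance(reg, legit) <= MAX_EDIT_DISTANCE:
            return "lookalike", f"{reg} is within {MAX_EDIT_DISTANCE} edits of {legit}"
        if brand in host.replace("-", ""):
            return "lookalike", f"brand '{brand}' appears in a host outside {legit}"
    return "unknown", f"{reg} is not a known meeting domain"


# Constructed sample invites (not from any incident report).
SAMPLE_INVITES = [
    "https://us02web.zoom.us/j/1234567890?pwd=abc",      # real Zoom subdomain
    "https://z00m.us/j/1234567890",                      # digit-zero typosquat
    "https://zoom-us.meeting-invite.example/j/1234567890",  # brand in a subdomain
    "https://zoom.us@evil.example/j/1234567890",         # userinfo trick
    "https://z\u043e\u043em.us/j/1234567890",            # two Cyrillic 'o' letters
    "https://meet.example/abc-defg-hij",                 # unrelated service
    "javascript:alert(1)",                               # not a web link at all
]

if __name__ == "__main__":
    for link in SAMPLE_INVITES:
        verdict, reason = classify_invite_url(link)
        print(f"{verdict:10} {link}  ({reason})")
```

Two limits worth knowing before relying on this: a punycode host (`xn--...`) must be IDNA-decoded before the edit-distance comparison or it will pass as "unknown" rather than "lookalike", and the two-label `registered_domain` heuristic should be replaced by a public-suffix list if legitimate domains such as `example.co.uk` are added. The brand-substring rule deliberately errs toward false positives; a flagged link is a reason to confirm the meeting through a channel the sender did not choose, not proof of an attack.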

DPRK's social engineering is evolving

Earlier this month, Taylor Monahan, a MetaMask developer and security researcher, revealed that North Korean IT workers have been embedding themselves in cryptocurrency companies and decentralized finance projects for at least seven years.

"The evolution of the DPRK's social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges," blockchain security firm Elliptic said in a blog post earlier this year.

"Individual developers, project contributors, and anyone with access to cryptoasset infrastructure is a potential target."

[Figure: DPRK attack vectors diagram. DPRK attack vectors come in two varieties, one more sophisticated than the other. Source: ZachXBT]