Zerion, a prominent cryptocurrency wallet provider, confirmed a security breach on Wednesday, April 15, 2026, resulting in the theft of approximately $100,000 from its company-controlled hot wallets. The attack has been attributed to North Korean state-sponsored hackers, specifically a group identified as UNC1069, who employed sophisticated artificial intelligence (AI)-enabled social engineering tactics.
The hackers did not exploit a technical flaw in Zerion's smart contracts or wallet architecture. Instead, they executed a "multiweek, low-pressure social engineering campaign" across platforms like Slack, LinkedIn, and Telegram. By using AI to impersonate trusted colleagues and create convincing deepfake content, the attackers gradually built trust in order to compromise employee login sessions and credentials and, ultimately, gain access to private keys.
"UNC1069’s social engineering methodology is defined by patience, precision, and the deliberate weaponization of existing trust relationships," noted The Security Alliance (SEAL), which has been tracking the group. SEAL identified and blocked 164 malicious domains linked to UNC1069's campaigns targeting crypto firms.
Zerion's internal investigation verified that user funds and core infrastructure remained secure. As a preventative measure, the company briefly took its web application offline and moved affected assets to cold storage. The incident follows a much larger $280 million exploit of Drift Protocol earlier in the month, which security analysts also described as an intelligence-driven operation.
Security experts warn this marks a dangerous evolution in cyber threats. "The evolution of the DPRK’s social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges," stated blockchain security firm Elliptic. The industry's risk profile is shifting, with individual developers and employees with internal access now seen as primary targets for state-sponsored theft.