In a chilling reminder of the growing sophistication of cyber threats in the cryptocurrency world, a journalist from Fortune magazine narrowly escaped a phishing scam believed to be the work of North Korean hackers. The incident, which unfolded recently, highlights how even seasoned professionals in the crypto space can fall prey to elaborate social engineering tactics. According to reports, the journalist, identified as Weiss, was targeted through a seemingly legitimate professional outreach that quickly turned malicious.
Weiss had been in contact with Adam Swick, a purported Bitcoin strategist exploring the launch of a new digital asset treasury backed by a substantial seed investor. Despite harboring some reservations about the venture, Weiss agreed to join a Zoom call arranged via a link shared on Telegram. What followed was a meticulously crafted deception: the link redirected not to the genuine Zoom platform but to a counterfeit interface that bore striking similarities to the real thing, albeit with subtle discrepancies and intermittent audio glitches.
As the call progressed, the glitches prompted an urgent suggestion from the other participants to download what was described as a necessary software update. Unbeknownst to Weiss at the time, this file was laced with malware designed to exploit vulnerabilities in his computer system. Once installed, the malicious program could potentially log keystrokes, capture screenshots, and grant unauthorized access to sensitive data, including passwords and applications tied to cryptocurrency wallets.
Sensing something amiss amid the technical hiccups, Weiss typed a message to Swick and the hedge fund investor on the call: "This is giving me scam vibes," he wrote, according to details shared in the account of the incident. Acting swiftly on his instincts, Weiss shut down his laptop immediately to prevent any further compromise and reached out to Fortune's IT department for assistance. This quick thinking likely spared him from a more devastating breach.
Security experts quickly weighed in on the episode, attributing it to operatives linked to the Democratic People's Republic of Korea, commonly known as North Korea or DPRK. Taylor Monahan, a prominent security researcher and member of the nonprofit organization SEAL 911, analyzed the attack and confirmed its hallmarks as consistent with North Korean tactics. "The phishing attack was likely the handiwork of DPRK," Monahan stated, emphasizing the group's reputation for targeting high-value individuals in the crypto ecosystem.
Monahan further noted that Weiss had fortuitously avoided executing the core malicious script, which could have resulted in the theft of his passwords, Telegram account credentials, and any associated cryptocurrency holdings. Fortunately for Weiss, his crypto assets were described as minimal, reducing the immediate financial risk. However, the researcher pointed out a broader strategy at play: North Korean hackers are increasingly setting their sights not just on wealthy investors but also on journalists and influencers in the crypto space, whose expansive networks of contacts serve as gateways to even richer targets.
This incident underscores the escalating cyber operations mounted by North Korea against the decentralized finance (DeFi) and broader cryptocurrency sectors. Over the years, the regime has been implicated in numerous high-profile hacks, siphoning billions in digital assets to fund its activities amid international sanctions. The U.S. government and cybersecurity firms have repeatedly flagged North Korean state-sponsored groups, such as the notorious Lazarus Group, as perpetrators of these attacks.
Charles Guillemet, the chief technology officer at Ledger, a leading hardware wallet provider, drew parallels between this phishing attempt and a massive breach earlier this year. In what has been reported as the $1.4 billion Bybit hack of 2025—though details on the exact timeline remain under investigation—hackers employed similar methods, including the compromise of multi-signature wallet signers through social engineering and the insertion of disguised malicious transactions. "It's a similar pattern," Guillemet observed, highlighting how these tactics evolve but retain core elements of deception and exploitation.
The Bybit incident, if confirmed as North Korean in origin, would rank among the largest crypto heists on record, dwarfing previous thefts like the $600 million Ronin Network exploit in 2022, which was definitively tied to Lazarus. Cybersecurity analysts have tracked a surge in such operations, with North Korea allegedly netting over $3 billion in cryptocurrency since 2017, according to estimates from the United Nations and firms like Chainalysis. These funds are often laundered through mixers and converted to fiat to evade detection.
For Weiss, the close call served as a stark personal lesson in the perils of the digital age, particularly within the volatile crypto industry where trust is both a currency and a vulnerability. Fortune's IT team conducted a thorough scan of his device post-incident, confirming no data exfiltration had occurred. Weiss later shared his experience publicly to alert others, emphasizing the deceptive polish of the fake Zoom setup that nearly fooled him.
Experts like Monahan stress that such attacks thrive on the blend of technical prowess and psychological manipulation. The counterfeit Zoom not only replicated the platform's look and feel but also incorporated real-time audio to build rapport during the call. This level of sophistication demands resources typically associated with nation-state actors, reinforcing suspicions of DPRK involvement.
Beyond individual targets, the implications ripple across the crypto community. Journalists, analysts, and even regulatory bodies are now prime candidates for phishing campaigns, as their insights and connections can unlock doors to institutional wallets and private keys. Organizations like SEAL 911 advocate for heightened vigilance, including the use of hardware security keys, regular software updates, and verification of all communication channels.
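One concrete form of the "verification of all communication channels" advice is to check a meeting link before clicking it. The script below is an added example, not code from the original article or from any organization named in it: it parses a link, accepts only hosts that are genuine subdomains of the vendor's real domains, and explains why a rejected host looks like a lookalike (digit-for-letter swaps, the vendor name buried in a different domain, decoy text before an "@", non-ASCII labels, plain http). The allowlist, the confusable table and the sample links are constructed assumptions for illustration.

```python
"""Offline meeting-link checker: flags links whose host is not a genuine
vendor domain, including lookalikes of the kind used in fake-Zoom lures.
Added example; the allowlist and confusable table below are assumptions."""
import unicodedata
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: the vendor's real registrable domains (maintain your own list).
ALLOWED_DOMAINS = ("zoom.us", "zoom.com")

# Substitutions commonly used to build lookalike labels (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


@dataclass
class LinkVerdict:
    url: str
    host: str
    trusted: bool
    reasons: list = field(default_factory=list)


def skeleton(label: str) -> str:
    """Normalise a hostname so visually similar spellings compare equal."""
    s = unicodedata.normalize("NFKC", label).lower()
    # strip combining accents, then apply the confusable substitutions
    s = "".join(c for c in unicodedata.normalize("NFD", s)
                if unicodedata.category(c) != "Mn")
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss brand labels such as 'zom'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_allowed_host(host: str, allowed=ALLOWED_DOMAINS) -> bool:
    """True only for the domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_meeting_link(url: str, allowed=ALLOWED_DOMAINS) -> LinkVerdict:
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")   # urlsplit lowercases the host
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"scheme '{parts.scheme}' is not https")
    if parts.username is not None:
        reasons.append("decoy text before '@' in the URL (userinfo trick)")
    if not host:
        reasons.append("no hostname")
        return LinkVerdict(url, host, False, reasons)
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("non-ASCII or punycode label in host")
    if is_allowed_host(host, allowed):
        return LinkVerdict(url, host, not reasons, reasons)

    reasons.append(f"host '{host}' is not on the vendor allowlist")
    host_skel = skeleton(host)
    first_label = skeleton(host.split(".")[0])
    for d in allowed:
        brand = d.split(".")[0]
        if skeleton(d) in host_skel or brand in host_skel:
            reasons.append(f"host resembles or embeds '{brand}' but is not under '{d}'")
            break
        if levenshtein(first_label, brand) <= 1:
            reasons.append(f"first label '{first_label}' is one edit away from '{brand}'")
            break
    return LinkVerdict(url, host, False, reasons)


if __name__ == "__main__":
    # Constructed sample links: one genuine, the rest modelled on lure patterns.
    for link in ("https://us02web.zoom.us/j/123456789",
                 "https://z00m.us/update",
                 "https://zoom.us@evil.example/j/1",
                 "https://zoom.us.meeting-update.example/join",
                 "http://zoom.us/j/1"):
        v = check_meeting_link(link)
        print("OK  " if v.trusted else "FLAG", link, "; ".join(v.reasons))
```

Run it on a link pasted from a chat before joining; a FLAG with a "resembles or embeds" reason is exactly the redirect-to-counterfeit pattern described above, and the check deliberately inspects only the registrable domain, since a convincing page, real-time audio or a familiar contact name says nothing about where the link actually points.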
As investigations into this specific attack continue, cybersecurity firms are monitoring for similar lures targeting other media professionals. The incident has prompted renewed calls for international cooperation to dismantle North Korea's cyber apparatus. In the meantime, the crypto world remains on high alert, with platforms like Telegram—often used for professional networking—emerging as common vectors for these threats.
Looking ahead, incidents like this could influence how media outlets approach crypto coverage, potentially leading to stricter protocols for virtual meetings and source verification. For the broader financial sector, it serves as a cautionary tale about the intersection of innovation and insecurity. While Weiss escaped unscathed, the episode illustrates that in the shadowy realm of cybercrime, no one is entirely safe.
The story of this phishing attempt, first detailed by Benzinga, has garnered attention across tech and finance circles, underscoring the need for ongoing education and technological defenses. As North Korea's hackers adapt their strategies, the global response must keep pace to protect the burgeoning digital economy.
