In late March, I received a troubling message from Fortune’s IT administrator. “There is a process that’s exposing a vulnerability,” he wrote, telling me that someone might be prowling around my computer. “I need to kill it.” I panicked. A file I had downloaded at 11:04 a.m. had the ability to monitor my keyboard strokes, record my computer screen, see my passwords, and access my apps, according to logs later reviewed by Fortune’s IT department.
After shutting down my laptop, I rushed out of my Brooklyn apartment and ran to the nearest subway station. While waiting for the train to Fortune’s office, where I planned to wipe the laptop with IT’s help, I texted my editor: “I think I may have been phished by the DPRK lol.”
I had reported on the Democratic People’s Republic of Korea and knew the country liked to target American investors. But I’d have never thought its notorious hackers would come after me—and teach me a first-hand lesson about the depths of their deceptions.
‘Scam vibes’
The Hermit Kingdom has been tormenting the crypto industry for years. Cut off from the global financial system by sanctions, the country has resorted to state-sponsored crypto theft to help pay its bills. In 2025 alone, hackers tied to the North Korean military accrued $2 billion in stolen crypto, about 50% more than the year prior, according to data from the crypto analytics firm Chainalysis.
The Democratic People’s Republic of Korea has developed tried-and-true ways to trick its victims. These include convincing companies to hire them as IT workers—and the methods used to trick me.
The North Koreans laid their trap in mid-March. The bait came in the form of a message from a hedge fund investor sent over Telegram, the crypto industry’s messaging app of choice. The investor, whom I’m not naming because he was an anonymous source for stories I had written, asked if I wanted to meet someone named Adam Swick, who had been the chief strategy officer at the Bitcoin miner MARA Holdings.
I replied sure—my source was historically friendly and helpful—and I was put into a group chat. My source said Swick was exploring the creation of a new digital asset treasury and “had a potential large seed investor.”
The venture seemed dubious. Still, I was willing to at least listen to what Swick had to say. On Telegram, he asked me to book a call with him, and one week later, my hedge fund source sent me what appeared to be a Zoom link. I clicked on it.
The program that launched looked like the Zoom I use every day, though something about the design seemed slightly off and the audio didn’t work. I was prompted to update the software to fix the sound issue, and, at the same time, Swick wrote to me: “Looks like Zoom is acting up on your end.” I clicked to download the update.
My adrenaline kicked in when I noticed the link in my browser wasn’t the same as the one sent to me in Telegram, and I asked to move the meeting to Google Meet, another videoconferencing service. “This is giving me scam vibes,” I wrote to Swick and my source, the hedge fund investor.
Swick persisted. “No worry. I just tried it on my PC.”
I didn’t try running the script on my MacBook and decided to leave the Zoom meeting. “If you want to talk to me, let’s do it over Google Meet,” I wrote over Telegram. My source promptly kicked me out of the group chat.
Viral hacks
As I was rushing out of my apartment to go to IT, I messaged Taylor Monahan, a veteran security researcher. She’s a member of SEAL 911, a group of volunteers who help victims targeted in crypto hacks. I sent her the script I had downloaded and the videoconferencing link I had received.
“That’s DPRK,” she messaged me back moments later.
If I had run the script, hackers would have stolen my passwords, my Telegram account, and any crypto I owned. (I, fortunately, only own negligible amounts of Bitcoin and a few other cryptocurrencies.)
The nature of hacks means that it’s rare to be 100% sure of who’s behind them, but, in the case of my near-miss, Monahan told me the link, the script, and even the fake account associated with Adam Swick all pointed to North Korea. Investigators use a mix of evidence, including blockchain analysis, to tie incidents to the Democratic People’s Republic. Two other security researchers who track North Korean hackers later backed up her analysis after I sent them the script and videoconferencing link.
“Tell him Tay says hi lol,” Monahan said, referring to the North Korean who came after me.
Monahan and other security researchers have responded to hundreds of cases in the crypto industry involving fake videoconference calls. The scheme is formulaic but effective.
Hackers take control of a real person’s Telegram account and then reach out to their contacts. Those contacts are asked to log onto a video call, where, invariably, the audio doesn’t work. The victims are asked to run an update to fix the sound problem. When they run the script, the hackers gain access to the victims’ crypto, passwords—and Telegram account. In fact, the same group of North Koreans that targeted me were behind a hack designed to exploit software developers writ large, Google said in a report published Wednesday.
I’m no Lamborghini-driving Bitcoin investor, but North Korea doesn’t just target the wealthy, Monahan told me. She’s seen hackers go after an increasing number of crypto journalists, likely because their Telegram accounts have a substantial Rolodex. Some of those contacts are, maybe, rolling in crypto riches.
Like a virus that hijacks healthy cells, the hackers corrupt those newly compromised accounts and target the users’ contacts. That’s how I was almost infected. I was lulled into a sense of security because I thought I was talking to someone I knew.
‘Fake me’
After I wiped my laptop, changed my passwords, and thanked Fortune’s IT administrator profusely, I eventually called my source on his phone. Unsurprisingly, his Telegram account had been hacked in early March. “I had a lot of contacts on Telegram that I didn’t have stored on my phone or my computer,” he said. “But to me, even more than that, you feel violated knowing someone out there [is] impersonating you, basically using your name to con people.”
And, although he reached out to Telegram multiple times for help over three weeks, he hadn’t received a response. (“While Telegram does everything it can to protect its accounts, it is not possible for any platform to protect users who are tricked into providing their login details to bad actors,” a spokesperson told me in a statement, adding that the app froze the hedge fund investor’s account after I had reached out.)
I also called the real Swick. Hackers had been impersonating him over Telegram since early February, and the former MARA Holdings executive received scores of texts and calls asking him why he wanted to set up meetings. He was always apologetic. “But a few of them have called me out, ‘Dude, what are you apologizing for?’” Swick said. “And I’m like, ‘I don’t know. I’m apologizing for fake me, I guess. I’m so sorry this happened.’”
Swick didn’t know why hackers were impersonating him, and my source, the hedge fund investor, didn’t know how his Telegram account was compromised. But, at the end of our phone call, the investor and I stumbled upon the potential answer.
A fake Swick was one of the last people that the investor had spoken with before his Telegram account was hacked. “I hopped on a Zoom with him and his audio wouldn’t connect,” said my source. “I vaguely remember trying to download something.”
In other words, my source was likely targeted by the same hackers who went after me. After he and I realized that his laptop was potentially corrupted, the hedge fund investor hung up and wiped his computer.
I reached out to the fake Adam Swick on Telegram. “Is this account controlled by someone affiliated with the DPRK?” I wrote.
I still haven’t received a response.
