
Fortune Magazine Reporter: “I Knew North Korean Hackers Were Rampant—Yet I Still Fell for It”
North Korean hackers have targeted cryptocurrency journalists.
By Ben Weiss, Fortune Magazine
Translated by Luffy, Foresight News
In late March, I received a disturbing message from my IT administrator at Fortune Magazine: “A process is exposing system vulnerabilities,” he wrote—someone may already have infiltrated my computer. “I need to terminate it.” I panicked instantly.
According to logs later reviewed by the IT department, a file I downloaded that morning at 11:04 a.m. had capabilities including keystroke logging, screen recording, password theft, and access to all my applications.
I immediately shut my laptop, sprinted out of my Brooklyn apartment, and raced toward the nearest subway station. While waiting for the train to the office, I messaged my editor: “Looks like I got phished by North Korean hackers—LOL.”
I’ve long reported on North Korea and knew the country specifically targets U.S. investors. But I never imagined that these notorious hackers would set their sights on me—or that I’d get firsthand experience of just how sophisticated their deception tactics really are.
It Felt Like a Scam
This “Hermit Kingdom” has been persistently targeting the cryptocurrency industry for years. Sanctioned and excluded from the global financial system, North Korea relies on state-sponsored cryptocurrency theft to sustain its operations.
According to Chainalysis, a cryptocurrency analytics firm, North Korean-linked hackers stole $2 billion worth of cryptocurrency in 2025 alone—a roughly 50% increase over the previous year.
North Korea has refined a playbook of proven social-engineering tricks, including convincing companies to hire its operatives as IT staff and the very same method used to target me.
The trap was laid in mid-March. The bait was a message from a hedge fund investor on Telegram, the most widely used communication app in crypto circles. I can’t name this investor, who had previously served as an anonymous source for my reporting.
He asked if I’d like to meet someone named Adam Swick, formerly Chief Strategy Officer at Bitcoin mining firm MARA Holdings. I replied affirmatively, noting Swick had always struck me as friendly and reliable—and was promptly added to a group chat.
He said Swick was launching a new digital asset treasury, “with one major potential seed investor already lined up.” The project sounded suspicious—but I decided to hear him out.
Swick scheduled a call via Telegram. A week later, my source sent me what appeared to be a Zoom meeting link. I clicked it.
The launched application looked nearly identical to the Zoom I use daily—but subtle design inconsistencies stood out, and there was no audio at all. A system prompt instructed me to update the software to fix the audio issue, while Swick messaged: “Looks like your Zoom isn’t working.” I clicked to download the update package.
Only when I noticed the URL in my browser didn’t match the one sent via Telegram did alarm bells ring. I proposed switching the meeting to Google Meet. “This feels like a scam,” I typed into the group chat, addressing both Swick and my source.
Swick persisted: “Don’t worry—I just tested it on my own computer and it worked fine.”
I refused to run the script on my Mac and abruptly exited the Zoom session. “Let’s talk on Google Meet instead,” I replied in Telegram. My source immediately kicked me out of the group chat.
Viral, Cascading Intrusion
As I rushed out of my apartment en route to IT, I messaged Taylor Monahan, a senior security researcher and member of SEAL 911—a volunteer group helping victims of cryptocurrency theft. I shared the downloaded script and the video-conference link with her.
“This is North Korean hackers,” she replied within seconds.
Had I run that script, the hackers would have stolen my passwords, my Telegram account, and all my cryptocurrency holdings. Fortunately, I only held a small amount of Bitcoin and a few other crypto assets.
Attributing cyberattacks with 100% certainty is inherently difficult—but in my near-miss case, Monahan told me every clue—the link, the script, even the fake Swick account—pointed squarely to North Korea. Investigators correlate such evidence, including blockchain analysis, to tie incidents to Pyongyang. Two other veteran researchers who track North Korean hacking groups independently confirmed this assessment after I shared the script and link with them.
“Say hello to him for me—ha ha,” Monahan joked, referring to the North Korean hacker who’d targeted me.
Monahan and other security researchers have handled hundreds of fraudulent video-conference phishing attacks across the crypto industry. Though formulaic, the scheme is highly effective.
Hackers first compromise a legitimate user’s Telegram account, then contact people in that user’s contact list. Victims are invited to join a video call—but audio never works. They’re then prompted to run an “audio-fix” update program. Once executed, the script grants hackers full access to victims’ crypto assets, passwords, and Telegram accounts.
In fact, Google released a report on Wednesday stating that the same North Korean hacking group behind my attempted breach is simultaneously orchestrating a broader campaign targeting software developers worldwide.
I’m no Lamborghini-driving Bitcoin billionaire—but Monahan told me North Korean hackers don’t exclusively target the wealthy. She’s observed a growing number of crypto journalists becoming targets, likely because their Telegram contacts include extensive professional networks—many of whom are, in turn, crypto millionaires.
Like a virus hijacking healthy cells, hackers compromise these accounts to attack the contacts stored within them. That’s precisely how I almost fell victim: I assumed I was chatting with someone I knew—and let my guard down.
“The Impostor Me”
After completely wiping my laptop, resetting all passwords, and thanking my IT administrator profusely, I finally called my source. As expected, his Telegram account had been compromised back in early March.
“I have tons of contacts on Telegram—none saved on my phone or computer,” he said. “But what hurts more is knowing someone’s impersonating me, using my identity to scam others. That sense of violation is awful.”
Despite reaching out to Telegram multiple times over three weeks seeking help, he received no response. A Telegram spokesperson told me in a statement: “While Telegram does everything possible to protect accounts, no platform can prevent users from being deceived.” He added that, after I contacted them, Telegram had frozen the hedge fund investor’s account.
I also reached out to the real Adam Swick. Since early February, impostors have been posing as him on Telegram. This former MARA executive has fielded countless texts and calls demanding explanations for why he’d scheduled meetings—each time offering apologies.
“But some people reply, ‘Dude, what are you apologizing for?’” Swick said. “So I say, ‘I don’t know—I’m apologizing for the fake me… Really sorry this happened.’”
Swick doesn’t know why hackers chose to impersonate him—and my source remains unsure how his Telegram account was compromised. Yet, near the end of our call, we stumbled upon a likely answer.
Among the last people to contact the investor before his Telegram account was hijacked was a fake Swick. “I had a Zoom call with him—he couldn’t get audio working,” my source recalled. “I vaguely remember downloading something.”
In other words, my source was likely targeted by the same hacking group. Realizing his computer might already be infected, the hedge fund investor hung up immediately and wiped his device.
I messaged the fake Adam Swick on Telegram: “Is this account controlled by North Korean hackers?”
To date, I’ve received no reply.