{"id":2980,"date":"2026-04-02T15:42:11","date_gmt":"2026-04-02T15:42:11","guid":{"rendered":"https:\/\/stock999.top\/?p=2980"},"modified":"2026-04-02T15:42:11","modified_gmt":"2026-04-02T15:42:11","slug":"i-knew-about-north-korean-hackers-they-still-tricked-me-and-got-into-my-computer","status":"publish","type":"post","link":"https:\/\/stock999.top\/?p=2980","title":{"rendered":"I knew about North Korean hackers\u2014they still tricked me and got into my computer"},"content":{"rendered":"<p><img src=\"https:\/\/fortune.com\/img-assets\/wp-content\/uploads\/2026\/03\/Fortune-DPKR-Final.jpg?w=2048\" \/><\/p>\n<p>In late March, I received a troubling message from Fortune\u2019s IT administrator. \u201cThere is a process that\u2019s exposing a vulnerability,\u201d he wrote, telling me that someone may be prowling around my computer. \u201cI need to kill it.\u201d I panicked. A file I had downloaded at 11:04 a.m. had the capacity to monitor my keyboard strokes, record my computer screen, see my passwords, and access my apps, according to logs later reviewed by Fortune\u2019s IT department.<\/p>\n<p>After shutting down my laptop, I rushed out of my Brooklyn apartment and ran to the nearest subway station. While waiting for the train to Fortune\u2019s office, where I planned to wipe the laptop with IT\u2019s help, I texted my editor: \u201cI think I may have been phished by the DPRK lol.\u201d<\/p>\n<p>I had reported on the Democratic People\u2019s Republic of Korea and knew the country liked to target American investors. But I would have never thought its notorious hackers would come after me\u2014and teach me a first-hand lesson about the depths of their deceptions.\u00a0<\/p>\n<p>\u2018Scam vibes\u2019<\/p>\n<p>The Hermit Kingdom has been tormenting the crypto industry for years. Cut off from the global financial system by sanctions, the country has resorted to state-sponsored crypto theft to help pay its bills. 
In 2025 alone, hackers tied to the North Korean army accumulated $2 billion in stolen crypto, about 50% more than the year prior, according to data from the crypto analytics firm Chainalysis.<\/p>\n<p>The Democratic People\u2019s Republic of Korea has developed tried-and-true strategies to trick its victims. These include convincing companies to hire them as IT workers\u2014and the techniques used to trick me.<\/p>\n<p>The North Koreans laid their trap in mid-March. The bait came in the form of a message from a hedge fund investor sent over Telegram, the crypto industry\u2019s messaging app of choice. The investor, whom I\u2019m not naming because he was an anonymous source for stories I had written, asked if I wanted to meet someone named Adam Swick, who had been the chief strategy officer at the Bitcoin miner MARA Holdings.<\/p>\n<p>I replied sure\u2014my source was historically friendly and helpful\u2014and I was put into a group chat. My source said Swick was exploring the creation of a new digital asset treasury and \u201chad a potential large seed investor.\u201d\u00a0<\/p>\n<p>The venture seemed dubious. Still, I was willing to at least listen to what Swick had to say.\u00a0On Telegram, he asked me to book a call with him, and one week later, my hedge fund source sent me what appeared to be a Zoom link. I clicked on it.<\/p>\n<p>The program that launched looked like the Zoom I use every day, though something about the design seemed slightly off and the audio didn\u2019t work. I was prompted to update the software to fix the sound issue, and, at the same time, Swick wrote to me: \u201cLooks like Zoom is acting up on your end.\u201d I clicked to download the update.<\/p>\n<p>My adrenaline kicked in when I saw the link in my browser wasn\u2019t the same as the one sent to me in Telegram, and I asked to move the meeting to Google Meet, another videoconferencing service. 
\u201cThis is giving me scam vibes,\u201d I wrote to Swick and my source, the hedge fund investor.<\/p>\n<p>Swick persisted. \u201cNo worry. I just tried it on my PC.\u201d<\/p>\n<p>I didn\u2019t try running the script on my MacBook and decided to flee the Zoom meeting. \u201cIf you want to talk to me, let\u2019s do it over Google Meet,\u201d I wrote over Telegram. My source promptly kicked me out of the group chat.<\/p>\n<p>Viral hacks<\/p>\n<p>As I was rushing out of my apartment to visit IT, I messaged Taylor Monahan, a veteran security researcher. She\u2019s a member of SEAL 911, a group of volunteers who help victims targeted in crypto hacks. I sent her the script I had downloaded and the videoconferencing link I had received.<\/p>\n<p>\u201cThat\u2019s DPRK,\u201d she messaged me back moments later.<\/p>\n<p>If I had run the script, hackers would have stolen my passwords, my Telegram account, and any crypto I owned. (I, luckily, only own negligible amounts of Bitcoin and a few other cryptocurrencies.)<\/p>\n<p>The nature of hacks means that it\u2019s rare to be 100% sure of who\u2019s behind them, but, in the case of my near-miss, Monahan told me the link, the script, and even the fake account associated with Adam Swick all pointed to North Korea. Investigators use a combination of evidence, including blockchain analysis, to tie incidents to the Democratic People\u2019s Republic. Two other security researchers who track North Korean hackers later backed up her assessment when I sent them the script and videoconferencing link.<\/p>\n<p>\u201cTell him Tay says hi lol,\u201d Monahan said, referring to the North Korean who came after me.<\/p>\n<p>Monahan and other security researchers have responded to hundreds of cases in the crypto industry involving fake videoconference calls. The scheme is formulaic but effective.\u00a0<\/p>\n<p>Hackers take control of a real person\u2019s Telegram account and then reach out to their contacts. 
Those contacts are asked to log onto a video call, where, invariably, the audio doesn\u2019t work. The victims are asked to run an update to fix the sound problem. When they run the script, the hackers gain access to the victims\u2019 crypto, passwords\u2014and Telegram account.\u00a0In fact, the same group of North Koreans that targeted me were behind a hack designed to exploit software developers writ large, Google said in a report published Wednesday.<\/p>\n<p>I\u2019m no Lamborghini-driving Bitcoin investor, but North Korea doesn\u2019t just target the wealthy, Monahan told me. She\u2019s seen hackers go after an increasing number of crypto journalists, likely because their Telegram accounts have a substantial Rolodex. Some of these contacts are, in all probability, rolling in crypto riches.<\/p>\n<p>Like a virus that hijacks healthy cells, the hackers corrupt these newly compromised accounts and target the users\u2019 contacts. That\u2019s how I was almost infected. I was lulled into a sense of safety because I thought I was talking to someone I knew.<\/p>\n<p>\u2018Fake me\u2019<\/p>\n<p>After I wiped my laptop, changed my passwords, and thanked Fortune\u2019s IT administrator profusely, I eventually called my source on his cellphone. Unsurprisingly, his Telegram account had been hacked in early March. \u201cI had a lot of contacts on Telegram that I didn\u2019t have stored on my phone or my computer,\u201d he said. \u201cBut to me, even more than that, you feel violated knowing someone out there [is] impersonating you, basically using your name to con people.\u201d<\/p>\n<p>And, although he reached out to Telegram multiple times for help over three weeks, he hadn\u2019t received a response. 
(\u201cWhile Telegram does everything it can to protect its accounts, it is not possible for any platform to protect users who are tricked into providing their login details to bad actors,\u201d a spokesperson told me in a statement, adding that the app froze the hedge fund investor\u2019s account after I had reached out.)<\/p>\n<p>I also called the real Swick. Hackers had been impersonating him over Telegram since early February, and the former MARA Holdings executive received scores of texts and calls asking him why he wanted to set up meetings. He was always apologetic. \u201cBut a few of them have called me out, \u2018Dude, what are you apologizing for?\u2019\u201d Swick said. \u201cAnd I\u2019m like, \u2018I don\u2019t know. I\u2019m apologizing for fake me, I guess. I\u2019m so sorry this happened.\u2019\u201d<\/p>\n<p>Swick didn\u2019t know why hackers were impersonating him, and my source, the hedge fund investor, didn\u2019t know how his Telegram account was compromised. But, at the end of our phone call, the investor and I stumbled upon the potential answer.\u00a0<\/p>\n<p>A fake Swick was one of the last people that the investor had spoken with before his Telegram account was hacked. \u201cI hopped on a Zoom with him and his audio wouldn\u2019t connect,\u201d said my source. \u201cI vaguely remember trying to download something.\u201d<\/p>\n<p>In other words, my source was likely targeted by the same hackers who went after me. After he and I realized that his laptop was potentially corrupted, the hedge fund investor hung up and wiped his computer.\u00a0<\/p>\n<p>I reached out to the fake Adam Swick on Telegram. \u201cIs this account controlled by someone affiliated with the DPRK?\u201d I wrote.\u00a0<\/p>\n<p>I still haven\u2019t received a response.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In late March, I received a troubling message from Fortune\u2019s IT administrator. 
\u201cThere is a&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[245],"tags":[1353,4212,1354,6864,6862,6863,2520,6861,6865],"_links":{"self":[{"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/posts\/2980"}],"collection":[{"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stock999.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2980"}],"version-history":[{"count":0,"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/posts\/2980\/revisions"}],"wp:attachment":[{"href":"https:\/\/stock999.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stock999.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2980"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stock999.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}