Fortune magazine reporter: Knowing that North Korean hackers are rampant, I still fell for it.

深潮TechFlow
3 hours ago
North Korean hackers have deceived a journalist in the cryptocurrency field.

Written by: Ben Weiss, Fortune Magazine

Translated by: Luffy, Foresight News

In late March, I received a disturbing message from the IT manager at Fortune magazine. “There is a process exposing system vulnerabilities,” he wrote, saying someone may have infiltrated my computer. “I need to terminate it.” I panicked instantly.

According to logs reviewed by the IT department later, a file I downloaded at 11:04 AM that day had capabilities for keystroke logging, screen recording, stealing passwords, and accessing various applications of mine.

I immediately closed my laptop and rushed out of my Brooklyn apartment to the nearest subway station. While waiting for the train to the office, I messaged my editor: “It seems I’ve been phished by North Korean hackers, LOL.”

I had been reporting on North Korean news and knew that this country specifically targets American investors. But I never expected that this notorious group of hackers would target me and let me experience firsthand how sophisticated their deception techniques are.

Feels Like a Scam

This “hermit kingdom” has been consistently troubling the cryptocurrency industry for years. Due to sanctions, North Korea has been excluded from the global financial system and relies on state-sponsored cryptocurrency theft to keep itself running.

Data from cryptocurrency data analytics company Chainalysis shows that in just 2025 alone, hackers related to North Korea stole $2 billion worth of cryptocurrency, an increase of about 50% from the previous year.

North Korea has developed a reliable set of luring tactics, including convincing companies to hire them as IT staff, and the method used to deceive me this time.

The North Korean hackers set the trap in mid-March. The bait was a message from a hedge fund investor on Telegram, the most commonly used communication tool in the cryptocurrency industry. I cannot disclose the investor's name, as he was an anonymous source in my report.

He asked if I wanted to meet someone named Adam Swick, who was the Chief Strategy Officer at the Bitcoin mining company MARA Holdings. I replied that I could, as he had always been friendly and reliable, and then I was added to a group chat.

He said that Swick was preparing to establish a new digital asset repository, “and there’s already a potential large seed investor.” The project sounded suspicious, but I still planned to hear what he had to say.

He scheduled a call on Telegram for me. A week later, this source sent me a link that looked like a Zoom meeting. I clicked in.

The program interface that launched looked similar to the Zoom I use daily, but the design details felt off, and there was no sound. The system prompted me to update the software to fix the audio issue, while Swick messaged me: “It looks like your Zoom is having issues.” I clicked to download the update package.

When I noticed that the link in my browser was inconsistent with the one sent via Telegram, I became instantly alert. I suggested switching the meeting to Google Meet. “This feels like a scam,” I told Swick and the source in the group.

Swick continued to insist: “Don't worry; I just tried it on my computer and had no problems.”

I did not run that script on my Mac and decisively exited the Zoom meeting. “If you want to talk, let’s use Google Meet,” I replied on Telegram. My source immediately kicked me out of the group chat.

Viral Chain Invasion

While rushing to the IT department, I messaged senior security researcher Taylor Monahan. She is a member of SEAL 911, a volunteer group that helps victims of cryptocurrency theft. I sent her the downloaded script and the video conference link.

“This is the work of North Korean hackers,” she replied a few seconds later.

If I had run that script at the time, the hackers would have stolen my passwords, Telegram account, and all the cryptocurrency I held. Fortunately, I only had a small amount of Bitcoin and a few other crypto assets.

The characteristics of hacker attacks make it difficult to determine the perpetrators with 100% certainty, but in the incident where I nearly fell victim, Monahan told me that the link, script, and even the account impersonating Swick all pointed towards North Korea. Investigators can correlate the incident with North Korea using multiple pieces of evidence, including blockchain analysis. Two other security researchers who have long tracked North Korean hackers also confirmed this judgment after I sent them the script and link.

“Say hi to him for me, haha,” Monahan said, referring to the North Korean hacker targeting me.

Monahan and other security researchers have handled hundreds of phishing cases involving fake video conferences in the cryptocurrency industry. The scheme follows a set pattern but is very effective.

The hackers first take control of a real user’s Telegram account, then contact people in their contact list. Victims are asked to join a video conference, but the audio during the call never works properly. Then the victim is induced to run an “audio fix” update program. Once the script is run, the hackers can gain access to the victim’s cryptocurrency assets, passwords, and Telegram account.

In fact, a report released by Google on Wednesday stated that the North Korean hackers targeting me were also planning an attack on a large number of software developers.

I’m not a Bitcoin millionaire driving a Lamborghini, but Monahan told me that North Korean hackers do not only target the wealthy. She found that more and more cryptocurrency journalists are becoming targets, likely because journalists have extensive networks on Telegram. Among these contacts are likely a number of cryptocurrency millionaires.

Just like a virus hijacking healthy cells, the hackers infiltrate these accounts and then attack the contacts within them. I almost fell into this trap myself. I thought I was chatting with someone familiar, and thus lowered my guard.

“Imposter Me”

After completely formatting my computer, changing all my passwords, and thanking the IT manager multiple times, I ultimately called that source. Unsurprisingly, his Telegram account had been stolen way back in early March.

“I have many contacts in Telegram that I haven’t saved on my phone or computer,” he said. “But what’s more upsetting is that someone is impersonating me, using my identity to scam people; that feeling of being violated is just terrible.”

Moreover, despite reaching out to Telegram multiple times for help over the past three weeks, he had received no response. A spokesperson for Telegram told me in a statement: “While Telegram will do everything possible to protect accounts, no platform can prevent users from being scammed.” He added that after I contacted them, the platform had frozen the account of the hedge fund investor.

I also reached out to the real Adam Swick. Since early February, someone had been impersonating him on Telegram, and this former MARA executive received countless messages and calls asking why he was scheduling meetings. Each time he could only apologize.

“But some people counter with, ‘Dude, what are you apologizing for?’” Swick said. “All I can say is: ‘I don’t know; I’m apologizing on behalf of the fake me... I’m really sorry this happened.’”

Swick didn’t know why hackers would impersonate him, and my source was unclear about how his Telegram was stolen. But near the end of the call, we both suddenly found a possible answer.

Before this investor's Telegram account was stolen, one of his last contacts was a fake Swick. “I had a Zoom call with him, and the audio on his end wouldn’t connect,” my source said. “I vaguely remember downloading something at that time.”

In other words, my source was likely targeted by the same group of hackers. When we realized his computer might also be infected, this hedge fund investor immediately hung up and formatted his computer.

I sent a message to the Adam Swick impersonator on Telegram: “Is this account controlled by North Korean hackers?”

To this day, I have not received any reply.
