Fortune Magazine Reporter: Despite knowing that North Korean hackers are rampant, I still got caught.


Byline: Ben Weiss, Fortune Magazine

Compiled by: Luffy, Foresight News

In the last part of March, I received an unsettling message from the IT administrator at Fortune. “A process is exposing a system vulnerability,” he wrote—someone may already have gotten into my computer. “I need to stop it.” I panicked instantly.

Logs later reviewed by the IT department showed that on that same day, at 11:04 a.m., I had downloaded a file capable of keylogging, recording my screen, stealing passwords, and accessing all kinds of applications on my device.

I immediately shut my laptop, sprinted out of my Brooklyn apartment, and headed for the nearest subway station. On the way to the office, while waiting for the train, I messaged my editor: “I think I got phished by North Korean hackers, lol.”

I’ve been covering North Korea-related news for years, and I know the country targets U.S. investors. But I never expected these notorious hackers to come after me—and to let me experience firsthand just how sophisticated their deception really is.

Feels like a scam

For years, the “Hermit Kingdom” has been steadily preying on the crypto industry. Because of sanctions, North Korea is shut out of the global financial system; to keep operating, it relies on state-sponsored cryptocurrency theft.

Data from the blockchain analytics firm Chainalysis shows that in 2025 alone, hackers associated with North Korea stole $2 billion worth of cryptocurrency, about 50% more than the year before.

North Korea has developed a set of tried-and-true luring tactics, including persuading companies to hire them as IT staff—and the same approach is what they used to trick me.

North Korean hackers set the trap in mid-March. The bait was a Telegram message from a hedge fund investor; Telegram is one of the most commonly used communication tools in the crypto industry. I can’t disclose the investor’s name, because he had been an anonymous source in my reporting.

He asked whether I wanted to meet someone named Adam Swick, who previously served as Chief Strategy Officer at the Bitcoin mining firm MARA Holdings. I said sure, since he had always been friendly and reliable, and I was added to a group chat.

He said Swick was preparing to launch a new digital asset treasury, “with at least one potential large seed investor.” The project sounded highly suspicious, but I still decided to hear what he had to say.

He asked to set up a call with me on Telegram. A week later, the source sent me a link that looked like a Zoom meeting. I clicked.

The interface of the “Zoom” app looked pretty much like what I use every day, but the design details were a bit off, and the audio was completely silent. A system prompt told me I needed to update the software to fix the audio issue. At the same time, Swick messaged me: “Looks like Zoom is having issues on your side.” I clicked to download the update package.

The moment I noticed that the link in my browser didn’t match the one sent in the Telegram message, I was instantly on alert. I suggested switching the meeting to Google Meet. “This feels like a scam,” I told Swick and the source in the group chat.

Swick kept insisting: “Don’t worry—I just tried it on my computer and it works fine.”

I didn’t run the script on my Mac. I promptly exited the Zoom meeting. “If you want to chat, use Google Meet,” I replied on Telegram. My source immediately kicked me out of the group chat.

A virus-like chain of compromises

While rushing to the IT department, I messaged a veteran security researcher, Taylor Monahan. She’s a member of SEAL 911, a volunteer group that helps victims of cryptocurrency theft. I sent her the downloaded script and the video meeting link.

“This was done by North Korean hackers,” she replied a few seconds later.

If I had run the script, the hackers would have stolen my passwords, my Telegram account, and all the cryptocurrency I held. Fortunately, I only had a small amount of bitcoin and a few other crypto assets.

The nature of the attack makes it difficult to determine with 100% certainty who was behind it, but in this near-miss Monahan told me that every clue—the links, the script, even the account impersonating Swick—pointed to North Korea. Investigators typically attribute such incidents to North Korea by combining multiple forms of evidence, such as blockchain analysis. Two other long-time security researchers who track North Korean hackers also confirmed this assessment after I sent them the script and link.

“Tell him hi for me, haha,” Monahan said, referring to the North Korean hacker who had targeted me.

Monahan and other security researchers have handled hundreds of fake video-conference phishing cases in the crypto industry. The pattern is standardized, but it’s incredibly effective.

The hackers first take over a real user’s Telegram account, then contact the people in that user’s contact list. The victim is asked to join a video meeting, but the audio in the call never works properly. The victim is then lured into running a “fix audio” update program. Once the script is executed, the hackers can take the victim’s crypto assets, passwords, and Telegram account.
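The two checks that saved the author, the link that was sent versus the link that actually loaded, and a “meeting” that wants you to download an installer, codified as an added example; this is not code from the article, and the allowlist of meeting hosts and the sample links are assumed and constructed.

```python
from urllib.parse import urlparse

# Assumed allowlist: hosts that serve real join pages for the two products
# named in the article (extend for your organisation's own tools).
TRUSTED_MEETING_HOSTS = {"zoom.us": "zoom", "meet.google.com": "meet"}
# File types a genuine "join meeting" link never hands you.
DOWNLOAD_SUFFIXES = (".dmg", ".pkg", ".sh", ".zip", ".exe", ".msi")


def is_trusted_host(host):
    """True only for the exact host or a real subdomain of it.

    Suffix matching with a leading dot rejects tricks such as
    'zoom.us.evil.example', which a plain substring test would accept.
    """
    return any(host == t or host.endswith("." + t) for t in TRUSTED_MEETING_HOSTS)


def check_meeting_link(sent_url, landed_url=None):
    """Return a list of red flags; an empty list means nothing suspicious."""
    flags = []
    hosts = {}
    for label, url in (("sent", sent_url), ("landed", landed_url)):
        if not url:
            continue
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        hosts[label] = host
        if parsed.scheme != "https":
            flags.append(f"{label}: not https")
        if not is_trusted_host(host):
            # A brand word in a host that is not on the allowlist is a lookalike.
            if any(brand in host for brand in TRUSTED_MEETING_HOSTS.values()):
                flags.append(f"{label}: lookalike host {host}")
            else:
                flags.append(f"{label}: untrusted host {host}")
        if parsed.path.lower().endswith(DOWNLOAD_SUFFIXES):
            name = parsed.path.rsplit("/", 1)[-1]
            flags.append(f"{label}: link delivers a download ({name})")
    # The author's own tell: the URL in the browser differed from the one in Telegram.
    if len(hosts) == 2 and hosts["sent"] != hosts["landed"]:
        flags.append(f"redirect: sent host {hosts['sent']} != landed host {hosts['landed']}")
    return flags


if __name__ == "__main__":
    # Constructed sample: a lookalike "meeting" link that ends in an installer.
    for flag in check_meeting_link("https://zoom-meeting.example/join",
                                   "https://zoom-meeting.example/ZoomAudioFix.dmg"):
        print(flag)
```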

In fact, a report Google published on Wednesday said that the North Korean hacking group that targeted me was also planning attacks against software developers more broadly.

I’m not a bitcoin millionaire driving a Lamborghini, but Monahan told me North Korean hackers don’t only go after wealthy people. She found that more and more crypto journalists are becoming targets, likely because journalists’ Telegram accounts contain large networks. Among those contacts, there are probably quite a few crypto millionaires.

Just like a virus hijacking healthy cells, the hackers compromise these accounts, then attack the contacts inside them. That’s exactly how I almost got caught—I thought I was chatting with someone I knew, so my guard was down.

“Impersonating me”

After I fully wiped my computer, changed all my passwords, and repeatedly thanked the IT administrator, I finally called the source. As expected, his Telegram account had been stolen as early as the beginning of March.

“I have a lot of contacts on my Telegram, and they weren’t saved on my phone or computer,” he said. “But what really gets to me is that someone is impersonating me, using my identity to trick people. That feeling of being violated is awful.”

Even though he reached out to Telegram multiple times over three weeks for help, he never got a response. In a statement, a Telegram spokesperson told me: “While Telegram will do everything possible to protect accounts, no platform can prevent users from being tricked.” They added that after I contacted them, the platform had frozen the hedge-fund investor’s account.

I also contacted the real Adam Swick. Starting in early February, someone had been impersonating him on Telegram. This former MARA executive received countless messages and calls, asking why he was setting up a meeting. Each time, all he could do was apologize.

“But some people ask me back, ‘Bro, what are you apologizing for?’” Swick said. “And all I can say is: ‘I don’t know—I’m apologizing on behalf of the fake me… Really sorry this is happening.’”

Swick didn’t know why the hackers would impersonate him, and my source also didn’t know how his Telegram had been stolen. But near the end of our call, both of us suddenly found a possible answer.

Among the last people who contacted that investor on Telegram before it was stolen, there was also a fake Swick. “We had a Zoom call. The audio on his side wouldn’t connect,” my source said. “I vaguely remember downloading something at the time.”

In other words, my source was very likely targeted by the same group of hackers. After we realized his computer might also have been infected, the hedge fund investor immediately hung up and wiped his computer.

On Telegram, I sent a message to the impersonating Adam Swick: “Is this account controlled by North Korean hackers?”

So far, I haven’t received any reply.
