I knew about North Korean hackers—they still tricked me and got into my computer

Source: Fortune
Business, April 2, 2026

In late March, I received a troubling message from Fortune’s IT administrator. “There is a process that’s exposing a vulnerability,” he wrote, telling me that someone may be prowling around my computer. “I need to kill it.” I panicked. A file I had downloaded at 11:04 a.m. had the capacity to monitor my keyboard strokes, record my computer screen, see my passwords, and access my apps, according to logs later reviewed by Fortune’s IT department.

After shutting down my laptop, I rushed out of my Brooklyn apartment and ran to the nearest subway station. While waiting for the train to Fortune’s office, where I planned to wipe the laptop with IT’s help, I texted my editor: “I think I may have been phished by the DPRK lol.”

I had reported on the Democratic People’s Republic of Korea and knew the country liked to target American investors. But I would have never thought its notorious hackers would come after me—and teach me a firsthand lesson about the depths of their deceptions.

‘Scam vibes’

The Hermit Kingdom has been tormenting the crypto industry for years. Cut off from the global financial system by sanctions, the country has resorted to state-sponsored crypto theft to help pay its bills. In 2025 alone, hackers tied to the North Korean army accumulated $2 billion in stolen crypto, about 50% more than the year prior, according to data from crypto analytics firm Chainalysis.

The Democratic People’s Republic of Korea has developed tried-and-true strategies to trick its victims. These include persuading companies to hire them as IT workers—and the techniques used to trick me.

The North Koreans laid their trap in mid-March. The bait came in the form of a message from a hedge fund investor sent over Telegram, the crypto industry’s messaging app of choice. The investor, whom I’m not naming because he was an anonymous source for stories I had written, asked if I wanted to meet someone named Adam Swick, who had been the chief strategy officer at Bitcoin miner MARA Holdings.

I replied, “Sure”—my source was historically friendly and helpful—and I was put into a group chat. My source said Swick was exploring the creation of a new digital asset treasury and “had a potential large seed investor.”

The venture seemed dubious. Still, I was willing to at least listen to what Swick had to say. On Telegram, he asked me to book a call with him, and one week later, my hedge fund source sent me what appeared to be a Zoom link. I clicked on it.

The program that launched looked like the Zoom I use every day, though something about the design seemed slightly off, and the audio didn’t work. I was prompted to update the software to fix the sound issue, and at the same time, Swick wrote to me: “Looks like Zoom is acting up on your end.” I clicked to download the update.

My adrenaline kicked in when I saw the link in my browser wasn’t the same as the one sent to me in Telegram, and I asked to move the meeting to Google Meet, another videoconferencing service. “This is giving me scam vibes,” I wrote to Swick and my source, the hedge fund investor.

Swick persisted: “No worry. I just tried it on my PC.”

I didn’t try running the script on my MacBook and decided to flee the Zoom meeting. “If you want to talk to me, let’s do it over Google Meet,” I wrote over Telegram. My source promptly kicked me out of the group chat.

Viral hacks

As I was rushing out of my apartment to visit IT, I messaged Taylor Monahan, a veteran security researcher. She’s a member of SEAL 911, a group of volunteers who help victims targeted in crypto hacks. I sent her the script I had downloaded and the videoconferencing link I had received.

“That’s DPRK,” she messaged me back moments later.

If I had run the script, hackers would have stolen my passwords, my Telegram account, and any crypto I owned. (Luckily, I own negligible amounts of Bitcoin and a few other cryptocurrencies.)

The nature of hacks means that it’s rare to be 100% sure of who’s behind them, but in the case of my near-miss, Monahan told me the link, the script, and even the fake account associated with Adam Swick all pointed to North Korea. Investigators use a combination of evidence, including blockchain analysis, to tie incidents to the DPRK. Two other security researchers who track North Korean hackers later backed up her assessment when I sent them the script and videoconferencing link.

“Tell him Tay says hi lol,” Monahan said, referring to the North Korean who came after me.

Monahan and other security researchers have responded to hundreds of cases in the crypto industry involving fake videoconference calls. The scheme is formulaic but effective.

Hackers take control of a real person’s Telegram account and then reach out to their contacts. Those contacts are asked to log on to a video call, where, invariably, the audio doesn’t work. The victims are asked to run an update to fix the sound problem. When they run the script, the hackers gain access to the victims’ crypto,
