
I knew about North Korean hackers—they still tricked me and got into my computer

By Ben Weiss, Crypto Reporter
April 2, 2026, 11:32 AM ET
North Korea has been tormenting the crypto industry for years. Photo illustration by Fortune; original photos by Getty Images (3)

In late March, I received a troubling message from Fortune’s IT administrator. “There is a process that’s exposing a vulnerability,” he wrote, telling me that someone may be prowling around my computer. “I need to kill it.” I panicked. A file I had downloaded at 11:04 a.m. had the capacity to monitor my keyboard strokes, record my computer screen, see my passwords, and access my apps, according to logs later reviewed by Fortune’s IT department.


After shutting down my laptop, I rushed out of my Brooklyn apartment and ran to the nearest subway station. While waiting for the train to Fortune’s office, where I planned to wipe the laptop with IT’s help, I texted my editor: “I think I may have been phished by the DPRK lol.”

I had reported on the Democratic People’s Republic of Korea and knew the country liked to target American investors. But I would have never thought its notorious hackers would come after me—and teach me a firsthand lesson about the depths of their deceptions. 

‘Scam vibes’

The Hermit Kingdom has been tormenting the crypto industry for years. Cut off from the global financial system by sanctions, the country has resorted to state-sponsored crypto theft to help pay its bills. In 2025 alone, hackers tied to the North Korean army accumulated $2 billion in stolen crypto, about 50% more than the year prior, according to data from crypto analytics firm Chainalysis.

The Democratic People’s Republic of Korea has developed tried-and-true strategies to trick its victims. These include persuading companies to hire them as IT workers—and the techniques used to trick me.

The North Koreans laid their trap in mid-March. The bait came in the form of a message from a hedge fund investor sent over Telegram, the crypto industry’s messaging app of choice. The investor, whom I’m not naming because he was an anonymous source for stories I had written, asked if I wanted to meet someone named Adam Swick, who had been the chief strategy officer at Bitcoin miner MARA Holdings.

I replied, “Sure”—my source was historically friendly and helpful—and I was put into a group chat. My source said Swick was exploring the creation of a new digital asset treasury and “had a potential large seed investor.” 

The venture seemed dubious. Still, I was willing to at least listen to what Swick had to say. On Telegram, he asked me to book a call with him, and one week later, my hedge fund source sent me what appeared to be a Zoom link. I clicked on it.

The program that launched looked like the Zoom I use every day, though something about the design seemed slightly off, and the audio didn’t work. I was prompted to update the software to fix the sound issue, and at the same time, Swick wrote to me: “Looks like Zoom is acting up on your end.” I clicked to download the update.

My adrenaline kicked in when I saw the link in my browser wasn’t the same as the one sent to me in Telegram, and I asked to move the meeting to Google Meet, another videoconferencing service. “This is giving me scam vibes,” I wrote to Swick and my source, the hedge fund investor.

Swick persisted: “No worry. I just tried it on my PC.”

I didn’t try running the script on my MacBook and decided to flee the Zoom meeting. “If you want to talk to me, let’s do it over Google Meet,” I wrote over Telegram. My source promptly kicked me out of the group chat.

Viral hacks

As I was rushing out of my apartment to visit IT, I messaged Taylor Monahan, a veteran security researcher. She’s a member of SEAL 911, a group of volunteers who help victims targeted in crypto hacks. I sent her the script I had downloaded and the videoconferencing link I had received.

“That’s DPRK,” she messaged me back moments later.

If I had run the script, hackers would have stolen my passwords, my Telegram account, and any crypto I owned. (Luckily, I own negligible amounts of Bitcoin and a few other cryptocurrencies.)

The nature of hacks means that it’s rare to be 100% sure of who’s behind them, but in the case of my near-miss, Monahan told me the link, the script, and even the fake account associated with Adam Swick all pointed to North Korea. Investigators use a combination of evidence, including blockchain analysis, to tie incidents to the DPRK. Two other security researchers who track North Korean hackers later backed up her assessment when I sent them the script and videoconferencing link.

“Tell him Tay says hi lol,” Monahan said, referring to the North Korean who came after me.

Monahan and other security researchers have responded to hundreds of cases in the crypto industry involving fake videoconference calls. The scheme is formulaic but effective. 

Hackers take control of a real person’s Telegram account and then reach out to their contacts. Those contacts are asked to log on to a video call, where, invariably, the audio doesn’t work. The victims are asked to run an update to fix the sound problem. When they run the script, the hackers gain access to the victims’ crypto, passwords—and Telegram account. In fact, the same group of North Koreans that targeted me were behind a hack designed to exploit software developers writ large, Google said in a report published Wednesday.

I’m no Lamborghini-driving Bitcoin investor, but North Korea doesn’t just target the wealthy, Monahan told me. She’s seen hackers go after an increasing number of crypto journalists, likely because their Telegram accounts have a substantial Rolodex. Some of these contacts are, in all probability, rolling in crypto riches.

Like a virus that hijacks healthy cells, the hackers corrupt these newly compromised accounts and target the users’ contacts. That’s how I was almost infected. I was lulled into a sense of safety because I thought I was talking to someone I knew.

‘Fake me’

After I wiped my laptop, changed my passwords, and thanked Fortune’s IT administrator profusely, I eventually called my source on his cell phone. Unsurprisingly, his Telegram account had been hacked in early March. “I had a lot of contacts on Telegram that I didn’t have stored on my phone or my computer,” he said. “But to me, even more than that, you feel violated knowing someone out there [is] impersonating you, basically using your name to con people.”

Although he had reached out to Telegram multiple times for help over three weeks, he hadn’t received a response. (“While Telegram does everything it can to protect its accounts, it is not possible for any platform to protect users who are tricked into providing their log-in details to bad actors,” a spokesperson told me in a statement, adding that the app froze the hedge fund investor’s account after I had reached out.)

I also called the real Swick. Hackers had been impersonating him over Telegram since early February, and the former MARA Holdings executive had received scores of texts and calls asking him why he wanted to set up meetings. He was always apologetic. “But a few of them have called me out, ‘Dude, what are you apologizing for?’” Swick said. “And I’m like, ‘I don’t know. I’m apologizing for fake me, I guess. I’m so sorry this happened.’”

Swick didn’t know why hackers were impersonating him, and my source, the hedge fund investor, didn’t know how his Telegram account had been compromised. But at the end of our phone call, the investor and I stumbled upon a potential answer. 

A fake Swick was one of the last people that the investor had spoken with before his Telegram account was hacked. “I hopped on a Zoom with him, and his audio wouldn’t connect,” said my source. “I vaguely remember trying to download something.”

In other words, my source was likely targeted by the same hackers who went after me. After he and I realized that his laptop was potentially corrupted, the hedge fund investor hung up and wiped his computer. 

I reached out to the fake Adam Swick on Telegram. “Is this account controlled by someone affiliated with the DPRK?” I wrote. 

I still haven’t received a response.

About the Author
Ben Weiss is a crypto reporter at Fortune.
