North Korea accused of attacking crypto wallet, while novel threat campaign targets Obsidian app


While old threat vectors are being exploited in the crypto industry, making a popular wallet the latest victim, a novel campaign abusing a popular note-taking application has been found.

On Wednesday, the Zerion wallet disclosed that after their team members' devices were compromised, Democratic People's Republic of Korea (DPRK)-linked criminals managed to steal $100,000 worth of unspecified crypto assets from the company's hot wallets.

The team claims that it was an AI-enabled social engineering attack.


"This allowed the attacker to gain access to some of the team members’ logged-in sessions and credentials as well as private keys to company hot wallets used for testing and internal purposes," Zerion said, adding that the criminals were "clearly sophisticated and well-resourced."

The team encouraged everyone in the crypto industry to verify all links carefully, treat unexpected permission prompts with suspicion, and be wary of AI-generated video in meeting scenarios.

Meanwhile, cybersecurity firm Elastic Security Labs said it has uncovered a social engineering campaign on LinkedIn and Telegram that abuses Obsidian's legitimate community plugin ecosystem, specifically the Shell Commands and Hider plugins, to execute code when a victim opens a shared cloud vault.


According to the findings, the criminals behind this campaign pose as a venture capital firm and target victims in the financial and crypto industries on LinkedIn, tricking them into using Obsidian, which they claim is the firm's "management database."

With the provided credentials, the potential victim connects to a cloud-hosted vault controlled by the attacker, after which the trojanized plugins execute the attack chain.

"By abusing Obsidian's community plugin ecosystem rather than exploiting a software vulnerability, the attackers bypass traditional security controls entirely, relying on the application's intended functionality to execute arbitrary code," Elastic Security Labs concluded, urging organizations to be aware that legitimate productivity tools can be turned into attack vectors.
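An added defensive example, not code from the article, Zerion, Elastic Security Labs or Obsidian: a Python audit that lists which community plugins a vault enables and pulls any configured command strings out of plugin data files, so a vault received from an outside party can be inspected before it is opened in Obsidian. The plugin ids, the `.obsidian/` layout and the `data.json` key names are assumptions, and the sample vault is constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumed plugin ids for the two plugins named in the article.
WATCHED_PLUGINS = {"obsidian-shellcommands": "Shell Commands", "obsidian-hider": "Hider"}


def _command_strings(node, path="", out=None):
    """Recursively collect string values stored under keys whose name mentions 'command'."""
    out = [] if out is None else out
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str) and "command" in key.lower():
                out.append((child, value))
            else:
                _command_strings(value, child, out)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _command_strings(value, f"{path}[{i}]", out)
    return out


def audit_vault(vault_dir):
    """Report enabled watched plugins and any command strings in plugin config (assumed layout)."""
    cfg = Path(vault_dir) / ".obsidian"
    findings = {"enabled_watched": [], "commands": []}
    enabled_file = cfg / "community-plugins.json"   # assumed: JSON array of enabled plugin ids
    if not enabled_file.is_file():
        return findings
    for plugin_id in json.loads(enabled_file.read_text(encoding="utf-8")):
        if plugin_id in WATCHED_PLUGINS:
            findings["enabled_watched"].append(plugin_id)
        data_file = cfg / "plugins" / plugin_id / "data.json"  # assumed per-plugin settings file
        if data_file.is_file():
            try:
                data = json.loads(data_file.read_text(encoding="utf-8"))
            except json.JSONDecodeError:
                continue  # unreadable settings are not silently trusted; they are skipped here
            findings["commands"] += [(plugin_id, k, v) for k, v in _command_strings(data)]
    return findings


def build_sample_vault():
    """Constructed sample vault (not from the campaign) in a temp dir; returns its path."""
    root = tempfile.mkdtemp()
    plugin_dir = Path(root) / ".obsidian" / "plugins" / "obsidian-shellcommands"
    plugin_dir.mkdir(parents=True)
    (Path(root) / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["obsidian-shellcommands", "obsidian-hider"]))
    (plugin_dir / "data.json").write_text(json.dumps({"shell_commands": [
        {"shell_command": "echo constructed-sample", "events": {"after-vault-opened": {"enabled": True}}}]}))
    return root
```

Run `audit_vault` against a vault directory and treat any entry in `commands` as something to review by hand before the vault is opened.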
