Decentralized Finance and the North Korean phishing plot at Fortune

A Fortune reporter’s brush with a suspected DPRK phishing scheme shows how decentralized finance targets and crypto theft keep converging.

I knew about North Korean hackers—they still tricked me and got into my computer | Fortune

The reporter thought he was being pitched a routine crypto meeting in mid-March. Instead, the chain of messages and links that followed led to a suspected North Korean phishing attempt, a dangerous download on his computer and a late-night sprint to IT when his machine started exposing a vulnerability.

The warning came in late March from Fortune’s IT administrator, who wrote that there was a process exposing a vulnerability and that he needed to kill it. Schwartz later learned that a file he downloaded at 11:04 a.m. could monitor his keyboard strokes, record his screen, see his passwords and access his apps. He texted his editor, “I think I may have been phished by the DPRK lol.”

The encounter began when a hedge fund investor messaged Schwartz on Telegram and asked whether he wanted to meet , whom the investor described as having been the chief strategy officer at Bitcoin miner . The investor said Swick was exploring the creation of a new digital asset treasury and had a potential large seed investor. Schwartz was put into a Telegram group chat, and Swick asked him to book a call.

One week later, the hedge fund source sent what appeared to be a Zoom link. Schwartz clicked it and a program launched that looked like the Zoom he uses every day, but the audio did not work and he was prompted to update the software to fix the sound issue. Swick wrote, “Looks like Zoom is acting up on your end.” Schwartz clicked to download the update, then noticed the browser link was not the same as the one sent in Telegram. He asked to move the meeting to Google Meet and wrote, “This is giving me scam vibes,” to Swick and the hedge fund investor. Swick replied, “No worry. I just tried it on my PC.”

Schwartz decided not to run the script on his MacBook and fled the Zoom meeting. Over Telegram, he wrote, “If you want to talk to me, let’s do it over Google Meet,” and the source promptly kicked him out of the group chat. As he rushed out of his apartment to visit IT, he messaged , a veteran security researcher and member of , a volunteer group that helps victims.

The episode lands in the middle of a long-running North Korean campaign against the crypto industry. The article says hackers tied to the North Korean army accumulated $2 billion in stolen crypto in 2025, about 50% more than the year before. North Korean hackers have been tormenting the crypto industry for years, and the state has used that theft to help pay its bills after sanctions cut it off from the global financial system. One tactic is persuading companies to hire North Koreans as IT workers, while another is the kind of deception aimed at American investors that Schwartz stumbled into.

For Schwartz, the story is not just that a phishing message arrived in his inbox. It is that a polished pitch, a fake video call and a mislabeled download were enough to turn an ordinary workday into a security incident. The next question is less about whether North Korean hackers are still trying this and more about how many other investors and reporters are clicking before they notice the seams.
