Security Incident Report: 10th April, 2025
2025-04-10 • Zoth
https://medium.com/@zoth.io/security-incident-report-10th-april-2025-4dd9ed72e869
Zoth's April 2025 incident report says attackers used social engineering against a service provider to gain access to the Zoth deployer wallet and perform an unauthorized contract upgrade against the ZeUSD platform. The malicious upgrade used upgradeToAndCall and delegatecall to alter proxy behavior, draining one USD0++ sub-vault for about $8.45 million before Zoth froze roughly $20 million in other sub-vault assets. Crystal Intelligence and forensic investigators found repeated attack attempts, wallet funding through HTX and ChangeNOW, bridges and VPNs used to obscure movement, and endpoint evidence of fileless WMI-linked malware and suspicious services. The source does not attribute the incident to Lazarus or another DPRK actor, but it provides useful detail on privileged-wallet compromise, malicious upgrade abuse, and post-theft tracing.
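The summary above describes the attack path (a compromised deployer key calling upgradeToAndCall on a proxy) but not what a defender watches for. The following is an added illustration, not code from the Zoth report or the ZeUSD project: a small detector that scans a transaction feed for proxy-upgrade calls on monitored contracts and escalates when the caller is a lone deployer key instead of the expected multisig or timelock. The addresses and transactions are constructed placeholders; the two selectors are the standard ERC-1967/UUPS ones (`upgradeTo(address)` = 0x3659cfe6, `upgradeToAndCall(address,bytes)` = 0x4f1ef286).

```python
"""Flag privileged proxy-upgrade transactions in a transaction feed.

Added example (not from the Zoth report). It demonstrates the detection
point of the incident summary: an upgrade call on a proxy is always
noteworthy, and one sent by a single deployer key rather than the approved
multisig/timelock is the pattern a compromised privileged wallet produces.
"""
from dataclasses import dataclass
from typing import Iterable, List

# First 4 bytes of keccak256 of the canonical signature (standard UUPS/ERC-1967).
UPGRADE_SELECTORS = {
    "0x3659cfe6": "upgradeTo(address)",
    "0x4f1ef286": "upgradeToAndCall(address,bytes)",
}


@dataclass
class Tx:
    hash: str    # transaction hash (constructed placeholder in the demo)
    sender: str  # msg.sender / EOA that signed the transaction
    to: str      # contract called
    data: str    # hex calldata, "0x" + selector + ABI-encoded arguments


@dataclass
class Alert:
    tx_hash: str
    severity: str   # "medium" for an approved upgrader, "critical" otherwise
    function: str
    new_impl: str   # implementation address decoded from the first argument


def selector(data: str) -> str:
    """Return the 4-byte function selector ("0x" + 8 hex chars)."""
    return data[:10].lower()


def first_address_arg(data: str) -> str:
    """Decode the first ABI word (32 bytes) as an address: the low 20 bytes."""
    word = data[10:74]
    return "0x" + word[-40:].lower()


def detect_upgrades(txs: Iterable[Tx],
                    monitored_proxies: Iterable[str],
                    approved_upgraders: Iterable[str]) -> List[Alert]:
    """Return one alert per upgrade call aimed at a monitored proxy.

    An upgrade from an approved upgrader (multisig/timelock) is still worth
    a medium alert because a legitimate upgrade should be a planned event;
    any other sender is critical, since it means a single key with
    upgrade rights is acting alone, which is how the incident above unfolded.
    """
    proxies = {a.lower() for a in monitored_proxies}
    approved = {a.lower() for a in approved_upgraders}
    alerts: List[Alert] = []
    for tx in txs:
        if tx.to.lower() not in proxies:
            continue
        fn = UPGRADE_SELECTORS.get(selector(tx.data))
        if fn is None:
            continue  # ordinary call to the proxy, not an upgrade
        severity = "medium" if tx.sender.lower() in approved else "critical"
        alerts.append(Alert(tx.hash, severity, fn, first_address_arg(tx.data)))
    return alerts


# Constructed demo data: none of these addresses or hashes are real.
PROXY = "0x" + "11" * 20
MULTISIG = "0x" + "22" * 20
DEPLOYER_EOA = "0x" + "33" * 20
ROGUE_IMPL = "0x" + "bb" * 20
PLANNED_IMPL = "0x" + "cc" * 20


def _addr_word(addr: str) -> str:
    return addr[2:].rjust(64, "0")


DEMO_TXS = [
    # routine ERC-20 transfer through the proxy: must not alert
    Tx("0xtx1", DEPLOYER_EOA, PROXY, "0xa9059cbb" + _addr_word(MULTISIG) + "0" * 64),
    # upgradeToAndCall from a lone deployer key: critical
    Tx("0xtx2", DEPLOYER_EOA, PROXY, "0x4f1ef286" + _addr_word(ROGUE_IMPL) + "0" * 128),
    # upgradeTo from the approved multisig: medium (planned change)
    Tx("0xtx3", MULTISIG, PROXY, "0x3659cfe6" + _addr_word(PLANNED_IMPL)),
]


def run_demo() -> List[Alert]:
    return detect_upgrades(DEMO_TXS, [PROXY], [MULTISIG])


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.severity.upper():8} {a.tx_hash} {a.function} -> {a.new_impl}")
```

In practice the feed would come from a node's pending-transaction stream or an indexer, and the critical branch would page on-call, because once `upgradeToAndCall` has executed, the new implementation's initializer already ran in the proxy's storage context. The approved set should hold only the multisig or timelock address; a deployer EOA that still holds upgrade rights is itself a finding.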