A North Korean-aligned cybercrime group has been observed using artificial intelligence tools to significantly scale up its hacking operations, enabling what researchers describe as relatively unskilled operators to carry out sophisticated malware campaigns and steal millions of dollars in cryptocurrency. The group, identified by cybersecurity firm Expel as HexagonalRodent, reportedly compromised more than 2,000 computers in a targeted campaign focused on developers working on cryptocurrency launches, NFT projects, and Web3 platforms. The operation demonstrates how generative AI tools are increasingly being used not for hypothetical future attacks but for active, ongoing cybercrime that delivers real financial impact.
According to Expel’s findings, the hackers leveraged AI tools, including those from OpenAI, Cursor, and Anima, to “vibe code” nearly every stage of their intrusion chain. This included writing malware, designing fake company websites, and building the phishing infrastructure used to deceive victims through fraudulent job opportunities. Victims were typically approached with fake recruitment offers from fabricated tech companies, complete with AI-generated websites and coding assignments. Once downloaded, these assignments installed malware that extracted sensitive credentials and, in some cases, provided access to cryptocurrency wallets holding significant digital assets. The campaign is estimated to have generated as much as 12 million dollars in stolen cryptocurrency over a three-month period.
Security researchers noted that, despite the effectiveness of the operation, the threat actors made operational mistakes that exposed parts of their infrastructure. These included leaking prompts used in AI systems such as ChatGPT and Cursor, as well as exposing databases used to track victim wallets. These exposed elements allowed analysts to estimate potential losses and better understand the scale of the campaign. Further investigation into the malware showed extensive AI-generated characteristics, including detailed English-language comments and embedded emojis, which are unusual for the traditionally structured malware code associated with North Korean operators. Researchers also identified command-and-control infrastructure linked to known North Korean cyber activity, reinforcing attribution to state-aligned operations.
The malware itself was deployed in multi-stage infection chains and designed for credential theft and system infiltration. It enabled attackers to access sensitive information such as login credentials and private keys associated with cryptocurrency holdings. Analysts also highlighted that the campaign’s targeting strategy focused on individual developers rather than large enterprises, allowing attackers to bypass more advanced enterprise-level security systems. According to cybersecurity experts, this approach allowed the group to operate effectively in environments where endpoint detection and response systems were either absent or only partially deployed. The use of AI tools significantly reduced the technical barrier to execution, enabling operators with limited coding experience to participate in complex cyber intrusion activities.
Researchers further noted that North Korea’s cyber operations are increasingly integrating generative AI across multiple stages of attack development, including phishing, infrastructure creation, and malware refinement. Reports from OpenAI and Anthropic confirm that suspected North Korean actors have used AI systems to support fraudulent IT worker schemes, generate technical responses during interviews, and develop malicious code. Security firms have also observed the use of deepfake tools for identity manipulation and AI-generated résumés to support infiltration into technology companies. While AI companies have taken steps to block malicious usage, researchers warn that the technology is acting as a force multiplier for state-aligned cyber operations, increasing both the speed and scale of attacks while lowering entry barriers for less skilled operators.