
North Korean Hackers Use AI to Steal Millions

Originally published on: April 22, 2026
Summary

– A North Korean state-sponsored hacking group used AI tools to carry out a cryptocurrency theft campaign that infected over 2,000 computers.
– The group, called HexagonalRodent, used AI to write malware and create fake websites for phishing, stealing an estimated $12 million.
– Security researchers note the hackers were relatively unskilled, with AI enabling them to perform tasks they otherwise could not.
– The hackers’ infrastructure was poorly secured, leaking the AI prompts they used and exposing a database of victim wallets.
– The malware code contained English comments and emojis, which are telltale signs of AI-generated software.

While visions of AI-powered super-hackers exploiting any software flaw remain a future concern, the technology is already reshaping cybercrime in a more immediate way. It is empowering less skilled actors to launch surprisingly effective attacks. A recent investigation has uncovered a North Korean state-sponsored hacking group using widely available AI tools to orchestrate a multi-million dollar cryptocurrency theft campaign, demonstrating how artificial intelligence is lowering the barrier to entry for sophisticated cyber operations.

Cybersecurity firm Expel detailed the operation this week, attributing it to a group it calls HexagonalRodent. The campaign infected over 2,000 computers with credential-stealing malware, specifically targeting developers involved in cryptocurrency, NFT, and Web3 projects. By leveraging AI platforms from U.S. companies such as OpenAI and Cursor, the group automated nearly every phase of its attack. It used these tools to write malicious code, design phishing websites, and build out fake company profiles for its schemes. This AI-enabled approach allowed the group to steal an estimated $12 million in cryptocurrency within just three months.

Security researcher Marcus Hutchins, who identified the group, emphasizes that the campaign’s significance lies not in its technical brilliance but in its demonstration of AI as a force multiplier. “These operators don’t have the skills to write code. They don’t have the skills to set up infrastructure. AI is actually enabling them to do things that they otherwise just would not be able to do,” Hutchins stated. He gained recognition for previously neutralizing the WannaCry ransomware, which was also linked to North Korean hackers.

The operation employed a social engineering ruse, luring developers with fake job offers at fabricated tech companies. The hackers created convincing, AI-designed websites for these fictitious firms. As part of the recruitment process, targets were asked to complete a coding test, which was actually malware designed to infiltrate their systems and steal sensitive credentials, including those for cryptocurrency wallets.

Despite the campaign’s overall effectiveness, the hackers made critical operational security errors. They left parts of their own infrastructure exposed, inadvertently revealing the AI prompts used to generate their malware. They also failed to secure a database tracking victim wallets, which provided Expel with the data to estimate the total theft. Hutchins notes that while the associated wallets held $12 million, it is unclear in every case whether the hackers had already fully drained the funds or were still attempting to access wallets protected by additional security measures.

Forensic analysis of the malware itself provided further evidence of heavy AI use. The code was extensively annotated with comments in English, an unusual practice for North Korean programmers. More tellingly, the scripts were littered with emojis, a hallmark of code generated by large language models, since human programmers rarely insert them. “It’s a pretty well-documented sign of AI-written code,” Hutchins confirmed. These clues, alongside infrastructure links to known North Korean operations, painted a clear picture of a relatively unskilled team leveraging artificial intelligence to conduct a high-stakes, state-aligned cybercrime spree.
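The two indicators above (emoji in comments and an unusually comment-heavy script) can be turned into a quick triage check for files received as "coding tests" or pulled from a suspicious repository. The following is an added example written for this article, not code from Expel or the researchers; the emoji ranges, the comment syntaxes covered and the 30% comment-ratio threshold are the author's assumptions, and a hit is a reason to inspect the file in a sandbox, not attribution on its own.

```python
import re
from typing import Dict

# Assumed (non-exhaustive) Unicode ranges where common emoji live.
EMOJI_RE = re.compile("[\U0001F300-\U0001FAFF\u2600-\u27BF\u2B50\u2B55]")
# Whole-line comments in Python/shell (#) and JavaScript (//) style.
COMMENT_RE = re.compile(r"^\s*(#|//)(.*)$")


def ai_code_indicators(source: str) -> Dict[str, float]:
    """Count the heuristics named in the article: emoji inside comments
    and the share of non-blank lines that are comments."""
    code_lines = [ln for ln in source.splitlines() if ln.strip()]
    comment_lines = [m.group(2) for ln in code_lines if (m := COMMENT_RE.match(ln))]
    emoji_in_comments = sum(len(EMOJI_RE.findall(c)) for c in comment_lines)
    total = len(code_lines) or 1  # avoid division by zero on empty input
    return {
        "nonblank_lines": len(code_lines),
        "comment_lines": len(comment_lines),
        "comment_ratio": len(comment_lines) / total,
        "emoji_in_comments": emoji_in_comments,
    }


def looks_ai_annotated(source: str, min_comment_ratio: float = 0.3) -> bool:
    """Triage verdict: any emoji in a comment, or a comment-heavy script.
    The threshold is an assumed starting point; tune it on your own corpus."""
    ind = ai_code_indicators(source)
    return ind["emoji_in_comments"] > 0 or ind["comment_ratio"] >= min_comment_ratio


# Constructed sample in the style the article describes (emoji-annotated).
SAMPLE_ANNOTATED = """\
# 🚀 Load the candidate's configuration
import json
# 📂 Read the config file
cfg = json.load(open("config.json"))
# ✅ Validate the result
print(cfg)
"""

# Constructed plain sample with only a terse trailing comment.
SAMPLE_PLAIN = """\
import json
cfg = json.load(open("config.json"))  # config
print(cfg)
"""

if __name__ == "__main__":
    for name, src in (("annotated", SAMPLE_ANNOTATED), ("plain", SAMPLE_PLAIN)):
        print(name, ai_code_indicators(src), "flag:", looks_ai_annotated(src))
```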

(Source: Wired)
