North Korean Hackers Used AI Tools to Steal $12 Million in Crypto From 2,000 Victims

This article was generated by AI and cites original sources.

A North Korean state-sponsored hacking group used AI tools to carry out a large-scale cryptocurrency theft campaign, stealing as much as $12 million from more than 2,000 victims over three months, cybersecurity firm Expel revealed in April 2026.

The group, which Expel calls HexagonalRodent, targeted developers working on small cryptocurrency launches, NFT creation, and Web3 projects. Hackers lured victims with fraudulent job offers, building fake company websites — many created using AI web design tools — to add legitimacy to their phishing schemes. Victims were eventually asked to download a coding assignment as part of a supposed hiring test, which was infected with credential-stealing malware that could access the keys controlling their crypto wallets.

Security researcher Marcus Hutchins, who discovered the group and is known for disabling the WannaCry ransomware worm linked to North Korean hackers, said what stands out is not the campaign’s sophistication but how AI enabled an unskilled group to execute it at all. “These operators don’t have the skills to write code. They don’t have the skills to set up infrastructure. AI is actually enabling them to do things that they otherwise just would not be able to do,” Hutchins said.

The hackers used AI tools from US-based companies including OpenAI, Cursor, and Anima to “vibe code” nearly every component of the operation, from writing malware to constructing phishing websites. The group’s lack of skill was also evident in their mistakes — they left parts of their infrastructure unsecured, exposing the prompts they used to generate malware and a database tracking victim wallets, which allowed Expel to estimate the total stolen amount.

Hutchins found additional evidence of AI-generated code in the malware itself: it was heavily annotated with comments written in English, unusual for North Korean operators, and was littered with emojis. Hutchins noted that emoji use in code can signal AI authorship, since programmers typing on a PC keyboard rarely insert them manually. “It’s a pretty well-documented sign of AI-written code,” he said. Command-and-control servers for the malware also tied the operation to known North Korean hacking activity.
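As an added illustration (not code from the article, Expel, or Hutchins), the heuristic above turned into a small Python triage helper a defender could run over a downloaded "coding assignment" before executing anything in it: it pulls out comments and counts how many carry emoji. The sample inputs and the review threshold are constructed assumptions, and a hit is only a cue for manual review, not proof of AI authorship.

```python
import re
import unicodedata

# Comments in the languages a take-home "coding assignment" usually ships in:
# '#' lines (Python, shell) and C-style '//' and '/* ... */' (JS, C, Go, Rust).
# Deliberately simple: a '#include' or a '//' inside a URL string is captured
# too, which only matters if that text happens to contain emoji.
_COMMENT_RE = re.compile(r"#[^\n]*|//[^\n]*|/\*.*?\*/", re.DOTALL)


def is_emoji(ch: str) -> bool:
    """True for pictographic code points (U+1F000 and above) and other
    'Symbol, other' characters such as check marks; ASCII never matches."""
    return ord(ch) >= 0x1F000 or unicodedata.category(ch) == "So"


def extract_comments(source: str) -> list[str]:
    """Return every comment span found in the source text."""
    return _COMMENT_RE.findall(source)


def emoji_comment_stats(source: str) -> dict[str, int]:
    """Count comments, comments containing at least one emoji, and total emoji."""
    comments = extract_comments(source)
    flagged = [c for c in comments if any(is_emoji(ch) for ch in c)]
    return {
        "comments": len(comments),
        "emoji_comments": len(flagged),
        "emoji_total": sum(1 for c in flagged for ch in c if is_emoji(ch)),
    }


def needs_review(source: str, min_emoji_comments: int = 2) -> bool:
    """Assumed threshold: flag a file once several comments carry emoji."""
    return emoji_comment_stats(source)["emoji_comments"] >= min_emoji_comments


# Constructed samples: an LLM-styled snippet and a plain human-styled one.
SUSPICIOUS_SAMPLE = """\
// 🚀 Initialize the wallet connector
const connect = async () => {
  // ✅ Grab the seed phrase from local storage
  const seed = localStorage.getItem('seed'); // 🔑 secret material
};
"""

PLAIN_SAMPLE = """\
# Load the config file and return the parsed dictionary.
def load_config(path):
    with open(path) as fh:  # read as text
        return parse(fh.read())
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, emoji_comment_stats(src), "review" if needs_review(src) else "ok")
```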

The case suggests AI tools may be lowering the skill threshold required to conduct effective cybercrime campaigns, allowing less capable actors to carry out operations that generate significant financial returns for state-sponsored programs.

Source: Business Latest