AI Tools Empowering Average North Korean Hackers to Exfiltrate Millions

The emergence of AI hacking tools has sparked concerns about a near future where anyone can deploy automated methods to uncover exploitable weaknesses in software, akin to a form of digital superpower. Currently, however, AI appears to be serving a more commonplace, yet still troubling, function within hackers’ arsenals: assisting less-skilled hackers in enhancing their capabilities and executing widespread, effective malware campaigns. This includes a group of relatively untrained North Korean cybercriminals who have been found utilizing AI to manage nearly every aspect of an operation that compromised thousands of victims to steal their cryptocurrency.

On Wednesday, cybersecurity firm Expel disclosed what it describes as a state-sponsored North Korean cybercrime initiative that installed credential-stealing malware on over 2,000 computers, specifically aiming at the machines used by developers engaged in small cryptocurrency launches, NFT creation, and Web3 projects. By leveraging AI tools from US-based companies, including OpenAI, Cursor, and Anima, the hacker group known as HexagonalRodent has “vibe coded” nearly every element of its intrusion campaign, from crafting their malware to developing fraudulent websites for phishing operations. This AI-powered hacking allowed them to pilfer as much as $12 million in cryptocurrency from victims within just three months.

According to Marcus Hutchins, the security researcher who uncovered the HexagonalRodent group, the most remarkable aspect of this hacking operation is not its complexity, but rather how AI tools enabled a seemingly inept group to execute a lucrative theft spree on behalf of the North Korean regime.

“These operators lack the skills to write code or establish infrastructure. AI is actually empowering them to accomplish tasks they wouldn’t be capable of on their own,” says Hutchins, who gained recognition in the cybersecurity field after neutralizing the WannaCry ransomware worm devised by North Korean hackers.

Emoji-Filled, AI-Generated Code

The focus of HexagonalRodent’s hacking operation was to deceive crypto developers with phony job offers at tech companies, even going to the extent of creating complete websites for the fraudulent firms recruiting victims, often developed using AI web design tools. Ultimately, victims were instructed to download and finish a coding assignment as part of a test—which was infected with malware that infiltrated their machines and harvested credentials, including those that might grant access to the keys controlling their crypto wallets.

While these components of the hacking scheme were notably effective, the hackers also made mistakes by leaving various parts of their own infrastructure unsecured, which led to the exposure of the prompts they used to generate their malware with tools like OpenAI’s ChatGPT and Cursor. They also revealed a database tracking victim wallets, enabling Expel to approximate the total cryptocurrency stolen by the hackers. (Although the total value of those wallets amounted to $12 million, Hutchins notes that the company couldn’t verify whether the entire amount had been extracted from each target’s wallet or if some still required the keys to access them, especially since some may have been secured with hardware tokens.)

Hutchins further examined samples of the hackers’ malware and found additional evidence suggesting it was primarily—if not entirely—crafted with AI. The code was extensively annotated with comments—in English—uncharacteristic of the typical programming habits of North Koreans, despite some command-and-control servers linking them to known North Korean hacking operations. The malware’s code also featured an abundance of emojis, which Hutchins highlights can signal that the software was authored by a large language model, as programmers coding on a standard PC keyboard seldom take the time to include emojis. “It’s a well-documented indicator of AI-written code,” Hutchins remarks.
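The two traits Hutchins describes, dense English comments and emoji characters, are cheap to measure when triaging a suspicious sample such as a "coding assignment" received from a recruiter. The script below is an added illustration and is not Expel's or Hutchins's tooling; the thresholds, the comment-marker list and the sample inputs are constructed for the example. It is a triage signal only: plenty of legitimate projects use emojis in comments, and a sample with no emojis is not thereby trustworthy.

```python
"""Heuristic triage of a source file for traits the article associates with
LLM-written code: a high share of comment lines and emoji characters.

Added example, not code from the page or from Expel. Thresholds are
assumptions chosen for illustration; tune them against your own corpus.
"""
import re
from dataclasses import dataclass

# Approximate emoji coverage: Miscellaneous Symbols/Dingbats, Misc Symbols and
# Arrows, and the supplementary emoji blocks. Good enough for a triage count.
_EMOJI_RE = re.compile(
    "[\u2600-\u27BF\u2B00-\u2BFF\U0001F000-\U0001F2FF\U0001F300-\U0001FAFF]"
)


@dataclass
class CodeStyleReport:
    total_lines: int        # non-blank lines
    comment_lines: int      # lines that are entirely comment
    emoji_count: int        # emoji code points anywhere in the file
    comment_ratio: float    # comment_lines / total_lines
    emojis_per_100_lines: float
    flagged: bool           # emoji density crossed the threshold


def count_emoji(text: str) -> int:
    return len(_EMOJI_RE.findall(text))


def analyze_source(
    src: str,
    line_markers=("//", "#"),
    emoji_threshold: float = 2.0,   # assumed: >= 2 emojis per 100 lines flags
) -> CodeStyleReport:
    """Count comment-only lines (// , #, and /* ... */ blocks) and emojis.
    Block-comment detection is line-based and does not parse strings, so a
    '/*' inside a string literal would fool it; acceptable for triage."""
    lines = [l for l in src.splitlines() if l.strip()]
    comment_lines = 0
    in_block = False
    for line in lines:
        s = line.strip()
        if in_block:
            comment_lines += 1
            if "*/" in s:
                in_block = False
            continue
        if s.startswith("/*"):
            comment_lines += 1
            if "*/" not in s[2:]:
                in_block = True
            continue
        if any(s.startswith(m) for m in line_markers):
            comment_lines += 1

    total = len(lines)
    emojis = count_emoji(src)
    ratio = comment_lines / total if total else 0.0
    density = emojis / total * 100 if total else 0.0
    return CodeStyleReport(total, comment_lines, emojis, ratio, density,
                           density >= emoji_threshold)


# Constructed sample 1: heavily commented, emoji-laden JavaScript.
SAMPLE_EMOJI_STYLE = """\
// 🚀 Entry point for the assessment task
// ✨ Loads configuration and starts the worker
const fs = require("fs");
/* 📦 Helper: read the config file
   and parse it as JSON */
function loadConfig(path) {
  // 🔍 Read synchronously for simplicity
  return JSON.parse(fs.readFileSync(path, "utf8"));
}
// ✅ All done
module.exports = { loadConfig };
"""

# Constructed sample 2: the same logic with no comments at all.
SAMPLE_PLAIN = """\
const fs = require("fs");
function loadConfig(path) {
  return JSON.parse(fs.readFileSync(path, "utf8"));
}
module.exports = { loadConfig };
"""


def triage(samples: dict) -> dict:
    """Map sample name -> report; convenient for running over an unpacked archive."""
    return {name: analyze_source(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, rep in triage({"emoji_style.js": SAMPLE_EMOJI_STYLE,
                             "plain.js": SAMPLE_PLAIN}).items():
        print(f"{name}: {rep}")
```

Run it over every text file in an unpacked "assignment" before opening the project in an IDE; a high emoji density is a reason to detonate the sample in an isolated VM rather than a verdict on its own.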
