North Korean hacker group "HexagonalRodent" uses AI to industrialize attacks on Web3 developers, stealing over $12 million in crypto assets in three months


Deep Tide TechFlow News: On April 24, cybersecurity firm Expel published a research report on an APT group it tracks as “HexagonalRodent” and assesses with high confidence to be North Korean (DPRK) state-sponsored. The group primarily targets Web3 developers and specializes in stealing high-value digital assets such as cryptocurrencies and NFTs. In the first three months of 2026 it stole access to 26,584 crypto wallets from 2,726 infected developer devices, holding assets worth up to $12 million in total.

The group's main intrusion vector is fake recruitment: it posts high-paying positions on LinkedIn and Web3 hiring platforms to lure job seekers into completing “skill tests” that contain embedded malicious code. The test projects abuse VSCode’s tasks.json feature so that the malicious program runs automatically as soon as the victim opens the project folder. The malware families involved include BeaverTail, OtterCookie, and InvisibleFerret, which provide capabilities such as password theft, remote control, and reverse shells.
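A defender-side check for the auto-run pattern described above, added here as an example and not code from the Expel report: it parses a repository's .vscode/tasks.json (which may contain comments) and lists any task configured to run on folder open, so a developer can review a cloned "skill test" project before opening it. The sample tasks.json is constructed and its command is a placeholder.

```python
import json
import re

# Constructed sample of a .vscode/tasks.json that auto-runs a command when
# the folder is opened, the pattern the report describes. The command is a
# placeholder, not a real payload.
SAMPLE_TASKS_JSON = r'''{
  // VS Code tasks.json permits comments, so plain json.loads() may fail
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build"
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "node ./scripts/setup.js",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}'''


def load_jsonc(text: str) -> dict:
    """Parse tasks.json, tolerating whole-line // comments and trailing commas."""
    no_comments = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    no_trailing = re.sub(r",(\s*[}\]])", r"\1", no_comments)
    return json.loads(no_trailing)


def find_auto_run_tasks(text: str) -> list[dict]:
    """Return tasks that VS Code will run on folder open.

    Review these before trusting a cloned "skill test" repository: they
    execute without the user explicitly starting a build or run task.
    """
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({
                "label": task.get("label"),
                "type": task.get("type"),
                "command": task.get("command"),
            })
    return findings
```

Run it against any repository's `.vscode/tasks.json` before opening the folder in VS Code; an empty result means no task is wired to folder open.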

Of particular note, the group makes heavy use of generative AI tools such as ChatGPT and Cursor to develop malware, build fake company websites, and fabricate AI-generated executive team profiles; it has even registered shell companies in Mexico to make its lures more credible. The group also recently carried out its first supply chain attack, compromising the VSCode extension “fast-draft” to distribute malware.
