North Korean hacking group “HexagonalRodent” leverages AI to industrialize attacks against Web3 developers, stealing over $12 million in crypto assets in three months
According to a research report released by cybersecurity firm Expel, the company is tracking an advanced persistent threat (APT) group dubbed “HexagonalRodent,” which is highly assessed to be a North Korean (DPRK) state-sponsored actor. This group primarily targets Web3 developers and specializes in stealing high-value digital assets—including cryptocurrencies and NFTs. In the first quarter of 2026 alone, the group compromised 2,726 developer devices and stole access credentials for 26,584 cryptocurrency wallets, with the total value of stolen assets reaching as high as $12 million.
The group primarily carries out its attacks via fake job postings—publishing lucrative positions on LinkedIn and Web3 recruitment platforms to lure job seekers into completing “skills assessments” embedded with malicious code. These assessments exploit VSCode’s tasks.json functionality to automatically execute malware when victims open the project folder. The malware used includes BeaverTail, OtterCookie, and InvisibleFerret, all of which possess capabilities such as password theft, remote control, and reverse shell execution.
Notably, the group extensively leverages generative AI tools—including ChatGPT and Cursor—to develop malware, build counterfeit corporate websites, and generate AI-forged executive teams. It even registered a shell company in Mexico to enhance the credibility of its operations. Additionally, the group recently carried out its first-ever supply-chain attack, successfully infiltrating a VSCode extension.