The AI Multiplier: How North Korea’s “HexagonalRodent” Turned ChatGPT into a $12M Crypto Heist
Inexperienced North Korean cyber operatives have successfully exfiltrated millions of dollars in cryptocurrency over a span of several months. This feat was achieved not through the deployment of novel malware or the exploitation of sophisticated vulnerabilities, but rather by leveraging commonplace artificial intelligence tools.
Specialists from Expel have detailed the activities of HexagonalRodent, a collective with ties to the DPRK authorities. The group infected over 2,000 workstations, primarily targeting developers immersed in cryptocurrency, NFTs, and Web3 initiatives. Within a mere three-month window, these incursions yielded approximately $12 million in digital assets.
The operatives orchestrated nearly the entirety of their campaign using off-the-shelf artificial intelligence services from American enterprises, including OpenAI, Cursor, and Anima. Through these instruments, the hackers authored malicious code, fabricated deceptive websites, and architected intricate phishing stratagems.
Developers were targeted with fraudulent employment solicitations issued on behalf of fictitious entities. To bolster the illusion of legitimacy, the group constructed comprehensive websites detailing various vacancies. Subsequently, victims were invited to complete a technical assessment that required downloading a source code file. Concealed within this file was a malicious payload designed to harvest credentials and, in certain instances, secure access to private cryptocurrency wallet keys.
Despite their financial success, the hackers exhibited a lack of operational discipline. They inadvertently left segments of their infrastructure exposed and even revealed the specific prompts used to generate code within ChatGPT and other platforms. Investigators also unearthed a database containing the victims’ wallet addresses, facilitating an accurate estimation of the total theft.
Forensic analysis of the malicious code revealed quintessential hallmarks of AI generation, characterized by an abundance of English-language comments and even emojis—features starkly uncharacteristic of traditional professional development. Furthermore, the code adhered to predictable malware templates detectable by standard security measures. However, the attacks targeted individual developers who often lack such defensive systems.
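The two hallmarks Expel describes (dense English comments and emojis in the source) can be turned into a simple triage check for a take-home assessment file before anyone runs it. The script below is an added example, not Expel's tooling or code from the campaign; its thresholds and the sample JavaScript file are constructed assumptions for illustration.

```python
"""Triage heuristic for a downloaded "technical assessment" source file.

Added example, not code from Expel or the article. It measures the two
AI-generation hallmarks described in the report (comment density and emojis
in comments) so a reviewer can decide whether a take-home task deserves a
closer look before executing it. Sample input below is constructed.
"""
import re

# Unicode ranges covering the emoji most often seen in generated code.
EMOJI_RE = re.compile("[\U0001F300-\U0001FAFF\u2600-\u27BF\u2B00-\u2BFF]")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT = {"python": "#", "javascript": "//"}


def extract_comments(source: str, language: str) -> list[str]:
    """Return comment text from a Python or JavaScript source file.

    Rough by design: a '//' inside a string literal or URL is also caught.
    """
    comments = []
    if language == "javascript":
        # Collect block comments first, then strip them so '//' scanning stays simple.
        comments.extend(b[2:-2] for b in BLOCK_COMMENT_RE.findall(source))
        source = BLOCK_COMMENT_RE.sub("", source)
    marker = LINE_COMMENT[language]
    for line in source.splitlines():
        idx = line.find(marker)
        if idx != -1:
            comments.append(line[idx + len(marker):])
    return comments


def triage_source(source: str, language: str) -> dict:
    """Score a file and return the metrics plus a boolean 'review' flag."""
    comments = extract_comments(source, language)
    code_lines = [ln for ln in source.splitlines() if ln.strip()]
    emoji_count = sum(len(EMOJI_RE.findall(c)) for c in comments)
    ratio = len(comments) / max(len(code_lines), 1)
    return {
        "comment_lines": len(comments),
        "code_lines": len(code_lines),
        "comment_ratio": round(ratio, 2),
        "emoji_in_comments": emoji_count,
        # Thresholds are assumptions for illustration, not Expel's criteria.
        "review": emoji_count > 0 or ratio > 0.5,
    }


# Constructed sample: what an AI-authored "assessment" snippet might look like.
SAMPLE_JS = """// 🚀 Fetch the candidate's config
const fs = require('fs');
/* Load settings 📁 */
const cfg = JSON.parse(fs.readFileSync('config.json'));
console.log(cfg);
"""
```

A flagged file is a reason to inspect it in an isolated environment, not proof of malice; plenty of legitimate generated code carries the same traits.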
Experts suggest that the pivotal element of this campaign is not the complexity of the assault, but the fact that artificial intelligence empowered unrefined individuals to execute tasks formerly requiring significant expertise. North Korea has long utilized a network of IT professionals operating under pseudonyms to conduct cyber operations; now, these campaigns can enlist a broader workforce devoid of rigorous technical training.
Expel estimates that the campaign involved 31 individuals. Previously, an offensive of this magnitude would have necessitated a full-scale development team; today, mere access to generative AI tools suffices. The activity of HexagonalRodent is but a single facet of North Korea’s broader cyber landscape, which encompasses systematic cryptocurrency theft, ransomware deployment, and espionage to bypass international sanctions and fund state projects. Artificial intelligence has become an indispensable utility for such groups, aiding in the fabrication of documents, the refinement of social engineering narratives, and the construction of offensive infrastructure. In response, OpenAI and Anima have affirmed that they are actively terminating malicious accounts and refining restrictions to thwart such exploitation.