{"id":405488,"date":"2026-04-22T17:47:19","date_gmt":"2026-04-22T17:47:19","guid":{"rendered":"https:\/\/www.newsbeep.com\/il\/405488\/"},"modified":"2026-04-22T17:47:19","modified_gmt":"2026-04-22T17:47:19","slug":"ai-tools-are-helping-mediocre-north-korean-hackers-steal-millions","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/il\/405488\/","title":{"rendered":"AI Tools Are Helping Mediocre North Korean Hackers Steal Millions"},"content":{"rendered":"<p>The advent of AI hacking tools has <a href=\"https:\/\/www.wired.com\/story\/anthropics-mythos-will-force-a-cybersecurity-reckoning-just-not-the-one-you-think\/\" class=\"text link\" rel=\"nofollow noopener\" target=\"_blank\">raised fears of a near future<\/a> in which anyone can use automated tools to dig up exploitable vulnerabilities in <a href=\"https:\/\/www.wired.com\/story\/mozilla-used-anthropics-mythos-to-find-271-bugs-in-firefox\/\" class=\"text link\" rel=\"nofollow noopener\" target=\"_blank\">any piece of software<\/a>, like a kind of digital intrusion superpower. Here in the present, however, AI seems to be playing a more mundane, if still concerning, role in hackers\u2019 toolkit: It\u2019s helping mediocre hackers level up and carry out broad, effective malware campaigns. 
That includes one group of relatively unskilled North Korean cybercriminals who\u2019ve been discovered using AI to carry out virtually every part of an operation that hacked thousands of victims to steal their cryptocurrency.<\/p>\n<p class=\"paywall\">On Wednesday, cybersecurity firm Expel <a data-offer-url=\"https:\/\/expel.com\/blog\/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers\" class=\"external-link text link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/expel.com\/blog\/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers&quot;}\" href=\"https:\/\/expel.com\/blog\/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers\" rel=\"nofollow noopener\" target=\"_blank\">revealed<\/a> what it describes as a North Korean state-sponsored cybercrime operation that installed credential-stealing malware on more than 2,000 computers, specifically targeting the machines of developers working on small cryptocurrency launches, NFT creation, and Web3 projects. By using the AI tools of US-based companies, including those of OpenAI, Cursor, and Anima, the hacker group\u2014which Expel calls HexagonalRodent\u2014\u201c<a href=\"https:\/\/www.wired.com\/story\/why-did-a-10-billion-dollar-startup-let-me-vibe-code-for-them-and-why-did-i-love-it\/\" class=\"text link\" rel=\"nofollow noopener\" target=\"_blank\">vibe coded<\/a>\u201d almost every part of its intrusion campaign, from writing its malware to building the fake websites of companies used in its phishing schemes. 
That AI-enabled hacking allowed the group to steal as much as $12 million in cryptocurrency from victims in three months.<\/p>\n<p class=\"paywall\">What\u2019s most striking about the HexagonalRodent hacking campaign isn\u2019t its sophistication, says Marcus Hutchins, the security researcher who discovered the group, but rather how AI tools allowed an apparently unsophisticated group to carry out a profitable theft spree in the service of the North Korean state.<\/p>\n<p class=\"paywall\">\u201cThese operators don&#8217;t have the skills to write code. They don&#8217;t have the skills to set up infrastructure. AI is actually enabling them to do things that they otherwise just would not be able to do,\u201d says Hutchins, who became well-known in the cybersecurity community after <a href=\"https:\/\/www.wired.com\/story\/confessions-marcus-hutchins-hacker-who-saved-the-internet\/\" class=\"text link\" rel=\"nofollow noopener\" target=\"_blank\">disabling the WannaCry ransomware worm<\/a> created by North Korean hackers.<\/p>\n<p>Emoji-Littered, AI-Written Code<\/p>\n<p class=\"paywall\">HexagonalRodent\u2019s hacking operation focused on tricking crypto developers with <a href=\"https:\/\/www.wired.com\/story\/north-korean-it-worker-scams-exposed\/\" class=\"text link\" rel=\"nofollow noopener\" target=\"_blank\">fraudulent job offers<\/a> at tech firms, going so far as to create full websites for the fake companies recruiting the victims, often created with AI web design tools. 
Eventually, the victim was told they\u2019d have to download and complete a coding assignment as a test\u2014which the hackers had infected with malware that infiltrated their machine and stole credentials, including those that in some cases could grant access to the keys that controlled their crypto wallets.<\/p>\n<p class=\"paywall\">Those parts of the hacking operation appear to have been well-honed and effective, but the hackers were also clumsy enough to leave parts of their own infrastructure unsecured, leaking the prompts they used to write their malware with tools that included OpenAI\u2019s ChatGPT and Cursor. They also exposed a database where they tracked victim wallets, which allowed Expel to estimate the total amount of cryptocurrency the hackers may have stolen. (While those wallets added up to $12 million in total contents, Hutchins says the company couldn\u2019t confirm for each target whether the entire sum had already been drained from the wallets or if the hackers still needed to obtain keys to the victim wallets in some cases, given some may have been protected with hardware security tokens.)<\/p>\n<p class=\"paywall\">Hutchins also analyzed samples of the hackers\u2019 malware and found other clues that it was largely\u2014perhaps entirely\u2014created with AI. It was thoroughly annotated with comments throughout\u2014in English\u2014hardly the typical coding habits of North Koreans, despite the fact that some command-and-control servers for the malware tied them to known North Korean hacking operations. The malware\u2019s code was also littered with emojis, which Hutchins points out can, in some cases, serve as a clue that software was written by a large language model, given that programmers writing on a PC keyboard rather than a phone rarely take the time to insert emojis. 
\u201cIt&#8217;s a pretty well-documented sign of AI-written code,\u201d Hutchins says.<\/p>\n","protected":false},"excerpt":{"rendered":"The advent of AI hacking tools has raised fears of a near future in which anyone can use&hellip;\n","protected":false},"author":2,"featured_media":405489,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[345,343,344,737,4287,11414,16756,85,46,21416,16010,22008,140,125],"class_list":{"0":"post-405488","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-ai","9":"tag-artificial-intelligence","10":"tag-artificialintelligence","11":"tag-crime","12":"tag-cybersecurity","13":"tag-hacking","14":"tag-hacks","15":"tag-il","16":"tag-israel","17":"tag-malware","18":"tag-north-korea","19":"tag-scams","20":"tag-security","21":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/posts\/405488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/comments?post=405488"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/posts\/405488\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/media\/405489"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/media?parent=405488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/categories?post=405488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/
wp\/v2\/tags?post=405488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}