North Korea-linked hackers are using AI-assisted malware and backdoored coding challenges to quietly loot millions in cryptocurrency from Web3 developers.

Expel assesses with high confidence that HexagonalRodent is a DPRK state-sponsored subgroup that likely evolved from fraudulent IT worker operations before pivoting fully to malware-driven theft.

In just three months, the group exfiltrated data from 26,584 cryptocurrency wallets on 2,726 infected developer systems, exposing up to 12 million USD in assets, though hardware security tokens appear to have limited the losses.

While financially motivated, the operators share tooling, tradecraft, and infrastructure patterns with other Lazarus-aligned APTs such as Famous Chollima.

The activity cluster, tracked as Expel‑TA‑0001 and nicknamed HexagonalRodent, appears to be a sub‑group of the larger Lazarus ecosystem, with a sharp focus on stealing digital assets rather than classic espionage.

The group leans heavily on three malware families: BeaverTail and OtterCookie, both NodeJS-based multipurpose toolkits with password stealing, file access, and reverse shell capabilities, and InvisibleFerret, a Python-based reverse shell.

HexagonalRodent’s primary access vector is social engineering Web3 developers with fake high‑paying job offers on platforms like LinkedIn and niche crypto job boards.

Once a target engages, the “recruiter” sends a take‑home coding assessment hosted on Git platforms or as a project archive, which looks like a normal skills test but ships with hidden backdoors.

One key technique abuses VS Code’s tasks.json configuration file, preloading a malicious task with runOn: “folderOpen” so that the malware executes automatically as soon as the victim opens the project folder in VS Code.

For developers using other editors or safe mode, additional backdoors are embedded directly into the challenge code, triggering when the project is built or executed.

Once active, the malware reaches out to a NodeJS-based command‑and‑control (C2) infrastructure, enabling credential theft, wallet harvesting and full remote control.

Unlike more surgical DPRK units such as Stardust Chollima or Pressure Chollima, which penetrate large exchanges and fintechs, HexagonalRodent focuses on high‑volume compromise of individual developers and small Web3 projects.

Expel found no evidence of lateral movement inside corporate networks; instead, operators concentrate on stealing browser-saved passwords, seed phrases and wallet data directly from developer endpoints.

In March 2026, the group crossed into supply chain territory by compromising the “fast‑draft” extension in the Open VSX ecosystem and using it to distribute OtterCookie malware.

Telemetry tied the extension’s C2 server, 195.201.104[.]53, to OtterCookie infrastructure already attributed to HexagonalRodent, and Expel confirmed that an account matching the extension author was infected days before the malicious update went live.

Expel’s investigation shows HexagonalRodent is deeply invested in generative AI throughout its operations, from writing malware loaders to polishing phishing lures and building fake company websites.

Expel notes: “The fake C-suites would be listed on the company’s LinkedIn page, and often its website too.”

Telemetry linked the group to the use of ChatGPT and Cursor, with both vendors confirming they blocked identified accounts after notifications and found mainly “dual‑use” security and development queries rather than large‑scale automated malware generation.

A 2025 Anthropic report also documented DPRK-linked attempts to register Claude accounts, allegedly to refine BeaverTail, OtterCookie, and InvisibleFerret, although those accounts were banned before any prompts were submitted.

By reversing multiple ReactJS-based C2 and management panels, Expel reconstructed HexagonalRodent’s internal structure and workflow.

As Expel’s report puts it: “The next panel we found was a browser-based remote control utility. It provided the threat actor with VNC-like capabilities (the ability to view the victim’s screen, as well as control their keyboard, mouse, and clipboard).”

Expel additionally observed the actors prompting commercial AI models to “audit” their own backdoored coding assessments, likely to make them less detectable to other developers using AI-assisted code review.

The panels include real-time infostealer views, remote desktop-like control, browser-based file explorers, and a “workflow” dashboard that tracks crypto wallets and balances per operator and team.

Hardcoded fields such as t (team ID) and userKey (member identifier) in OtterCookie samples line up with panel logic that groups wallets by team and system hostname, indicating at least six active teams and 31 distinct campaign IDs.

Interestingly, one panel appears to function less as C2 and more as a workforce tracker, ranking teams like “6team”, “7team” and “101team” by wallet haul and showing “admin” views across all operators, echoing reporting on DPRK’s broader use of performance dashboards for fraudulent IT workers.

Between January 1 and March 31, 2026, these teams ingested wallet public keys worth up to 12 million USD, with confirmed flows from at least 13 victim wallets into a known DPRK-controlled Ethereum address that has received over 1.1 million USD since 2023.

For now, HexagonalRodent’s AI-assisted Lazarus tradecraft shows that relatively unsophisticated, noisy malware, if industrialized, automated and paired with convincing social engineering, can still inflict major financial damage on the Web3 ecosystem.


Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.
