
AI Tools Empower North Korean Hackers to Steal Millions

The emergence of AI hacking tools has sparked concerns about a future where individuals can easily utilize automated tools to uncover exploitable vulnerabilities in various software, effectively granting them a form of digital superpower. In the current landscape, however, AI is playing a more commonplace, albeit troubling, role in the arsenal of hackers. It is empowering less skilled actors to enhance their capabilities and conduct extensive, efficient malware campaigns. A notable example involves a group of relatively inexperienced North Korean cybercriminals who have been found using AI to execute nearly every aspect of an operation that compromised thousands of individuals to steal their cryptocurrency.

On Wednesday, cybersecurity company Expel uncovered what it describes as a state-sponsored cybercrime effort from North Korea, which installed credential-stealing malware on more than 2,000 computers. The operation specifically targeted developers engaged in cryptocurrency startups, NFT development, and Web3 projects. Utilizing AI tools from US-based companies, such as OpenAI, Cursor, and Anima, this hacker group—referred to by Expel as HexagonalRodent—“vibe coded” nearly every facet of its intrusion campaign, from composing their malware to crafting counterfeit websites used in phishing operations. This AI-driven hacking approach enabled the group to pilfer as much as $12 million in cryptocurrency from victims over a three-month period.

What stands out about the HexagonalRodent operation isn’t its technical proficiency, according to Marcus Hutchins, the security researcher who identified the group, but rather how AI tools have empowered a seemingly unskilled group to execute a lucrative theft operation that serves the North Korean regime.

“These operators lack the skills to code or set up infrastructure. AI is enabling them to achieve tasks they otherwise wouldn’t be able to handle,” states Hutchins, who gained notoriety in the cybersecurity field after neutralizing the WannaCry ransomware worm created by North Korean hackers.

Emoji-Infused, AI-Generated Code

HexagonalRodent’s hacking scheme specifically aimed to deceive cryptocurrency developers through fraudulent job offers at tech companies. They even went so far as to design entire websites for these fake firms, often employing AI web design tools. Eventually, victims were instructed to download and complete a coding assignment as a part of the hiring process—an assignment that had been infected with malware designed to compromise their machines and steal sensitive credentials, including those that could provide access to their cryptocurrency wallet keys.

While these elements of the hacking campaign showed considerable effectiveness, the hackers also demonstrated a level of negligence by leaving portions of their own infrastructure unsecured. This resulted in the exposure of the prompts they used to generate their malware via tools like OpenAI’s ChatGPT and Cursor. They also accidentally leaked a database that tracked victim wallets, enabling Expel to estimate the total cryptocurrency stolen. Although the contents of those wallets totaled approximately $12 million, Hutchins notes that the company could not definitively ascertain whether the hackers had fully drained each target’s wallet or were still in the process of obtaining access keys, particularly in cases where hardware security tokens protected some wallets.

Hutchins also examined samples of the hackers’ malware and uncovered additional indications that it was largely or perhaps entirely created using AI. The code included extensive commentary in English—a coding style atypical among North Koreans, even as some command-and-control servers linked the malware to known North Korean operations. Additionally, the code was embellished with emojis, which Hutchins emphasizes can sometimes indicate that software was produced by a large language model, as programmers typically do not take the time to insert emojis when typing on a standard PC keyboard. “This is a well-documented sign of AI-written code,” Hutchins concludes.
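The two indicators Hutchins describes, unusually dense comments and emoji characters in the source, can be turned into a triage check that a reviewer runs over an unfamiliar code base, for example a take-home coding assignment, before executing anything from it. The scanner below is an added example and is not code from the article, from Expel, or from the malware samples; the two source snippets it scans are constructed for illustration, and the comment-line pattern and the scoring thresholds are assumptions chosen for this demonstration.

```python
"""Heuristic scan for signs of LLM-generated source code.

Added example (not from the article or Expel): scores a source file on
comment density and on the presence of emoji characters, the two traits
the article names as hints that code was produced by a language model.
Both are triage signals, not proof: human authors also write dense
comments and occasionally paste emoji.
"""
import re
from dataclasses import dataclass
from typing import List

# Unicode blocks that hold the common pictographs, emoticons, symbols and
# flags. Accented letters and CJK text fall outside these ranges, so
# ordinary non-ASCII source does not trigger the check.
EMOJI_RANGES = (
    (0x1F300, 0x1FAFF),  # pictographs, emoticons, transport, supplemental symbols
    (0x2600, 0x27BF),    # misc symbols and dingbats (check marks, warning signs)
    (0x1F1E6, 0x1F1FF),  # regional indicator letters (flags)
    (0x2B00, 0x2BFF),    # arrows and geometric shapes often used as bullets
)

# Assumption: the code uses Python- or C-family comment markers.
COMMENT_RE = re.compile(r"^\s*(#|//|/\*|\*)")


def is_emoji(ch: str) -> bool:
    """Return True if the character falls inside one of EMOJI_RANGES."""
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in EMOJI_RANGES)


@dataclass
class ScanResult:
    total_lines: int        # non-blank lines
    comment_lines: int      # non-blank lines that are comments
    emoji_count: int        # emoji characters found anywhere in the file
    emoji_lines: List[int]  # 1-based line numbers containing emoji

    @property
    def comment_ratio(self) -> float:
        return self.comment_lines / self.total_lines if self.total_lines else 0.0


def scan_source(text: str) -> ScanResult:
    """Count comment lines and emoji characters in one source file."""
    lines = text.splitlines()
    non_blank = [line for line in lines if line.strip()]
    comment_lines = sum(1 for line in non_blank if COMMENT_RE.match(line))
    emoji_count = 0
    emoji_lines: List[int] = []
    for number, line in enumerate(lines, start=1):
        found = sum(1 for ch in line if is_emoji(ch))
        if found:
            emoji_count += found
            emoji_lines.append(number)
    return ScanResult(len(non_blank), comment_lines, emoji_count, emoji_lines)


def flag_suspicious(result: ScanResult,
                    comment_threshold: float = 0.4,
                    emoji_threshold: int = 1) -> List[str]:
    """Return human-readable reasons the file merits a closer look.

    Thresholds are assumptions for this example; tune them against code
    your own team writes so that normal files score zero reasons.
    """
    reasons = []
    if result.emoji_count >= emoji_threshold:
        reasons.append(f"{result.emoji_count} emoji on lines {result.emoji_lines}")
    if result.comment_ratio >= comment_threshold:
        reasons.append(f"comment ratio {result.comment_ratio:.2f} "
                       f"({result.comment_lines}/{result.total_lines} lines)")
    return reasons


# Constructed samples (not recovered malware): a snippet in the style the
# article describes, and a terse snippet with no comments or emoji.
AI_STYLE_SAMPLE = """\
# 🚀 Step 1: load the configuration file
# ✅ Step 2: validate that every required key is present
def load_config(path):
    # Open the file and parse it as JSON
    with open(path) as fh:
        return json.load(fh)  # 🎉 done!
"""

HUMAN_STYLE_SAMPLE = """\
import json

def load_config(path):
    with open(path) as fh:
        return json.load(fh)
"""

if __name__ == "__main__":
    for name, sample in (("ai_style", AI_STYLE_SAMPLE), ("human_style", HUMAN_STYLE_SAMPLE)):
        reasons = flag_suspicious(scan_source(sample))
        verdict = "; ".join(reasons) if reasons else "no indicators"
        print(f"{name}: {verdict}")
```

Run on a directory, the same `scan_source` call can be applied to every file and the results sorted by number of reasons, which surfaces the files worth reading by hand first. The check only narrows attention; a file with zero indicators still has to be reviewed before it is executed, and a file with both indicators may simply have a thorough author.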

In conclusion, the infiltration by HexagonalRodent illustrates the evolving landscape of cybercrime, where even less skilled individuals can leverage advanced AI tools to execute substantial thefts. As the capabilities of these technologies continue to grow, the threat they pose to individuals and organizations becomes increasingly significant.
