The cybersecurity world is often preoccupied with a “doomsday” scenario: an advanced, autonomous AI that can bypass any firewall like a digital superpower. However, a recent investigation reveals a much more immediate and practical threat. Rather than creating “super-hackers,” generative AI is acting as a force multiplier for mediocre, unskilled criminals, allowing them to execute highly profitable and large-scale operations.
A recent report by cybersecurity firm Expel has uncovered a North Korean state-sponsored group, dubbed “HexagonalRodent,” which used commercial AI tools to steal an estimated $12 million in cryptocurrency in just three months.
The “Vibe Coding” Campaign
The HexagonalRodent operation was not defined by technical brilliance, but by its clever use of readily available AI tools from companies like OpenAI, Cursor, and Anima. The group targeted a specific niche: developers working on small-scale Web3, NFT, and cryptocurrency projects.
The hackers utilized a sophisticated social engineering tactic:
1. Fake Recruitment: They used AI web design tools to build professional-looking websites for fraudulent tech companies.
2. Phishing via “Tests”: They lured victims with fake job offers, eventually asking them to complete a “coding assignment.”
3. Malware Injection: These assignments were infected with credential-stealing malware designed to hijack crypto wallets.
“These operators don’t have the skills to write code… AI is actually enabling them to do things that they otherwise just would not be able to do,” says Marcus Hutchins, the security researcher who discovered the group.
Digital Fingerprints: Emojis and English
Despite their success, the hackers left behind unmistakable clues that their work was AI-generated. Security researchers noted several “tells” in the malware:
– Emoji-Littered Code: The malware contained frequent use of emojis—a common quirk of Large Language Models (LLMs) that professional programmers rarely use in manual coding.
– Uncharacteristic Annotations: The code was heavily annotated with English comments, which is atypical for North Korean operators but standard for AI-generated outputs.
– Standard Patterns: While the malware followed predictable patterns that modern security tools should detect, the hackers successfully evaded notice by targeting individual developers who lacked enterprise-grade “endpoint detection and response” (EDR) software.
A Force Multiplier for a “Crime Syndicate”
This discovery highlights a critical shift in how North Korea conducts cyber warfare. The regime faces a structural challenge: it has a massive pool of low-skilled IT workers but a very limited number of elite hackers.
AI solves this problem by allowing the state to scale its operations without increasing its expertise. Instead of needing a full development team, a single mediocre operator can use AI to write exploits, build websites, and polish social engineering scripts. This has turned North Korean cyber operations into something resembling a state-sanctioned crime syndicate, using stolen funds to bypass international sanctions and fund national interests, including nuclear programs.
The Industry’s Blind Spot
The broader implications for the cybersecurity industry are significant. While much of the current debate focuses on the future risk of “autonomous hacking AI,” the real danger is happening right now through the misuse of existing, commercial tools.
Major AI providers are already fighting back. OpenAI and Anthropic have both reported detecting and banning North Korean accounts. Cursor and Anima are also working to block malicious actors from using their platforms.
However, as long as these tools remain accessible, they will continue to lower the barrier to entry for cybercrime. The threat is not a hypothetical “Skynet”; it is the ability of unskilled actors to move with unprecedented speed and scale.
Conclusion: AI is not necessarily creating more sophisticated hackers, but it is enabling mediocre ones to operate at a professional level, turning low-skill cybercrime into a high-yield, state-sponsored industry.
