Thursday, April 23, 2026

AI tools help average North Korean hackers steal millions


The advent of AI-powered hacking tools has raised fears of a near future in which anyone can use automated tools to find exploitable vulnerabilities in any software, gaining something of a digital hacking superpower. Today, however, AI appears to be playing a more mundane, if still troubling, role in hackers’ toolkits: helping average hackers level up and launch broad, effective malware campaigns. That includes one group of relatively unskilled North Korean cybercriminals who were discovered using artificial intelligence to carry out virtually every part of an operation that compromised thousands of victims to steal their cryptocurrency.

Cybersecurity firm Expel on Wednesday revealed what it describes as a state-sponsored North Korean cybercrime operation that has installed credential-stealing malware on more than 2,000 computers, specifically targeting the machines of developers working on small cryptocurrency launches, NFT creation, and Web3 projects. Using artificial intelligence tools from U.S.-based companies including OpenAI, Cursor and Anima, the hacker group – which Expel calls HexagonalRodent – “vibe-codes” almost every part of its intrusion campaign, from writing malware to creating phony company websites used in phishing schemes. AI-assisted hacking allowed the group to steal cryptocurrency worth as much as $12 million from victims over three months.

What’s most striking about the HexagonalRodent hacking campaign isn’t its sophistication, says Marcus Hutchins, the security researcher who discovered the group, but rather how artificial intelligence tools enabled a seemingly unsophisticated group to go on a profitable theft spree in the service of the North Korean state.

“These operators don’t have the skills to write code. They don’t have the skills to configure the infrastructure. The artificial intelligence actually enables them to do things that they simply wouldn’t be able to do otherwise,” says Hutchins, who became well-known in the cybersecurity community after disabling the WannaCry ransomware worm created by North Korean hackers.

Code written by artificial intelligence full of emoticons

The HexagonalRodent hacking operation focused on defrauding cryptocurrency developers with phony job offers at tech companies, even going so far as to build full websites for the phony companies recruiting victims, often created using AI-powered website design tools. Ultimately, the victim was told they would have to download and complete a coding task as part of the hiring test; the hackers had laced that task with malware that infiltrated the victim’s computer and stole credentials, including some that could have provided access to the keys controlling their crypto wallets.

These elements of the hacking operation appear to have been well-honed and effective, but the hackers were also clumsy enough to leave parts of their own infrastructure unsecured, exposing the prompts they used to write malware with tools including OpenAI’s ChatGPT and Cursor. They also left exposed a database in which they tracked victims’ wallets, which allowed Expel to estimate the total amount of cryptocurrency the hackers may have stolen. (Although the total contents of these wallets amounted to $12 million, Hutchins says the company was unable to confirm for each target whether the entire sum had already been drained from the wallets or whether, in some cases, the hackers still needed to obtain the keys to the victims’ wallets, given that some may have been protected by hardware security tokens.)

Hutchins also analyzed samples of the hackers’ malware and found other clues that it was largely – or perhaps entirely – created using artificial intelligence. It was thoroughly annotated – in English – which bore no resemblance to the North Koreans’ typical coding habits, even though some of the malware’s command-and-control servers linked them to known North Korean hacking operations. The malware’s code was also littered with emojis, which Hutchins notes can, in some cases, serve as an indication that the software was written using a large language model, given that programmers typing on a computer keyboard rather than on a phone rarely take the time to insert emojis. “It’s a pretty well-documented sign of code written by artificial intelligence,” Hutchins says.
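One way to turn the two indicators Hutchins describes (emoji characters and dense English comments in recovered source) into a repeatable triage check over a sample set. This is an added example, not Expel’s or Hutchins’ tooling; the two sample files and the flagging thresholds are constructed assumptions for illustration.

```python
"""Static triage heuristic: emoji density and comment density in a source file."""
import re
from dataclasses import dataclass

# Unicode blocks where emoji and pictographs live.
EMOJI_RANGES = (
    (0x1F300, 0x1FAFF),  # Misc Symbols & Pictographs through Symbols & Pictographs Ext-A
    (0x2600, 0x27BF),    # Misc Symbols, Dingbats
    (0x1F000, 0x1F2FF),  # Mahjong, Domino, Playing Cards, enclosed ideographic supplement
)
# Line-leading comment markers for the common scripting languages (#, //, /* ... */).
COMMENT_RE = re.compile(r"^\s*(#|//|/\*|\*)")

@dataclass
class TriageResult:
    lines: int
    comment_lines: int
    emoji_count: int
    emoji_lines: int
    flagged: bool

def is_emoji(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in EMOJI_RANGES)

def triage_source(text: str, min_emoji_lines: int = 3, min_comment_ratio: float = 0.25) -> TriageResult:
    """Flag a file when it has at least `min_emoji_lines` emoji-bearing lines AND at
    least `min_comment_ratio` of its lines are comments (thresholds are assumptions)."""
    lines = text.splitlines()
    comment_lines = sum(1 for ln in lines if COMMENT_RE.match(ln))
    emoji_count = emoji_lines = 0
    for ln in lines:
        n = sum(1 for ch in ln if is_emoji(ch))
        emoji_count += n
        emoji_lines += 1 if n else 0
    ratio = comment_lines / len(lines) if lines else 0.0
    flagged = emoji_lines >= min_emoji_lines and ratio >= min_comment_ratio
    return TriageResult(len(lines), comment_lines, emoji_count, emoji_lines, flagged)

# Constructed samples: one written in the style the article describes, one plain.
SAMPLE_SUSPECT = """\
// 🚀 Build helper written in the style the article describes (constructed sample)
const fs = require('fs');
// 🔑 Read the configuration file
const cfg = fs.readFileSync('config.json', 'utf8');
// ✅ Parse it and report how many keys were found
console.log(Object.keys(JSON.parse(cfg)).length);
"""
SAMPLE_PLAIN = """\
const fs = require('fs');
const cfg = fs.readFileSync('config.json', 'utf8');
console.log(Object.keys(JSON.parse(cfg)).length);
"""
```

The heuristic is a triage aid, not proof of origin: human-written projects with emoji-heavy comment conventions will also trip it, so treat a hit as a reason to look closer at the sample.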
