A North Korean state-sponsored operation, HexagonalRodent, used AI tools to automate nearly every step of its intrusion campaign against crypto developers, stealing as much as $12 million in just three months.

Experts warn that defenders should prioritize countering current AI-enabled hacking, focusing on speed, scale, and real-world impact rather than speculative future vulnerabilities.

AI-powered tooling enabled an allegedly unsophisticated group to write malware, build infrastructure, and conduct phishing at scale, aided by platforms like OpenAI, Cursor, and Anima.

Major AI providers have observed North Korean misuse of their tools, with some accounts banned or uses blocked, while others pursue measures to curb abuse.

Code samples show heavy AI authorship with emoji-laden comments and malware patterns aligned with known North Korean campaigns.

Some infrastructure and prompts, including a wallet-tracking database, were exposed, allowing estimation of total theft and leaving questions about whether all funds were drained.

North Korea has established or is developing AI-focused hacking tools through centers such as Research Center 227 and relies on off-the-shelf AI tools for daily operations, including AI-assisted resumes, recruitment, and exploit development.

The attackers created fake company websites, used AI-generated resumes and phishing, and embedded malware in coding test assignments to exfiltrate credentials and crypto keys.

HexagonalRodent reportedly involved up to 31 hackers, with operations expanding as AI increased speed and access to tools, lowering traditional skill barriers.

North Korea’s cyber operations are broad and state-funded, resembling a sanctioned crime syndicate that supports nuclear ambitions and sanctions evasion.