惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Register - Security
The Register - Security
云风的 BLOG
云风的 BLOG
U
Unit 42
F
Fortinet All Blogs
The GitHub Blog
The GitHub Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
D
Docker
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Secure Thoughts
Hacker News: Ask HN
Hacker News: Ask HN
Vercel News
Vercel News
S
Security @ Cisco Blogs
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
I
Intezer
MongoDB | Blog
MongoDB | Blog
AI
AI
MyScale Blog
MyScale Blog
Engineering at Meta
Engineering at Meta
Y
Y Combinator Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Proofpoint News Feed
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
W
WeLiveSecurity
博客园 - 叶小钗
S
SegmentFault 最新的问题
N
News | PayPal Newsroom
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
DataBreaches.Net
小众软件
小众软件
Microsoft Azure Blog
Microsoft Azure Blog
Spread Privacy
Spread Privacy
H
Help Net Security
美团技术团队
博客园 - 司徒正美
T
Threat Research - Cisco Blogs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
K
Kaspersky official blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Vulnerabilities – Threatpost
TaoSecurity Blog
TaoSecurity Blog
N
Netflix TechBlog - Medium
L
Lohrmann on Cybersecurity
J
Java Code Geeks
量子位
Martin Fowler
Martin Fowler
博客园_首页

WIRED

‘Avatar: Aang, The Last Airbender’ Leaked Online. Some Fans Say Paramount Deserves the Fallout NASA Wants to Put Nuclear Reactors on the Moon AI Could Democratize One of Tech's Most Valuable Resources Microsoft Surface PCs Are Getting Big Price Hikes, and the Cheaper Models Are Going Away Why Amazon Is Buying Globalstar—and What It Means for Your iPhone The US Government Will Ask Data Centers How Much Power They Use MAGA Is Starting to Look Beyond Trump Allbirds Is Pivoting to AI Compute. Sure, Why Not Best Smart Smoke Detector (and Why You Still Need a Dumb One) 12 Best Standing Desks of 2026, Tested and Reviewed Best Wi-Fi Routers of 2026 for Working, Gaming, and Streaming Best GoPro Camera (2026): Compact, Budget, Accessories The Caves That Could Help Us Find, or Become, Aliens AI Slop Is Making the Internet Fake-Happy The Deepfake Nudes Crisis in Schools Is Much Worse Than You Thought In the Wake of Anthropic’s Mythos, OpenAI Has a New Cybersecurity Model—and Strategy Telegram Is Still Hosting a Sanctioned $21 Billion Crypto Scammer Black Market The FCC Has a Fast Lane for Complaints About Trump’s Media Critics Top iRestore Deals for Hair Growth and LED Therapy Devices Meta Is Warned That Facial Recognition Glasses Will Arm Sexual Predators You Should Be More Freaked Out by Shingles BYD’s Fastest-Charging Car in the World Is Astonishing—in Good and Bad Ways The 4 Best Water Filter Pitchers (2026): PFAS, Microplastics The Internet's Most Powerful Archiving Tool Is in Peril The Dumbest Hack of the Year Exposed a Very Real Problem AI Agents Are Coming for Your Dating Life ‘The Audacity’ Is the Broligarchy Takedown You Were Waiting For Why Is It So Hard to Fix an Electric Bike? (2026) Best 2-in-1 Laptops (2026): Microsoft, Lenovo, and the iPad There’s a Secret Ingredient to Making Luxury Ice at Home The Screen Time Legends Who Won't Put Down Their Phones Mammotion’s Spino E1 Is Affordable but Doesn’t Quite Deliver You Don’t Have to Drink Lukewarm Coffee Ever Again. Get a Warmer Zuvi ColorBox Review: Please Just Go to a Professional MacBook Neo vs. MacBook Air: Which One Should You Buy? Best Electric Cargo Bikes (2026): Urban Arrow, Lectric, Tern, and More ‘Crimson Desert’ Is a Cat Dad Simulator Your Push Notifications Aren’t Safe From the FBI Flight Path Data Shows How Mosquitoes Target Humans How the Internet Broke Everyone’s Bullshit Detectors The All-Clad Factory Seconds Sale Is Back—for Now (2026) Artemis II Astronauts Safely Return to Earth After Historic Flight Around the Moon Home Depot Spring Black Friday (2026): Best Tool and Grill Deals Motorola’s Souped-Up Folding Phone Is Almost Half Off Anthropic’s Mythos Will Force a Cybersecurity Reckoning—Just Not the One You Think The Future of the Artemis Program Is Riding on Reentry Suspect Arrested for Allegedly Throwing Molotov Cocktail at Sam Altman’s Home "Uncanny Valley": OpenAI and Musk Fight Again; DOJ Mishandles Voter Data; Artemis II Comes Home This Clever Bike Bell Can Even Be Heard by People Wearing Noise-Canceling Headphones This Startup Wants You to Pay Up to Talk With AI Versions of Human Experts I Did Not Catch Air on the Aventon Current Electric Mountain Bike, but I Could Have Best Smart Shades, Blinds, and Curtains (2026): Motorized, Tailor-Made, and More How 'Democracy Now!' Became the Blueprint for Indie Media AI Podcasters Really Want to Tell You How to Keep a Man Happy Irrigreen's New Smart Irrigation System Promises Smart Watering Without the Hassle—Almost No One Knows Where US Vaccine Policy Goes Next I Tried Asus' First Open Earbuds for Gamers Meta’s New AI Asked for My Raw Health Data—and Gave Me Terrible Advice How and When to Watch the Artemis II Mission’s Return to Earth Naturepedic Promo Codes: Get 20% Off Plus Free Pillows Hungryroot Coupon Codes: 30% Off This April Govee Discount Codes and Deals: 30% Off We-Vibe Coupon Offers: Couples’ Toys and Gift Set Discounts Sealy Promo Code: Save $200 on Mattresses This Month OpenAI Backs Bill That Would Limit Liability for AI-Enabled Mass Deaths or Financial Disasters China Is Cracking Down on Scams. Just Not the Ones Hitting Americans The 70-Person AI Image Startup Taking on Silicon Valley's Giants Save $20 on This Already Inexpensive Wireless Mic Set John Deere Is Paying Farmers $99 Million for Allegedly Monopolizing Repair The Iran War Is Tearing MAGA Influencers Apart The FBI Didn’t Answer Texts From Minnesota Investigators for Days After Renee Good’s Killing The Pro-Iran Meme Machine Trolling Trump With AI Lego Cartoons Ridge Wallet Review: A Beacon for the Overencumbered How Meta Cafeteria Workers Took on ICE—and Won Get Peace of Mind With This GPS and Activity Tracker for Pets I Asked Netflix’s Reality TV Boss Why So Many Men On Dating Shows Are Terrible I Tried TCL’s Samsung Frame Competitor and It Didn’t Compare Politicians Are Spending More Money on Security as They Increasingly Become Targets This AI Wearable From Ex-Apple Engineers Looks Like an iPod Shuffle Artemis II Astronauts Witnessed 6 Meteorites Colliding With the Moon Medicube Coupon Code: 40% Off for April 2026 Top Instacart Promo Code: $15 Off for July 2026 Vivid Seats Promo Codes and Deals: Get 10% Off Birdfy Discount Codes: 15% Off Sitewide Google Workspace Promo Codes: 14% Off for June Paramount+ Coupon Codes and Deals for June 2026 NZXT Discount Codes: 50% Off in June 2026 LG Promo Codes and Coupons for June 2026 AT&T Promo Codes: $50 Off This June 2026 TurboTax Full Service Coupons This June Top Peacock Promo Codes: 40% Off June 2026 Therabody Promo Codes: 15% Off June 2026 Surfshark Promo Codes: 87% Off | June 2026 Nomad Goods Promo Codes: Get 25% Off in June 2026 20% Off Sephora Promo Code | June 2026 30% Off Canon Promo Codes | June 2026 Factor Promo Codes for July 2026 Top Dell Coupon Codes: 20% Off for June 2026 Walmart Promo Codes: Up to 65% Off for June 2026 What Is the Best Fitness Tracker in 2026? Garmin, Oura, More
AI Tools Are Helping Mediocre North Korean Hackers Steal Millions
Andy Greenbe · 2026-04-23 · via WIRED

The advent of AI hacking tools has raised fears of a near future in which anyone can use automated tools to dig up exploitable vulnerabilities in any piece of software, like a kind of digital intrusion superpower. Here in the present, however, AI seems to be playing a more mundane, if still concerning, role in hackers’ toolkit: It’s helping mediocre hackers level up and carry out broad, effective malware campaigns. That includes one group of relatively unskilled North Korean cybercriminals who’ve been discovered using AI to carry out virtually every part of an operation that hacked thousands of victims to steal their cryptocurrency.

On Wednesday, cybersecurity firm Expel revealed what it describes as a North Korean state-sponsored cybercrime operation that installed credential-stealing malware on more than 2,000 computers, specifically targeting the machines of developers working on small cryptocurrency launches, NFT creation, and Web3 projects. By using the AI tools of US-based companies, including those of OpenAI, Cursor, and Anima, the hacker group—which Expel calls HexagonalRodent—“vibe coded” almost every part of its intrusion campaign, from writing their malware to building the fake websites of companies used in its phishing schemes. That AI-enabled hacking allowed the group to steal as much as $12 million in cryptocurrency from victims in three months.

What’s most striking about the HexagonalRodent hacking campaign isn’t its sophistication, says Marcus Hutchins, the security researcher who discovered the group, but rather how AI tools allowed an apparently unsophisticated group to carry out a profitable theft spree in the service of the North Korean state.

“These operators don't have the skills to write code. They don't have the skills to set up infrastructure. AI is actually enabling them to do things that they otherwise just would not be able to do,” says Hutchins, who became well-known in the cybersecurity community after disabling the WannaCry ransomware worm created by North Korean hackers.

Emoji-Littered, AI-Written Code

HexagonalRodent’s hacking operation focused on tricking crypto developers with fraudulent job offers at tech firms, going so far as to create full websites for the fake companies recruiting the victims, often created with AI web design tools. Eventually, the victim was told they’d have to download and complete a coding assignment as a test—which the hackers had infected with malware that infiltrated their machine and stole credentials, including those that in some cases could grant access to the keys that controlled their crypto wallets.

Those parts of the hacking operation appear to have been well-honed and effective, but the hackers were also clumsy enough to leave parts of their own infrastructure unsecured, leaking the prompts they used to write their malware with tools that included OpenAI’s ChatGPT and Cursor. They also exposed a database where they tracked victim wallets, which allowed Expel to estimate the total amount of cryptocurrency the hackers may have stolen. (While those wallets added up to $12 million in total contents, Hutchins says the company couldn’t confirm for each target whether the entire sum had already been drained from the wallets or if the hackers still needed to obtain keys to the victim wallets in some cases, given some may have been protected with hardware security tokens.)

Hutchins also analyzed samples of the hackers’ malware and found other clues that it was largely—perhaps entirely—created with AI. It was thoroughly annotated with comments throughout—in English—hardly the typical coding habits of North Koreans, despite the fact that some command-and-control servers for the malware tied them to known North Korean hacking operations. The malware’s code was also littered with emojis, which Hutchins points out can, in some cases, serve as a clue that software was written by a large language model, given that programmers writing on a PC keyboard rather than a phone rarely take the time to insert emojis. “It's a pretty well-documented sign of AI-written code,” Hutchins says.

The AI-written code Hutchins analyzed ought to have been detectable with typical “end point detection and response” security tools used in most companies and government agencies, Hutchins says, given that it followed standard patterns of behavior for malware. But Hutchins says HexagonalRodent’s decision to focus on individual victims in its hacking campaign meant many didn’t have those security tools installed. “They found a niche where you actually can get away with completely AI-generated malware,” says Hutchins.

Hutchins argues that the HexagonalRodent campaign shows how AI may be an especially useful tool for North Korea, which can easily recruit unskilled IT workers to join its hacker ranks—or more commonly, to infiltrate tech companies while posing as citizens of other countries—but has a far more limited number of capable hackers, given the average North Korean’s lack of access to the internet or even computers. “They have hundreds of people being sent over the border to work in IT operations, and only a few of them really know what they're doing,” Hutchins says. “But then they're able to use generative AI to get a leg up and actually run fairly successful hacking campaigns.”

In fact, rather than reduce the number of people involved in the hacking campaign through automation, Hutchins says he’s been able to observe North Korean operations grow in size over time. Expel estimates that as many as 31 individual hackers were involved in HexagonalRodent. “They just keep adding more and more operators,” Hutchins says. “Because they can just hand them access to an AI model, and they can now do things which they would have previously needed a development team to support.”

A Hermit Kingdom, Embracing AI

The HexagonalRodent activity observed by Hutchins makes up only a small part of North Korea’s sweeping hacking and cybercriminal activity, which can involve vast cryptocurrency theft, ransomware, espionage, fraud, and infiltrating Western organizations through its IT worker schemes. Security researchers have likened North Korea's cyber operations to functioning like a “state-sanctioned crime syndicate,” which ultimately works to fund the nation’s nuclear weaponry, build the country’s infrastructure, and evade international sanctions.

Increasingly, and perhaps unsurprisingly, these state-backed programs have been adding generative AI to their hacking and fraud workflows to improve their overall efficiency. Within North Korea, these efforts have reportedly been supported by the creation of Research Center 227, an organization sitting under the military’s Reconnaissance General Bureau that will partly focus on developing AI-focussed hacking tooling. But day-to-day, North Korea’s cyber operators have repeatedly been caught using commercial, off-the-shelf AI tools.

“North Korea is using AI as a force multiplier, and it is helping with every aspect—building resumes, building websites, building exploits, testing vulnerabilities—and they're doing it at speed and scale,” says Michael “Barni” Barnhart, a researcher at security firm DTEX, who has tracked the country’s hacking operations for years. North Korean cyber operators have been experimenting and widely using AI for multiple years, Barnhart says. “AI is helping them move faster so that they can weaponize exploits and even help build those exploits,” he explains. “You get little pieces of the puzzle from each of the groups, and then it kind of forms a whole picture of how they're using AI.”

For instance, members of North Korea’s IT worker programs have been using AI assistants and face-changing deepfakes to answer questions and change their appearance during fraudulent job interviews. Security researchers at Microsoft have spotted suspected North Korean operations using AI to create false IDs, research work tools, polish their English for social engineering, and research known security vulnerabilities. Some North Korea actors have also used the technology to create web infrastructure at scale, making their operations harder to detect, according to Microsoft’s research.

Both OpenAI and Anthropic have also spotted North Korean cyber operators using their platforms over the last 12 months. In February last year, OpenAI said it had banned suspected North Korean accounts that it detected using ChatGPT at multiple stages of fraudulent IT worker schemes, including during interviews to generate answers to technical questions and for writing code once someone had gained employment at a company.

Meanwhile, Anthropic said in its August threat intelligence report that it had seen North Korean IT workers who “appear unable to perform basic technical tasks or professional communication without AI assistance.” The company also said it detected North Korean hackers intending to use Claude to “enhance” some of the same malware strains Expel found in use, and to develop skills tests containing malware. But Anthropic wrote in its own report that it detected the malicious use of Claude and banned the hackers from using its tools.

OpenAI tells WIRED that its tools did not give the hackers any “novel capabilities,” but acknowledging that the “value” of its tools to the hackers “appears to be speed and scale.” OpenAI did not say if it had banned any accounts in relation to Expel’s findings. Cursor tells WIRED that it had blocked the HexagonalRodent hackers from using its tools, adding that the company is “investigating further and [is] in communication with other model providers on the incident."

Anima, one of the AI web design firms whose tools were used in the hacking campaign, tells WIRED that it was working with Expel to identify and block the hackers from using its software. “This is misuse of Anima’s coding agent by bad actors, and we’re addressing it head-on,” the company’s CEO, Avishay Cohen, wrote.

Hutchins argues that it’s this practical use of AI for enabling hacking operations that should be the cybersecurity’s industry’s focus, not the notion of some future vulnerability discovery AI.

“We're thinking we need to build defenses for the hypothetical Skynet that’s going to blast through all of our networks,” says Hutchins. “Meanwhile, you have a nation-state threat who is able to spin up their operations using AI without doing anything novel. There is real threat activity happening as a result of AI. But it's not the stuff that people are wasting their breath on.”