The Industrialization of Web3 Theft: How HexagonalRodent Leverages AI and Social Engineering to Loot Developers

In a sophisticated evolution of North Korean cyber operations, a threat actor group known as HexagonalRodent is systematically targeting the Web3 ecosystem. By blending high-touch social engineering with AI-augmented malware development, this group is successfully exfiltrating millions of dollars in cryptocurrency from developers worldwide.

Security researchers at Expel assess with high confidence that HexagonalRodent is a DPRK state-sponsored subgroup. The group appears to represent an evolutionary bridge: transitioning from fraudulent IT worker operations—designed to bypass international sanctions—into a dedicated, malware-driven theft unit.

The scale of the operation is staggering. In a mere three-month window, the group compromised 2,726 developer systems, exfiltrating data from 26,584 cryptocurrency wallets. While hardware security tokens served as a critical barrier to total loss, the group put up to $12 million in digital assets at risk.

Despite their specific focus on asset theft, the group’s technical DNA remains deeply linked to the broader Lazarus Group ecosystem. Their infrastructure, toolsets, and adversary tradecraft (TTPs) mirror other established APTs like Famous Chollima.

The HexagonalRodent toolkit primarily revolves around three specialized malware families:

  • BeaverTail & OtterCookie: NodeJS-based multipurpose toolkits designed for credential harvesting, sensitive file access, and maintaining reverse shells.
  • InvisibleFerret: A Python-based reverse shell used for persistent remote access.

The “Take-Home Test” Trap: Exploiting Developer Workflows

HexagonalRodent bypasses traditional perimeter defenses by targeting the human element. Their primary infection vector is a highly convincing social engineering campaign. Recruiters pose as high-end talent hunters on LinkedIn and specialized crypto job boards, offering lucrative positions to Web3 developers.

The “hook” is the technical assessment. Candidates are sent “take-home” coding challenges hosted on Git platforms or delivered as compressed archives. While these appear to be legitimate skills tests, they are pre-loaded with sophisticated backdoors.

One particularly insidious technique involves the abuse of VS Code configuration files. By manipulating the tasks.json file with the "runOn": "folderOpen" property, the attackers ensure that the malicious payload executes automatically the moment a developer opens the project repository. For those utilizing alternative editors, the group embeds secondary backdoors directly into the source code, which trigger during the build or execution phase.

Once the initial foothold is established, the malware initiates a connection to a NodeJS-based command-and-control (C2) infrastructure, granting the attackers full remote control over the endpoint to harvest seed phrases and browser-saved credentials.

Unlike specialized units such as Stardust Chollima, which typically aim for high-value penetration of exchanges, HexagonalRodent prioritizes “volume over precision.” They focus on the individual developer, targeting the endpoints where private keys and sensitive environment variables live.

This strategy even extended into the supply chain. In early 2026, the group compromised the “fast-draft” extension within the Open VSX ecosystem, using it as a distribution vehicle for the OtterCookie malware. Telemetry linked the extension’s C2 server (195.201.104[.]53) directly to known HexagonalRodent infrastructure.

A small snippet of the malware loader showing the verbose comments and emoji use (Source : Expel).
A snippet of the malware loader, notable for its use of verbose comments and emojis, a sign of the group’s move toward more customized, “humanized” code. (Source : Expel)

Generative AI: The New Force Multiplier

The most alarming aspect of HexagonalRodent’s campaign is the integration of Generative AI into their operational lifecycle. They are not just using AI to write code; they are using it to industrialize the entire deception process.

AI is currently being leveraged to:

  • Polish Phishing Lures: Ensuring recruitment communications are linguistically perfect and culturally resonant.
  • Construct Fake Digital Identities: Using AI to generate convincing company websites and LinkedIn profiles, including entire fake C-suite hierarchies.
  • Automate Code Obfuscation: The group has been observed prompting commercial AI models to “audit” their backdoored code, essentially using AI to identify and fix vulnerabilities that might allow a developer to detect the malware.
The homepage of AI Health Chains, which features an AI-generated video of lab workers as the website background (Source : Expel).
The homepage of a fraudulent entity, “AI Health Chains,” utilizing AI-generated video backgrounds to establish a veneer of legitimacy. (Source : Expel)

While vendors like OpenAI and Anthropic have successfully blocked several related accounts, the threat persists. A 2025 Anthropic report noted attempts by DPRK-linked actors to register Claude accounts to refine their malware toolsets, highlighting a continuous arms race between AI providers and state-sponsored developers.

A “Corporate” Approach to Cybercrime

By reverse-engineering the group’s ReactJS-based C2 and management panels, researchers have uncovered a highly structured, almost corporate organizational model. The attackers do not just operate in silos; they operate in “teams.”

The C2 infrastructure includes a browser-based remote control utility that provides VNC-like capabilities, allowing attackers to view screens and manipulate mice/keyboards in real-time. More uniquely, the group utilizes a workflow dashboard designed to track “performance.”

The remote control panel, presenting a stock image of a desktop for illustrative purposes (Source : Expel).
The remote control panel used by operators to manage compromised endpoints. (Source : Expel)

This dashboard functions similarly to a workforce tracker, ranking various units (such as “6team” or “101team”) based on their “wallet haul.” This mirrors broader reporting on how the DPRK utilizes performance-based metrics for its fraudulent IT worker programs. Hardcoded identifiers in the malware allow these teams to group stolen assets by system hostname and team ID, streamlining the laundering process.

The Bottom Line: The HexagonalRodent campaign serves as a warning to the Web3 community. Even relatively “noisy” or unsophisticated malware can cause catastrophic damage when it is industrialized through automation, polished by AI, and delivered via high-fidelity social engineering.

WHb wvHc SfjOTbBPLQigqd XQPnIuI

Related Articles

Back to top button