A North Korean Crypto Theft Campaign Laid Bare
Incident responders at cybersecurity firm Expel have published detailed findings on a sophisticated North Korean hacking campaign that netted more than $12 million in stolen cryptocurrency during the first three months of 2026. Marcus Hutchins of Expel authored the report, naming the operation HexagonalRodent and linking it to North Korean state-backed actors tracked under the designation Famous Chollima.
The campaign targeted web developers through deceptive job offers and weaponized software downloads, ultimately compromising 2,726 infected systems and extracting funds from 26,584 cryptocurrency wallets.
How the Investigation Began
Expel's inquiry into HexagonalRodent started in October when researchers were examining a BeaverTail malware infection on a customer's network. That initial case opened a thread that led investigators to infrastructure controlled by the threat actors, giving them a rare inside look at how the operation was organized and run.
Both BeaverTail and another tool, InvisibleFerret, had previously been attributed to North Korean actors by other incident response firms. A third strain encountered during the investigation, OtterCookie, completes the set of tools the group used to harvest credentials and drain digital assets.
The Malware Arsenal
The three malware strains served distinct but complementary purposes within the campaign:
- BeaverTail — used to exfiltrate credentials from password managers, the macOS Keychain, and other credential stores.
- InvisibleFerret — a previously documented North Korean tool redeployed in this campaign.
- OtterCookie — an additional strain identified during the Expel investigation.
Expel researchers were able to access an internal panel the group used to track metrics associated with BeaverTail infections, providing concrete visibility into the campaign's scale and internal logistics.
Fake Companies, Fake Jobs, and AI-Assisted Deception
The attack vector relied heavily on social engineering. Threat actors posed as legitimate employers on LinkedIn, reaching out to Web3 developers with enticing, high-paying job offers. In one notable example, the hackers went as far as registering a fake company in Mexico to add credibility to their recruitment pitch.
Once a developer expressed interest, they were directed to download a coding assessment tool — one that was laced with malware. Hutchins noted that the threat actors used generative AI not only to refine their malware code but also to construct convincing fake company profiles and LinkedIn accounts capable of passing casual scrutiny.
Internal Structure: 31 Hackers, Six Teams
Internal documents uncovered during the investigation revealed that HexagonalRodent is not a loosely organized collective but a structured operation. The campaign is divided among 31 hackers operating across six distinct teams. There is also evidence suggesting that former members of HexagonalRodent have broken away to establish their own independent operations, pointing to a broader ecosystem of related activity.
The Broader Context: Small Thefts, Big Strategy
While North Korea has made international headlines for massive exchange-level heists, the HexagonalRodent campaign reflects a parallel strategy: systematically siphoning relatively modest amounts from individual users at scale. Hutchins drew a direct line between current economic conditions and the campaign's effectiveness.
"For the past four years, the tech industry has been flooded with mass-layoff after mass-layoff. This has likely heavily impacted DPRK's fraudulent IT worker scheme, forcing them to reallocate resources towards other means of generating revenue," Hutchins said. "With so many software engineers out of work, and so few job opportunities available, it makes it all the more easier for North Korean state-sponsored hackers to ensnare targets. With developers applying to hundreds or thousands of jobs without receiving a call back, they're likely to have their guard down when that one job offer finally comes in."
The Expel report arrived just days after North Korea's government was accused of orchestrating two separate cryptocurrency heists, each yielding more than $280 million from the targeted platform. Taken together, these incidents paint a picture of a multi-pronged national effort to generate revenue through digital asset theft.
A Pattern Confirmed by Multiple Firms
The findings from Expel are not isolated. The broader cybersecurity community has been raising alarms about dedicated North Korean units focused on developer-targeted malware campaigns. In the same week the Expel report surfaced, Microsoft disclosed a separate North Korean campaign targeting macOS users with tools designed to steal cryptocurrency and harvest credentials. Another firm identified a Pyongyang-linked operation involving fake virtual meetings, which also targeted macOS systems.
Taken collectively, these disclosures underscore that North Korea's approach to cryptocurrency theft is both diverse and evolving — combining high-value exchange attacks with targeted campaigns against individual developers, all supported by AI-assisted deception and purpose-built malware.
Key Takeaways for Developers
- Be highly skeptical of unsolicited job offers arriving through LinkedIn, especially those promising high compensation for Web3 or blockchain-related roles.
- Avoid downloading coding assessments, SDKs, or tools provided by unverified employers before independently confirming the company's legitimacy. Treat any assessment you do accept as untrusted code: installing dependencies or running a build can execute it, so open it only in a disposable VM or container with no access to your wallets, SSH keys, or password manager.
- Recognize that fake companies may have convincing online presences, including registered business entities, as demonstrated by the Mexico registration in this campaign.
- Credential stores, including macOS Keychain and third-party password managers, are active targets for the malware strains used in this campaign. If you ran an assessment from an unverified recruiter on a machine that holds such stores, assume the credentials and wallet keys on it are exposed, and rotate them from a clean device.
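The takeaways above say to treat a recruiter-supplied coding assessment as untrusted before running it. The script below is an added illustration of what a pre-run triage can look like; it is not code from Expel's report or from the campaign itself. It assumes the assessment is a JavaScript/npm project (the article says the targets were web developers but does not name the package format), and its detection rules are hypothetical heuristics rather than signatures for BeaverTail, InvisibleFerret or OtterCookie: npm lifecycle hooks that execute on `npm install`, dynamic code evaluation, large encoded string literals, hex-escaped strings, shell spawning, and references to credential-store paths. The sample project it builds is constructed for the demonstration and contains no functional payload.

```python
"""Pre-run triage for an untrusted "coding assessment" project (added example).

Walks a downloaded project and flags npm lifecycle hooks (which run on
`npm install`, before you ever open the code) and source files that use
dynamic code execution, large encoded blobs, or credential-store paths.
These are hypothetical heuristics, not malware signatures: a clean report
does not mean the project is safe, and it should still be run in isolation.
"""
import base64
import json
import re
import tempfile
from pathlib import Path

# npm runs these scripts automatically during install, so they are the
# first place a booby-trapped project would execute code.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (label, regex) pairs. Assumed heuristics chosen for this example.
PATTERNS = [
    ("dynamic-eval", re.compile(r"\b(eval|Function)\s*\(")),
    ("child-process", re.compile(r"child_process|execSync\s*\(|spawn\s*\(")),
    ("encoded-blob", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
    ("hex-escapes", re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")),
    ("credential-store",
     re.compile(r"keychain|Login Data|\.config/solana|password", re.I)),
]
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts"}


def scan_manifest(pkg_json: Path) -> list[dict]:
    """Report every lifecycle hook declared in a package.json."""
    try:
        scripts = json.loads(pkg_json.read_text()).get("scripts", {})
    except (json.JSONDecodeError, OSError):
        return [{"file": str(pkg_json), "kind": "unreadable-manifest", "detail": ""}]
    return [
        {"file": str(pkg_json), "kind": f"lifecycle:{hook}", "detail": scripts[hook]}
        for hook in LIFECYCLE_HOOKS if hook in scripts
    ]


def scan_source(path: Path) -> list[dict]:
    """Report the first match of each heuristic pattern in one source file."""
    text = path.read_text(errors="replace")
    findings = []
    for label, rx in PATTERNS:
        m = rx.search(text)
        if m:
            findings.append({"file": str(path), "kind": label, "detail": m.group(0)[:60]})
    return findings


def triage_project(root: Path) -> list[dict]:
    """Walk the project (skipping node_modules) and collect all findings."""
    findings = []
    for path in sorted(root.rglob("*")):
        if "node_modules" in path.parts or not path.is_file():
            continue
        if path.name == "package.json":
            findings.extend(scan_manifest(path))
        elif path.suffix in SOURCE_SUFFIXES:
            findings.extend(scan_source(path))
    return findings


def build_sample_project(root: Path) -> Path:
    """Write a constructed mock of a booby-trapped assessment repo (no real payload)."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "package.json").write_text(json.dumps({
        "name": "frontend-assessment",
        "scripts": {"postinstall": "node ./scripts/setup.js", "test": "jest"},
    }))
    (root / "scripts").mkdir(exist_ok=True)
    blob = base64.b64encode(b"// placeholder, not real code " * 10).decode()
    (root / "scripts" / "setup.js").write_text(
        'const os = require("os");\n'
        f'const payload = "{blob}";\n'
        'eval(Buffer.from(payload, "base64").toString());\n'
    )
    (root / "src").mkdir(exist_ok=True)
    (root / "src" / "index.js").write_text("export const add = (a, b) => a + b;\n")
    return root


def demo() -> list[dict]:
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_project(build_sample_project(Path(tmp) / "assessment"))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:<22} {Path(f['file']).name:<14} {f['detail']}")
```

Run it against a real download with `triage_project(Path("path/to/assessment"))` before `npm install`, and do so from inside the disposable environment, not from the workstation that holds your keys; the script reads files only and never executes anything from the project.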
Source: The Record