The homepage of AI Health Chains
The digital asset landscape is under siege by a highly active, North Korean-linked threat group that has successfully siphoned millions in cryptocurrency in just the first quarter of 2026. Security researchers at Expel have unveiled a detailed exposé on Expel-TA-0001, colloquially dubbed HexagonalRodent. This group, assessed with high confidence to be state-sponsored, has evolved from fraudulent IT workers into a prolific malware-driven enterprise targeting Web3 developers.
Between January and March 2026, HexagonalRodent exfiltrated data from over 26,500 cryptocurrency wallets, with a total potential value reaching $12 million.
HexagonalRodent’s primary tactic is a sophisticated twist on the “fake job offer.” Exploiting recent industry layoffs, the group poses as tech recruiters on platforms like LinkedIn to lure developers with high-paying tech roles.
Once a target is hooked, they are asked to complete a “take-home coding assessment”. These projects are backdoored with malware toolkits known as BeaverTail, OtterCookie, and InvisibleFerret. One particularly clever technique involves abusing the tasks.json file in VSCode:
“The threat actors abuse this by shipping their own tasks.json with a malicious runOn:’folderOpen’ command configured. This causes VSCode to execute malware simply as a result of the target opening the source code folder with VSCode”.
HexagonalRodent is an early adopter of Generative AI, utilizing tools like ChatGPT and Cursor to refine their code and build elaborate front companies. Researchers identified AI-generated code by its telltale “vibe”: verbose, formal English comments and the unusual presence of emojis.
Beyond coding, AI is used to create “fake C-suites” for front companies like AI Health Chains, complete with AI-generated headshots and websites built using AI design platforms.
Researchers reverse-engineered several of the group’s web-based panels, discovering what appears to be an internal workforce tracker rather than a traditional C2. This panel allows “team leaders” to monitor the daily performance of individual operators.
Based on leaked database records, HexagonalRodent appears to be a well-oiled machine:
- Internal Structure: Composed of approximately 31 operators.
- Hierarchy: Split across 6 unique teams (e.g., 6team, 7team, 101team).
- Focus: Individual systems and crypto wallets, rather than lateral movement within corporate networks.
Telemetry data shows a consistent flow of digital assets into the group’s system:
- January: $6.3 million.
- February: $1.5 million.
- March: $4.2 million.
While the use of hardware security tokens by some victims likely limited the actual losses, at least $1.1 million has been confirmed to reach a known DPRK-operated Ethereum address.