How Hackers Are Using AI Tools to Steal Millions
A new report reveals how a North Korean-linked hacking group is leveraging AI to conduct sophisticated cyberattacks, successfully stealing $12 million in just three months.

Key Points
- North Korea-linked group HexagonalRodent stole $12 million in just three months.
- Hackers leverage tools like OpenAI, Cursor, and Anima to write malware and build fake sites.
- The use of 'vibe coding' enabled unskilled actors to conduct high-level cyberattacks.
- Malware samples featured unusual emoji usage, a clear sign of AI-generated code.
- AI acts as a force multiplier, allowing North Korea to scale its cybercriminal operations.
In today’s rapidly evolving digital landscape, fears surrounding AI have moved well beyond sci-fi tropes about sentient systems taking over the world. Instead, the immediate threat lies in how these tools are being leveraged to empower mediocre hackers, effectively bridging the skill gap for state-sponsored cybercrime syndicates.

Cybersecurity firm Expel recently uncovered a campaign by a North Korean-linked group known as HexagonalRodent, which has successfully utilized AI to steal as much as $12 million in cryptocurrency over just three months. The group has been using readily available AI tools, including those from OpenAI, Cursor, and Anima, to handle every facet of their operation, from writing malware to constructing sophisticated fake websites.

According to security researcher Marcus Hutchins, who famously helped neutralize the WannaCry ransomware, the most striking aspect of this campaign is not its sophistication, but rather how AI has enabled unskilled operators to carry out profitable theft at scale. "These operators don't have the skills to write code. They don't have the skills to set up infrastructure. AI is actually enabling them to do things that they otherwise just would not be able to do," Hutchins noted.

HexagonalRodent’s strategy primarily targets developers in the cryptocurrency and Web3 space. The attackers lure victims with fraudulent job offers, eventually prompting them to download and complete 'coding assignments' that are actually infected with credential-stealing malware. Once the malware is on the victim's machine, it can harvest sensitive data, including keys that control crypto wallets. The operation is highly effective, though the hackers have occasionally been sloppy, leaving behind exposed infrastructure that allowed researchers to trace their activities.

One of the most telling clues that this malware was AI-generated is the presence of extensive English comments and emojis throughout the code. As Hutchins points out, human programmers, especially those in North Korea who aren't typically native English speakers, rarely take the time to annotate their code with emojis. This, combined with the standard behavioral patterns of the malware, makes it a hallmark of AI-assisted development. While these patterns should technically be flagged by standard endpoint security tools, the hackers have found a 'niche' by targeting individuals rather than large organizations that might have more robust defenses.

For North Korea, AI serves as a 'force multiplier.' Instead of needing a team of elite developers for every operation, the state can deploy a large number of lower-skilled workers who use generative AI to perform tasks that would otherwise require deep technical expertise. Expel estimates that as many as 31 individual hackers were involved in the HexagonalRodent campaign, a sign that the nation is scaling up its cyber operations.

Companies like OpenAI, Anthropic, and Cursor have all confirmed they are actively working to identify and ban these malicious actors from their platforms. Ultimately, Hutchins argues that the industry needs to shift its focus. Rather than obsessing over the hypothetical threat of an AI that might one day discover world-ending vulnerabilities, the cybersecurity community should focus on the very real, practical ways that AI is being used today to facilitate cybercrime. These state-sponsored groups are not doing anything novel; they are simply using AI to do existing tasks faster and at a scale that was previously impossible, making AI the most significant tool in the modern hacker’s arsenal.
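The emoji-in-comments tell described above is cheap to turn into a triage check for anyone asked to review an unsolicited 'coding assignment' before running it. The following is an added example, not Expel's tooling or any code from the campaign; the sample files are constructed and benign, and the threshold of two emoji-bearing comment lines is an assumed starting point, not a value from the report.

```python
"""Triage heuristic: flag source files whose comments carry emoji.

Added example for this article; not Expel's code or anything recovered
from the HexagonalRodent campaign. The only campaign-specific fact used
is the reported tell that AI-written samples had English comments
decorated with emoji. Everything else (samples, threshold) is constructed.
"""
from __future__ import annotations

import re
import unicodedata

# Deliberately naive comment matching: JS/C-style '//' and shell/Python '#'.
# A '//' inside a URL string will be picked up too; that only adds noise,
# it never hides an emoji-bearing comment.
LINE_COMMENT = re.compile(r"(?://|#)\s*(.*)$")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def is_emoji(ch: str) -> bool:
    """Treat 'Symbol, other' characters from U+2600 upward as emoji.

    This covers Miscellaneous Symbols, Dingbats and the Supplemental
    Symbols and Pictographs blocks without shipping an emoji table.
    """
    return ord(ch) >= 0x2600 and unicodedata.category(ch) == "So"


def extract_comments(source: str) -> list[str]:
    """Return the text of every comment in the source, one entry per line."""
    comments: list[str] = []
    for block in BLOCK_COMMENT.findall(source):
        comments.extend(line.strip(" */") for line in block.splitlines())
    for line in BLOCK_COMMENT.sub("", source).splitlines():
        m = LINE_COMMENT.search(line)
        if m:
            comments.append(m.group(1))
    return [c for c in comments if c]


def scan_source(source: str, min_emoji_lines: int = 2) -> dict:
    """Score one file: comment lines that carry emoji, and emoji overall.

    min_emoji_lines is an assumed threshold; tune it against your own
    corpus of known-good repositories before relying on the flag.
    """
    comments = extract_comments(source)
    emoji_lines = [c for c in comments if any(is_emoji(ch) for ch in c)]
    emoji_total = sum(1 for c in comments for ch in c if is_emoji(ch))
    return {
        "comment_lines": len(comments),
        "emoji_lines": len(emoji_lines),
        "emoji_total": emoji_total,
        "flag": len(emoji_lines) >= min_emoji_lines,
    }


def triage(files: dict[str, str]) -> list[str]:
    """Return the names of files worth a human look, most emoji-dense first."""
    scored = {name: scan_source(src) for name, src in files.items()}
    flagged = [n for n, s in scored.items() if s["flag"]]
    return sorted(flagged, key=lambda n: scored[n]["emoji_lines"], reverse=True)


# Constructed, benign samples standing in for a 'coding assignment' repo.
SAMPLES = {
    "utils.js": (
        "// parse config\n"
        "function parse(s) { return JSON.parse(s); }\n"
        "module.exports = { parse };\n"
    ),
    "setup.js": (
        "/**\n"
        " * 🚀 Project bootstrap - run this first!\n"
        " */\n"
        "const os = require('os');\n"
        "// 🔑 Load the API key for the demo\n"
        "const key = process.env.DEMO_KEY;\n"
        "// ✅ All done, ready to build\n"
        "console.log('ready');\n"
    ),
}

if __name__ == "__main__":
    for name in triage(SAMPLES):
        print(f"review before running: {name} -> {scan_source(SAMPLES[name])}")
```

The flag is a reason to read the file, not a verdict: plenty of legitimate projects use emoji in comments, and the article is explicit that the tell only matters alongside the malware's behavioral patterns. Pairing this with a check for code that reads credential stores or wallet files would make a stronger pre-execution gate.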
The HexagonalRodent Strategy
The HexagonalRodent group employs a sophisticated social engineering strategy, targeting developers with fake job offers. These recruitment efforts are polished using AI-generated web design tools, making the fraudulent companies appear legitimate and trustworthy to unsuspecting victims. Once a victim is engaged, the attackers provide a 'coding assignment' designed to test their skills. In reality, this assignment is a delivery vehicle for malware. When the victim runs the code, the malware infiltrates their system, harvesting credentials and gaining access to crypto wallets, allowing the group to drain funds efficiently.
AI as a Force Multiplier
For North Korea, AI serves as an essential force multiplier, bridging the gap between the limited expertise of its IT workforce and the complex requirements of modern cyberattacks. Instead of relying on a handful of elite hackers, the state can now deploy a larger, less-skilled workforce capable of executing sophisticated tasks. This shift has allowed the state to scale its operations significantly. While tech companies are working to implement safeguards and ban malicious accounts, the sheer speed and accessibility of these AI models ensure that they remain a cornerstone of North Korean cyber operations for the foreseeable future.
This article was drafted with AI assistance and editorially reviewed before publication. Sources are listed below.