North Korean hackers stole $12 million in crypto in Q1, U.S. media reports


A projection of cyber code on a hooded man is pictured in this illustration picture taken on May 13, 2017. [REUTERS/YONHAP]


 
North Korean regime-affiliated hacking groups were found to have stolen more than $12 million in cryptocurrency in this year’s first quarter, according to a news report from Voice of America (VOA) on Friday.
 
The hackers lured Web3 developers via email with tempting job offers under a fake corporate profile on LinkedIn and used generative AI to fine-tune their malicious hacking code, the U.S.-based cybersecurity firm Expel said on Wednesday. The U.S. government-funded media outlet cited the company's report two days later.
 


 
The U.S. cybersecurity firm said that the regime-affiliated hacking group, dubbed “HexagonalRodent,” is linked to the state-sponsored group “Famous Chollima.”
 
HexagonalRodent used malware such as Beavertail, OtterCookie and InvisibleFerret, and successfully siphoned 26,584 cryptocurrency wallets from 2,726 infected developers’ systems. According to the report, the regime has now expanded its extortion to individuals to fund its crypto theft.
 
“Once the threat actors have lured in a developer with a fake job offer, they then request that the developer undergo a coding skills assessment [...] that the developer must debug, add features to, or audit, and turn in for review at a later date,” Expel said. The cybersecurity firm assessed that features added for the job screening had malicious code planted in them and were “subtly backdoored.”
 
According to Expel, HexagonalRodent comprises 31 operators divided into six teams, with members conducting independent cyberattacks. The cybersecurity firm noted that it had accessed the regime-linked hacking group’s backend database due to a misconfiguration in the group’s system.
 
Expel noted that the North’s original infiltration scheme, targeting information technology (IT) companies, might have been disrupted by mass layoffs in the IT industry over the last four years, forcing the regime to take a different path to steal crypto assets.
 
“The latest North Korea’s strategic expansion in its cryptocurrency theft operations, which now goes beyond large-scale attacks on major exchanges to individual developers for the gains of smaller sums,” the VOA said in the report. 
 
North Korean men and women use computer terminals at the Sci-Tech Complex in Pyongyang, North Korea. [AP PHOTO/YONHAP]


 
Pyongyang has increasingly been resorting to cybercrime to fund its weapons development due to tightening international sanctions targeting its nuclear and missile programs.
 
U.S. Director of National Intelligence Tulsi Gabbard said North Korea’s cyber program is “sophisticated and agile” during her opening remarks at a Senate Select Committee on Intelligence hearing in Washington on March 18. 
 
“In 2025 alone, North Korea's cryptocurrency heist probably stole $2 billion, which the IC assesses is helping to fund the regime and includes further development of its strategic weapons programs,” Gabbard said. The IC refers to the U.S. Intelligence Community.
 
Separately, a spokesperson for the U.S. Department of State criticized China for its continuing violations of UN sanctions against North Korea in their comments on Friday.
 
UN Security Council Resolution 2397 mandates that member states repatriate all North Korean nationals earning income to their home country by December 2019 and prohibits the issuance of employment licenses.


This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY CHUNG YEONG-GYO