
AI Tools Are Helping Mediocre North Korean Hackers Steal Millions
```json
{
  "title": "How AI Is Supercharging North Korean Crypto Hackers",
  "metaDescription": "North Korean hacker groups are using AI tools to steal billions in crypto. Here's what the latest threat intelligence reveals about their evolving tactics.",
  "content": "<h2>North Korean Hackers Are Using AI to Steal Billions in Cryptocurrency</h2>\n\n<p>North Korean state-sponsored hacking groups have fully integrated artificial intelligence tools into their cyberattack operations — using AI to generate fake employee photos, write malware code, create deepfake videos, and manage networks of fraudulent IT workers. The result is an industrialized financial pipeline that, according to blockchain intelligence firm Chainalysis, yielded <strong>$2.02 billion in stolen cryptocurrency in 2025 alone</strong> — a 51% increase year-over-year and the most severe year of DPRK crypto theft on record.</p>\n\n<p>From legally registered front companies on U.S. soil to a hijacked open-source JavaScript library downloaded tens of millions of times per week, the breadth and sophistication of North Korea's AI-assisted hacking ecosystem have escalated sharply. Multiple threat intelligence firms, the FBI, and the U.S. Department of Justice have all taken action in recent months — yet the operations keep coming.</p>\n\n<h2>Fake Companies, AI-Generated Faces, and Malware Delivered via Job Interviews</h2>\n\n<p>In April 2025, threat intelligence firm Silent Push documented one of the more brazen examples of North Korea's evolving playbook. The North Korean APT group <strong>Contagious Interview</strong> — a subgroup of the Lazarus Group, also tracked as Famous Chollima — created three fake cryptocurrency consulting companies: <strong>BlockNovas LLC</strong>, <strong>Angeloper Agency</strong>, and <strong>SoftGlide LLC</strong>. These weren't just shell identities. BlockNovas and SoftGlide were legally registered corporate entities in the United States.</p>\n\n<p>The fake companies posted job listings on legitimate platforms including CryptoJobsList, CryptoTask, Freelancer, and Upwork. When cryptocurrency job seekers applied and entered the interview process, they were served malware disguised as part of the hiring workflow. To populate the fake companies with convincing employee profiles, the group used <strong>Remaker AI</strong> — an AI-powered image generation tool — to create fabricated profile photos. At least one image was confirmed to be impersonating a real person.</p>\n\n<p>Kasey Best, director of threat intelligence at Silent Push, described the operation's significance: <em>"This is a rare example of North Korean hackers actually managing to set up legal corporate entities in the US in order to create corporate fronts used to attack unsuspecting job applicants."</em></p>\n\n<p>Zach Edwards, senior threat analyst at Silent Push, added: <em>"There are numerous fake employees and stolen images from real people being used across this network."</em></p>\n\n<p>The FBI seized the BlockNovas domain on April 23, 2025, as part of a law enforcement action against North Korean cyber actors. But the campaign illustrated a new level of operational commitment: AI tools weren't just a convenience — they were load-bearing infrastructure for the entire deception.</p>\n\n<h2>Deepfakes, Dormant Implants, and a Supply Chain Attack on Axios</h2>\n\n<p>Contagious Interview is far from the only North Korean group deploying AI offensively. The threat actor <strong>UNC1069</strong> — also tracked as CryptoCore and MASAN — has been documented using Google's <strong>Gemini AI</strong> to develop code designed to steal cryptocurrency. UNC1069 has also deployed deepfake images and video lures to distribute a backdoor called <strong>BIGMACHO</strong>, disguised as a Zoom SDK.</p>\n\n<p>According to Google Mandiant researchers Ross Inman and Adrian Hernandez, one documented UNC1069 intrusion relied on <em>"a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim."</em> That single intrusion resulted in the deployment of as many as seven unique malware families, including SILENCELIFT, DEEPBREATH, and CHROMEPUSH.</p>\n\n<p>The Security Alliance (SEAL) reported in April 2026 that it had blocked <strong>164 UNC1069-linked domains</strong> impersonating services like Microsoft Teams and Zoom in just a two-month window between February 6 and April 7, 2026. SEAL's published report also noted a deliberate patience in the group's operations: <em>"Operators deliberately do not act immediately following initial access. The implant is left dormant or passive for a period following compromise."</em></p>\n\n<p>Perhaps the most alarming recent development was a March 2026 supply chain attack targeting the widely used JavaScript library <strong>Axios</strong> — a package downloaded tens of millions of times every week. Google attributed the attack to UNC1069. John Hultquist, chief analyst for Google's Threat Intelligence Group, stated plainly: <em>"We have attributed the attack to a suspected North Korean threat actor we track as UNC1069."</em></p>\n\n<p>StepSecurity described the Axios attack as <em>"among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package,"</em> according to TechCrunch and Nextgov. The malware deployed a cross-platform remote access trojan that connected to a command-and-control server before wiping its own tracks. Security researcher John Hammond at Huntress identified approximately 135 compromised devices belonging to roughly 12 companies in the aftermath.</p>\n\n<p>Charles Carmakal, Mandiant's chief technology officer, warned of the likely follow-on intent: <em>"We anticipate they will try to leverage the credentials and system access they recently obtained in this software supply chain attack to target and steal cryptocurrency from enterprises."</em></p>\n\n<h2>AI-Assisted Malware Code and the Fraudulent IT Worker Pipeline</h2>\n\n<p>North Korea's AI integration extends beyond attack delivery. In January 2026, North Korean hackers were observed targeting developers via malicious VS Code projects. Jaron Bradley, director of Jamf Threat Labs, noted a telling technical detail about the payload: <em>"It's worth noting that the payload we observed for macOS was written purely in JavaScript and had many signs of being AI assisted."</em></p>\n\n<p>Meanwhile, a parallel scheme — the so-called "Wagemole" or fraudulent IT worker operation — has been running at industrial scale. North Korean nationals infiltrate Western technology and cryptocurrency companies as remote workers, using AI-generated synthetic identities, deepfake tools, and GenAI-powered job application services. According to Okta, as cited by The Hacker News, <em>"Facilitators are now using GenAI-based tools to optimize every step in the process of applying and interviewing for roles and to aid DPRK nationals attempting to maintain this employment,"</em> including managing scheduling of job interviews with multiple simultaneous DPRK candidate personas.</p>\n\n<p>In April 2026, one such IT worker accidentally detonated infostealer malware on their own computer — exposing an internal payment server containing 390 accounts, chat logs, and crypto transactions. The leak, reported by Cybernews, revealed a scheme generating approximately <strong>$1 million per month</strong>. According to blockchain investigator ZachXBT's analysis, a single payment wallet address had received more than <strong>$3.5 million in funds</strong> since late November 2025.</p>\n\n<p>The U.S. Department of Justice has also taken action. In March 2026, three men — Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis — were sentenced for their roles in furthering North Korea's fraudulent IT worker scheme. Travis received one year in prison and was ordered to forfeit $193,265.</p>\n\n<h2>The Scale of the Problem: $6.75 Billion and Counting</h2>\n\n<p>The financial stakes are staggering. Chainalysis's Crypto Crime Report found that North Korea-linked hackers stole <strong>$2.02 billion in cryptocurrency in 2025</strong>, accounting for a record <strong>76% of all cryptocurrency service-level compromises globally</strong> that year. As Chainalysis stated in its report: <em>"This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76% of all service compromises."</em></p>\n\n<p>The single largest theft was the <strong>February 2025 Bybit exchange hack</strong>, which alone accounted for $1.5 billion of that total and has been attributed to the threat cluster TraderTraitor, also known as Jade Sleet and Slow Pisces. Cumulatively, the lower-bound estimate of total cryptocurrency stolen by the DPRK through 2025 stands at <strong>$6.75 billion</strong>, according to Chainalysis.</p>\n\n<p>These aren't just cybersecurity statistics. A March 2024 UN Security Council sanctions committee report found that North Korea's malicious cyber activities generate approximately <strong>50% of its foreign currency income</strong> and fund an estimated <strong>40% of its weapons of mass destruction programs</strong>. The crypto theft pipeline is, in effect, a weapons financing mechanism.</p>\n\n<p>Ben Read, director of strategic threat intelligence at security firm Wiz, offered context for why North Korea continues to operate so aggressively and visibly: <em>"North Korea isn't worried about its reputation or being eventually identified, so while these types of operations are very noisy and high profile, that's a price they're willing to pay."</em></p>\n\n<h2>What Comes Next</h2>\n\n<p>The documented trajectory points in one direction: North Korean threat actors are integrating AI tools more deeply across every phase of their operations, and the results are measurable in billions of dollars. With Mandiant warning that credentials obtained in the Axios supply chain attack may be used to target cryptocurrency enterprises, the immediate risk window remains open.</p>\n\n<p>For cryptocurrency firms, developer teams, and any organization that relies on open-source packages or remote technical contractors, the threat landscape has materially changed. AI has lowered the skill floor required to execute convincing social engineering, generate passable malware, and maintain elaborate fake identities at scale. Operations that might once have required seasoned operatives can now be scaffolded, at least in part, with widely available AI tooling.</p>\n\n<p>Domain blocking, as demonstrated by SEAL's takedown of 164 UNC1069-linked domains in two months, remains an active countermeasure. Law enforcement actions by the FBI and DOJ have demonstrated that front companies and facilitators operating in the U.S. are not untouchable. But the cumulative $6.75 billion figure, combined with year-over-year growth in theft volumes, makes clear that containment has not yet outpaced the threat.</p>\n\n<p>For more tech news, visit our <a href=\"/news\">news section</a>.</p>\n\n<h2>Staying Informed Is a Security Practice</h2>\n\n<p>Understanding the evolving AI threat landscape isn't just for security professionals — it's increasingly relevant to anyone who manages digital assets, works remotely, or makes decisions about the tools and contractors their organization relies on. At Moccet, we believe that staying informed is itself a productivity and safety habit. When the tools of deception evolve this fast, situational awareness is a competitive advantage. <a href=\"/#waitlist\">Join the Moccet waitlist to stay ahead of the curve.</a></p>",
  "excerpt": "North Korean hacker groups are using AI tools — from deepfake video to AI-generated malware code — to steal cryptocurrency at record scale. Chainalysis confirmed $2.02 billion stolen in 2025 alone, a 51% year-over-year increase, with attacks spanning fake U.S. front companies, a hijacked JavaScript library used by millions, and a fraudulent IT worker operation generating roughly $1 million per month. Multiple U.S. agencies, threat intelligence firms, and blockchain investigators have documented the escalating campaign.",
  "keywords": [
    "North Korean hackers AI",
    "DPRK cryptocurrency theft",
    "UNC1069 malware",
    "Contagious Interview Lazarus Group",
    "AI-assisted cyberattacks"
  ],
  "slug": "north-korean-hackers-ai-cryptocurrency-theft"
}
```