lazarusholic


HexagonalRodent: DPRK AI-Powered Crypto Theft Campaign Using LinkedIn Lures to Target Web3 Develop

2026-04-30, FalconFeeds
https://falconfeeds.io/blogs/hexagonalrodent-dprk-ai-crypto-theft-linkedin-malware-web3-targeting/
#BeaverTail #HexagonalRodent #KelpDAO


HexagonalRodent is a financially motivated, state-sponsored advanced persistent threat group attributed by Expel to North Korea (the Democratic People's Republic of Korea, DPRK), overlapping with the cluster tracked by CrowdStrike as Famous Chollima and by other vendors as Contagious Interview. FalconFeeds.io assesses with HIGH confidence that HexagonalRodent is an operational sub-unit of the broader Lazarus Group constellation, specifically the TraderTraitor wing responsible for systematic crypto asset theft through developer targeting.

In Q1 2026 (January through March), HexagonalRodent stole approximately $12 million USD in cryptocurrency from 26,584 digital wallets resident on 2,726 compromised systems. The campaign targeted Web3 and decentralised finance (DeFi) developers globally via AI-generated fake job offers delivered through LinkedIn, using three interoperating malware families (BeaverTail, OtterCookie, and InvisibleFerret) in a phased infection chain that begins with a malicious coding assessment and culminates in full credential exfiltration and wallet draining.

The Expel incident response investigation, led by researcher Marcus Hutchins, obtained access …