North Korea's AI-Powered War on Developers

How state-backed hackers are using fake job interviews, backdoored coding tests, and artificial intelligence to systematically target software developers and fund a nuclear weapons program

When a developer receives a LinkedIn message from a recruiter offering a well-paid remote role at a promising Web3 startup, most will not immediately think of North Korea. That gap between expectation and reality is precisely what Pyongyang is counting on.

For years, North Korean state-backed hacking groups have run one of the most sustained and financially successful cybercrime operations in history, targeting not banks or governments but individual software developers. The method is low-tech in its entry point (a job offer, a coding test, a helpful webcam fix) and devastating in its outcome. Developers who fall for it lose cryptocurrency wallets, SSH keys, API tokens, and cloud credentials. The attackers funnel those proceeds back to Pyongyang to fund ballistic missile and nuclear programs under active international sanctions.

In 2026, this operation has reached a new level of sophistication. Artificial intelligence tools are now embedded across the entire attack chain, from generating convincing recruitment personas to debugging the malware used to drain victims. The result is a campaign that is faster, harder to detect, and more profitable than anything North Korea has run before.

Who Is Behind It

The operations described in this article are linked to several overlapping North Korean hacking groups operating under the umbrella of the Lazarus Group, the state-sponsored cyber unit attributed to North Korea's Reconnaissance General Bureau.

The most recently documented subgroup is tracked by security firm Expel as HexagonalRodent, assessed with medium-high confidence as a subset of Famous Chollima. Unlike other Lazarus-affiliated units that target large cryptocurrency exchanges in single high-value operations, HexagonalRodent runs high-volume attacks against individual developers. Its focus is volume: compromise as many developer workstations as possible, steal every credential and wallet available, and move on.

Separately, the groups known as TraderTraitor and Citrine Sleet are responsible for the largest heists. These units execute fewer but larger operations, relying on months of patient social engineering and technical reconnaissance before a precisely timed theft. The Drift Protocol attack in April 2026, which drained $285 million in roughly twelve minutes, involved DPRK proxies conducting in-person meetings with Drift employees over preceding months, a level of operational patience rarely seen in cybercrime.

Together, these groups represent a two-speed operation: a high-frequency retail campaign targeting everyday developers, and a lower-frequency institutional campaign targeting the organizations where those developers work.

Two Attack Models, One Goal

Model 1: The Fake Job Interview

The most common entry point is a job offer. Targets receive outreach through LinkedIn, Upwork, Freelancer, or crypto-specific job boards from what appear to be legitimate recruiters. The roles are lucrative, remote, and relevant to the developer's background. Web3 developers, AI engineers, and cryptocurrency professionals are most frequently targeted, chosen because their machines routinely hold high-value credentials and elevated system privileges.

The recruitment process is professionally constructed. In late 2025, security firm Validin uncovered a North Korean-operated job platform that mimicked Lever, a widely used hiring tool, with polished branding, dynamically generated job listings, and a full multi-step application workflow. The platform included a fake role at Anthropic. The goal was not to hire anyone. It was to move candidates through enough authentic-feeling steps that running a piece of software during the coding assessment stage felt normal.

The infection sequence follows a consistent pattern. After initial contact, the candidate is directed to complete a take-home coding assessment hosted on a private GitHub, GitLab, or Bitbucket repository. When the developer opens the project in Visual Studio Code, malware executes automatically via a configuration file called tasks.json that instructs VSCode to run a task the moment a folder is opened. No click required. Simply opening the project is enough.

Model 2: The Fake IT Worker

In the second model, the attacker does not target the developer from outside. They become the developer. DPRK operatives apply for remote positions at Western companies under fabricated identities, using AI-generated resumes, deepfake video for interviews, and voice-changing tools to pass live screening calls. Once hired, they collect a salary remitted to the regime while conducting data exfiltration, deploying malware, and in some cases recruiting accomplices inside the organization.

Mandiant's 2026 threat intelligence report estimates more than 3,000 suspected DPRK-affiliated workers are currently employed inside Western companies, generating over $600 million annually for the regime. Dozens of Fortune 100 companies have unknowingly hired them. The CSIS documented a single facilitator who helped DPRK workers use stolen identities of more than 60 US citizens at over 300 companies, generating $6.8 million over a three-year period.

The scheme has expanded geographically. Following increased US law enforcement pressure, Google's Threat Intelligence Group confirmed in early 2026 that the operation has shifted focus toward Europe, with confirmed infiltrations across the UK, Germany, Portugal, Poland, and Romania.

How AI Changed the Operation

For years, DPRK cyber operations were partially detectable because of operator limitations: imperfect English, inconsistent resume quality, stilted interview responses, and code that showed signs of non-native authorship. Generative AI has systematically eliminated those signals.

Microsoft's March 2026 report on AI as tradecraft documented the scope of this shift. AI tools now serve across the entire DPRK attack chain: writing tailored resumes and cover letters indistinguishable from those of experienced Western developers, scripting interview answers calibrated to specific job requirements, summarizing stolen data for further exploitation, and debugging malware to remove errors that would otherwise reveal it during analysis.

Inside the HexagonalRodent operation, Expel's researchers identified direct use of ChatGPT and the AI coding tool Cursor by the threat actors themselves, who used these tools to work through credential recovery workflows, refine social engineering scripts, and iterate on malware code. Expel notified both OpenAI and Cursor of the activity.

Real-time deepfake video tools now allow DPRK operatives to present a synthetic Western face during live video interviews. Voice-changing tools modify speech patterns and accent. AI interview copilots coach operators through technical screening calls in real time. The combined effect: a Korean-speaking operator, using a Korean-language Windows installation behind a commercial VPN, can present convincingly as an experienced Western software engineer throughout the entire hiring process.

What Happens After Infection

Once a developer opens the backdoored coding assessment, three malware families work in sequence.

BeaverTail, written in NodeJS, executes first. It functions as both an infostealer and a downloader. It targets browser-saved passwords, cryptocurrency wallet files, macOS Keychain contents, and SSH keys, and it downloads and stages the next payload.

OtterCookie, also written in NodeJS, provides persistent access through a WebSocket tunnel back to attacker infrastructure, enabling a reverse shell for lateral exploration. It sends a continuous stream of credential and wallet data back to the command-and-control server.

InvisibleFerret, written in Python, acts as a pure remote access tool. It provides operators with interactive shell access for extended operations, used when the target environment appears to contain high-value credentials worth manual investigation.

The entire toolkit blends into legitimate developer activity. NodeJS and Python processes are normal on a developer's workstation. Traditional endpoint detection tools that inspect executables and known signatures are poorly equipped to identify these payloads, which live inside interpreter environments that development tools routinely use.

Expel gained access to the attackers' internal tracking infrastructure and found a panel organized like a corporate performance management system: at least six teams with 31 identified members, each ranked by wallet haul. Between January and March 2026 alone, these teams exfiltrated 26,584 cryptocurrency wallets from 2,726 infected developer systems, generating up to $12 million in stolen funds.

The Bigger Picture

The developer-targeting campaign is one component of a much larger and more consequential operation. According to blockchain intelligence firm TRM Labs, North Korean hacking groups were responsible for 76% of all cryptocurrency stolen globally in the first four months of 2026, approximately $577 million out of $759 million in total losses. That share has climbed steadily: under 10% in 2020 and 2021, rising to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. North Korea's cumulative crypto theft since 2017 now exceeds $6 billion.

Those funds are not going to personal enrichment. The US Treasury, the FBI, and the UN Panel of Experts have all documented the direct link between DPRK cyber theft and the financing of ballistic missile testing and nuclear weapons development. When a developer's seed phrase is stolen, it is revenue for a state weapons program.

The Drift Protocol breach illustrated how patient and methodical the institutional-level operations have become. DPRK proxies spent months cultivating relationships with Drift employees before the technical attack began. They exploited a Solana feature called a durable nonce, which extends the validity window of a pre-signed transaction from 90 seconds to indefinite, to pre-load authorized withdrawal transactions weeks in advance. On April 1, those transactions executed automatically. Thirty-one withdrawals drained $285 million in approximately twelve minutes. The operation demonstrated a level of technical precision and operational security that most criminal organizations cannot sustain. North Korea can, because it is a state.

Defensive Takeaways

Final Thoughts

North Korea's developer-targeting campaign is unusual in the threat landscape for several reasons. It is a state intelligence operation that looks indistinguishable from ordinary job-seeking activity. It targets individuals rather than organizations, which means the attack surface is distributed across millions of developers who have no reason to expect a state-level adversary in their inbox. And it funds one of the most dangerous weapons programs on Earth.

The integration of AI has removed what were previously the operation's most visible weaknesses. Detection signals that once pointed to non-native operators (imperfect language, inconsistent resumes, stilted interview performance) have been largely eliminated. What remains is a threat that is fast, scalable, and patient in equal measure: fast enough to drain 26,000 wallets in a single quarter, scalable enough to have placed thousands of operatives inside Western companies, and patient enough to spend months cultivating trust before a single dollar is taken.

The defensive response does not require advanced tooling. It requires awareness of the threat, verification habits that treat unsolicited job opportunities as a potential attack surface, and organizational procedures that treat remote access as a privilege requiring continuous validation rather than a convenience that can be assumed.