- \n
- North Korean hackers stole $12m in crypto in three months using AI tools.<\/li>\n
- A former ransomware negotiator turned out to be an accomplice.<\/li>\n
- UK intelligence: 100 governments have access to commercial spyware.<\/li>\n
- An infostealer was planted in Bitwarden\u2019s developer-facing password manager.<\/li>\n<\/ul>\n<\/div>\n
North Korean hackers stole $12m in crypto in three months using AI tools<\/h2>\n
Over three months, the North Korean hacking group HexagonalRodent stole about $12m in cryptocurrency and infected more than 2,000 Web3<\/a> developers\u2019 machines to steal credentials and gain access to crypto wallets, said<\/a> Expel cybersecurity specialist Marcus Hutchins.<\/p>\n
The campaign relied on \u201cvibe coding\u201d \u2014 generating malware and infrastructure via text prompts to AI systems:<\/p>\n
- \n
- using Anima\u2019s AI web-design tools, the hackers built sites for non-existent IT firms;<\/li>\n
- victims were lured with fake job listings and asked to complete a \u201ctest assignment\u201d that contained malware;<\/li>\n
- all code and correspondence in flawless English were generated with ChatGPT and Cursor.<\/li>\n<\/ul>\n
![\"image\"](\"https:\/\/u1f987.com\/wp-content\/uploads\/img-061dc5d03f9c2f6d-2657443949967204.webp\")
Snippet of the hackers\u2019 code. Source: Expel.\u00a0<\/figcaption><\/figure>\n The expert analysed the hackers\u2019 infrastructure, which they inadvertently left exposed. Their prompts and a database of victims\u2019 wallets leaked online. Hutchins noted the code was filled with English comments and emojis \u2014 a clear sign the software was entirely generated by a LLM<\/span>.<\/p>\n
Hutchins argues that in 2026 Pyongyang made a qualitative leap by using AI to automate every stage of its cyberattacks, turning low-skilled operators into a scaled cyberthreat.<\/p>\n
HexagonalRodent\u2019s work is only part of North Korea\u2019s broader strategy to automate crime, corroborated by reports from other technology firms:<\/p>\n
- \n
- Microsoft reported<\/a> that North Korean operators use AI to generate fake documents, research vulnerabilities and conduct social engineering;<\/li>\n
- Anthropic said<\/a> it blocked attempts by DPRK agents to use the Claude model to refine malware.<\/li>\n<\/ul>\n
In comments to WIRED<\/a>, representatives of OpenAI, Cursor and Anima confirmed misuse of their services. They said accounts linked to the hackers had been blocked; the investigation will help prevent similar incidents.<\/p>\n
A former ransomware negotiator turned out to be an accomplice<\/h2>\n
Angelo Martino, formerly a ransomware negotiator at cybersecurity firm DigitalMint, pleaded guilty to aiding cybercriminals, the US Department of Justice<\/a> said.<\/p>\n
Martino admitted he played both sides in five separate incidents. While ostensibly working for victims, he passed confidential information to operators of the ALPHV\/BlackCat malware and supplied details such as insurance coverage limits and victims\u2019 negotiation strategies.<\/p>\n
Investigators found that Martino maximised the payouts to criminals and took a cut.<\/p>\n
The ALPHV\/BlackCat group operated a CaaS<\/a> model, in which the gang builds and maintains file-encrypting software while \u201caffiliates\u201d deploy it in attacks and share profits with the developers.<\/p>\n
In 2023, law enforcement seized the gang\u2019s dark-web site and released a decryptor that helped more than 500 victims restore systems.<\/p>\n
In 2025, other DigitalMint employees \u2014 Kevin Tyler Martin and Ryan Clifford Goldberg \u2014 aided the same criminals. Together with Martino they earned over $1.2m from just one victim.\u00a0<\/p>\n
Martino pleaded guilty to extortion and faces up to 20 years in prison. Authorities seized $10m in assets from him.<\/p>\n
UK intelligence: 100 governments have access to commercial spyware<\/h2>\n
According to British intelligence, more than half of the world\u2019s governments have access to software capable of hacking devices to steal confidential information, Politico<\/a> reports.<\/p>\n
Media say the barrier to obtaining such surveillance technology has fallen. The number of countries potentially possessing these hacking tools has risen to 100, up from 80 known<\/a> in 2023.<\/p>\n
Commercial spyware developed by private firms \u2014 such as Pegasus from NSO Group \u2014 often relies on vulnerabilities in phone and computer software. Governments say these tools are used only on devices of suspects in serious crimes, including terrorism.<\/p>\n
In recent years, the \u201ccircle of victims\u201d has widened from political critics, opponents and journalists to bankers and wealthy businesspeople, according to UK intelligence.<\/p>\n
In the US, ICE<\/span> is actively using the Israeli-made Graphite tool. Acting agency director Todd Lyons confirmed this to NPR<\/a>.<\/p>\n
According to him, law enforcement uses the software to fight foreign terrorist organisations and fentanyl traffickers who rely on encrypted messengers. The tool can access messages on a phone without any need to click links (zero-click).<\/p>\n
An infostealer was planted in Bitwarden\u2019s developer CLI<\/h2>\n
On 22 April 2026, the official npm<\/span> package of the Bitwarden command-line interface (CLI), version 2026.4.0, was compromised. The repository contained a build with malicious code to steal developers\u2019 credentials.<\/p>\n
Several security firms analysed the supply-chain compromise and assessed the incident:<\/p>\n
- \n
- JFrog<\/a> experts found the package used a custom loader, bw_setup.js, to stealthily execute a spying script. The malware collected npm and GitHub tokens, SSH keys, and credentials for AWS<\/span>, Azure and Google Cloud;<\/li>\n
- OX Security<\/a> discovered that the encrypted stolen data were exfiltrated by automatically creating public repositories on the victim\u2019s GitHub account. The repos were tagged \u201cShai-Hulud: The Third Coming,\u201d and the malware could self-propagate;<\/li>\n
- Socket<\/a> confirmed the malware targeted CI\/CD<\/span> infrastructure. It also found technical links to the recent supply-chain compromise at Checkmarx<\/a>.<\/li>\n<\/ul>\n
The attack is attributed to the TeamPCP group, previously behind large campaigns against developers of Trivy and LiteLLM<\/a>. Experts strongly urged developers to rotate all keys and tokens immediately if they interacted with the affected CLI.<\/p>\n
Bitwarden removed the tainted version just 90 minutes after the attack began and confirmed<\/a> that user vaults and passwords remained safe.<\/p>\n
Apple fixed a bug that let the FBI read deleted Signal notifications<\/h2>\n
Apple released<\/a> a patch and a security advisory after the FBI gained access<\/a> to Signal message notification content via iOS even after the app had been deleted.<\/p>\n
\n
We are very happy that today Apple issued a patch and a security advisory. This comes following @404mediaco<\/a> reporting that the FBI accessed Signal message notification content via iOS despite the app being deleted. <\/p>\n
Apple\u2019s advisory confirmed that the bugs that allowed this to\u2026<\/p>\n
\u2014 Signal (@signalapp) April 22, 2026<\/a><\/p><\/blockquote>\n
- OX Security<\/a> discovered that the encrypted stolen data were exfiltrated by automatically creating public repositories on the victim\u2019s GitHub account. The repos were tagged \u201cShai-Hulud: The Third Coming,\u201d and the malware could self-propagate;<\/li>\n
- Anthropic said<\/a> it blocked attempts by DPRK agents to use the Claude model to refine malware.<\/li>\n<\/ul>\n
- Microsoft reported<\/a> that North Korean operators use AI to generate fake documents, research vulnerabilities and conduct social engineering;<\/li>\n