We’ve compiled the most significant cybersecurity news from the past week.

  • North Korean hackers stole $12 million in cryptocurrency over three months using AI tools.
  • A former ransomware negotiator turned out to be an accomplice.
  • British intelligence: 100 governments worldwide have access to commercial spyware.
  • An info stealer was integrated into the Bitwarden password manager for developers.

North Korean Hackers Stole $12 Million in Cryptocurrency Using AI Tools

Over three months, the North Korean hacker group HexagonalRodent stole approximately $12 million in cryptocurrency and infected over 2,000 computers belonging to Web3 developers to steal credentials and gain access to crypto wallets. This was reported by cybersecurity expert Marcus Hutchins from Expel.

The attack relied on a method called vibe coding, which involves generating malware and infrastructure through text prompts to AI models:

  • Using AI web design tools from Anima, hackers created websites for fictitious IT companies;
  • Victims were lured in by fake job postings and asked to complete a "test task" that contained malware;
  • All code and correspondence were generated in flawless English using ChatGPT and Cursor.

A fragment of the hacker's code. Source: Expel. 

The expert analyzed the hackers' infrastructure, which they carelessly left exposed. Their prompts and a database of victim wallets leaked online. Hutchins noted that the code was filled with English-language comments and emojis, a clear indication that the software was generated entirely by an LLM.

According to Hutchins, by 2026, Pyongyang made a significant leap by using AI to automate every stage of cyberattacks, transforming low-skilled operators into a large-scale cyber threat.

HexagonalRodent's activities are just part of North Korea's global strategy to automate crimes, as confirmed by reports from other tech giants:

  • Microsoft reported that North Korean operators use AI to generate fake documents, study vulnerabilities, and conduct social engineering;
  • Anthropic stated that it thwarted attempts by North Korean agents to use the Claude model to refine malware.

In comments to WIRED, representatives from OpenAI, Cursor, and Anima confirmed the misuse of their services. They stated that accounts associated with the hackers have been blocked, and the investigation will help understand how to prevent similar incidents.

Former Ransomware Negotiator Turns Out to Be an Accomplice

Angelo Martino, a former ransomware negotiator at the cybersecurity firm DigitalMint, pleaded guilty to aiding cybercriminals. This was reported by the U.S. Department of Justice.

Martino admitted to playing "both sides" in five different incidents. While formally working for the victims, he passed confidential information to the ALPHV/BlackCat ransomware operators and provided hackers with data such as victims' insurance policy limits and negotiation strategies.

The investigation revealed that Martino maximized payouts for criminals, from which he took a cut.

The ALPHV/BlackCat group operated under a CaaS model, where the gang creates and maintains file-encryption software, while "partners" use it in attacks and pay developers a share of the profits.

In 2023, law enforcement seized the hackers' website on the dark web and released a decryption program that helped over 500 victims restore their systems.

In 2025, other DigitalMint employees—Kevin Tyler Martin and Ryan Clifford Goldberg—assisted the same group of criminals. Together with Martino, they earned over $1.2 million from just one of the victims. 

Martino pleaded guilty to extortion and faces up to 20 years in prison. Authorities seized assets worth $10 million from him.

British Intelligence: 100 Governments Worldwide Have Access to Commercial Spyware

According to British intelligence, more than half of the world's governments have access to software capable of hacking devices to steal confidential information. This was reported by Politico.

Media reports indicate that the barrier to acquiring such surveillance technology has lowered. The number of countries potentially possessing such hacking tools has now reached 100, up from the 80 known in 2023.

Commercial spyware, developed by private companies (for example, Pegasus from NSO Group), often relies on exploiting vulnerabilities in phone and computer software. Governments claim these tools are used only on the devices of people suspected of serious crimes, including terrorism.

According to British intelligence, in recent years, the "circle of victims" has expanded from political critics, opponents, and journalists to bankers and wealthy businesspeople.

In the U.S., ICE actively uses Israeli software Graphite. Acting agency director Todd Lyons confirmed this information to NPR.

He stated that law enforcement uses the software to combat foreign terrorist organizations and fentanyl traffickers who communicate via encrypted messengers. The software can access messages on the phone without the target needing to click on any link (zero-click).

Info Stealer Integrated into Bitwarden Password Manager for Developers

On April 22, 2026, the official npm package for the command-line interface (CLI) of the Bitwarden password manager was compromised: version 2026.4.0 was published with malicious code designed to steal developers' credentials.

Several security companies analyzed the infection chain and assessed the incident:

  • Experts from JFrog found that the package used a custom loader, bw_setup.js, to stealthily launch a spy script. The malware collected npm and GitHub tokens, SSH keys, and access credentials for AWS, Azure, and Google Cloud;
  • OX Security discovered that the encrypted stolen data was exfiltrated by automatically creating public repositories on the victim's GitHub account. The repositories were labeled with the phrase Shai-Hulud: The Third Coming, and the malware could self-propagate;
  • Socket confirmed that the malware targeted CI/CD infrastructure. They also established a technical link between this incident and the recent supply chain compromise of Checkmarx.

The attack is attributed to the hacker group TeamPCP, which has previously conducted large-scale campaigns against developers of projects like Trivy and LiteLLM. Experts strongly advised developers to immediately change all keys and tokens if they interacted with the affected CLI.

Bitwarden promptly removed the infected version just an hour and a half after the attack began and confirmed the safety of user vaults and passwords.
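A defender checking whether a project was exposed can start from the indicators the reports above name: the compromised release, the loader file, and the marker phrase on the exfiltration repositories. The following script is an added example and is not code from Bitwarden, JFrog, OX Security, or Socket; the npm package name @bitwarden/cli is assumed (the digest names only "the official npm package for the CLI"), and the lockfile and repository listing are constructed sample data.

```python
import json
from pathlib import Path

# Indicators taken from the reports summarized above. The package name is an
# assumption; the version, loader filename, and marker phrase are from the page.
COMPROMISED_PACKAGE = "@bitwarden/cli"   # assumed npm name of the Bitwarden CLI
COMPROMISED_VERSION = "2026.4.0"
LOADER_FILENAME = "bw_setup.js"
EXFIL_MARKER = "Shai-Hulud: The Third Coming"


def find_compromised_lock_entries(lock: dict) -> list[str]:
    """Return node_modules paths in a package-lock.json (lockfileVersion 2 or 3)
    that pin the compromised CLI release, including nested copies."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # Aliased installs carry an explicit "name"; otherwise derive it from the path.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name == COMPROMISED_PACKAGE and meta.get("version") == COMPROMISED_VERSION:
            hits.append(path or "(root)")
    return hits


def find_loader_files(root: Path) -> list[Path]:
    """Locate any copy of the loader file under an installed node_modules tree."""
    return sorted(root.rglob(LOADER_FILENAME))


def find_exfil_repos(repos: list[dict]) -> list[str]:
    """Flag repositories (e.g. entries from a GitHub repo listing) whose name or
    description carries the marker phrase used for the exfiltration repos."""
    return [
        r["name"] for r in repos
        if EXFIL_MARKER in r.get("name", "") or EXFIL_MARKER in (r.get("description") or "")
    ]


# Constructed sample inputs, not real project or account data.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "my-app", "version": "1.0.0"},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}""")
SAMPLE_REPOS = [
    {"name": "my-app", "description": "internal tooling"},
    {"name": "a1b2c3", "description": "Shai-Hulud: The Third Coming"},
]

if __name__ == "__main__":
    print(find_compromised_lock_entries(SAMPLE_LOCK), find_exfil_repos(SAMPLE_REPOS))
```

Any hit means the credentials listed above (npm and GitHub tokens, SSH keys, cloud access keys) on that machine and in its CI runners should be rotated, as the experts advised.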

Apple Fixes Bug That Allowed FBI to Read Deleted Signal Messages

Apple released a fix and security recommendations after the FBI gained access to the content of Signal messenger notifications via iOS, even though the app had been deleted.

We are very happy that today Apple issued a patch and a security advisory. This comes following @404mediaco reporting that the FBI accessed Signal message notification content via iOS despite the app being deleted.

Apple’s advisory confirmed that the bugs that allowed this to…

— Signal (@signalapp) April 22, 2026

Signal stated that after installing the update, all inadvertently saved notifications will be deleted, and new ones will not be saved.

Police in Kyiv Arrest Debt Collectors Extorting Cryptocurrency Using Bot Farms

In Kyiv, law enforcement arrested fraudsters who used the Bitcapital and Crypsee platforms to provide loans in cryptocurrency. Debtors and their relatives were subjected to harassment using generated offensive content and a bot farm with 6,000 SIM cards, reported the Cyber Police of Ukraine.

According to the investigation, group members organized a call center in Dnipro, operating since 2023 under the guise of companies registered in the UK and Cyprus.

Operators called debtors and, using fake data and voice-changing software, demanded repayment. If clients paid off their loans on time, the fraudsters fabricated non-existent debts. Subsequently, they extorted money through blackmail and threats.

The bot farm was used to generate and distribute humiliating content using data and photos of victims, their relatives, and colleagues, as well as for systematic threatening phone calls.

At the same time, a separate team of two to six individuals could be "working" on a single victim, employing approaches tailored to that victim's individual vulnerabilities. If successful, each received a percentage of the amount the victim transferred.

Police conducted 44 searches in the Dnipropetrovsk region and Kyiv. They seized over 80 mobile phones, computer equipment, cash, documents, seals, and bot farm equipment.

Preliminary estimates indicate that the total damage exceeded 5 million hryvnias (about $113,000 at the time of writing). The suspects face up to 12 years in prison.

Also on ForkLog:

  • Tether blocked USDT worth $344 million at the request of the U.S.
  • In the UK, raids took place to combat illegal P2P cryptocurrency trading.
  • Cybersecurity experts warned of a new wave of attacks from North Korean hackers.
  • Bloomberg reported on unauthorized access to the AI model Mythos.
  • Hackers attacked Volo and withdrew $3.5 million from WBTC and USDC pools.
  • Journalists learned of a new scheme extorting bitcoin for passage through the Strait of Hormuz.
  • Arbitrum froze 30,000 ETH as part of the investigation into the Kelp hack.
  • Eth.limo regained control over its domain after the easyDNS hack.
  • The Kelp protocol lost $293 million following an attack on its cross-chain bridge.

What to Read This Weekend?

For a long time, the use of cyber weapons for espionage was considered the prerogative of a narrow circle of intelligence agencies. However, a U.S. investigation into Operation Zero revealed the scale of the trade in zero-day vulnerabilities.

Read about shadow markets of states and the cost of hacks in ForkLog's new article.