North Korean Hackers Maintain Pressure on Crypto Sector with New Infiltration Tactics

TL;DR

  • North Korean hackers shift from infiltration to building fraudulent platforms.
  • Tenexium operated on Bittensor before vanishing with $2.5 million.
  • UNC2970 used Gemini to profile high-value targets for attacks.

North Korean threat actors shifted from infiltrating existing crypto projects to building their own fraudulent platforms, according to research by Elliptic. The approach caused the Tenexium incident on January 1, 2026, marking the first major hack of the year. The project, built within the Bittensor (TAO) network, attracted liquidity as a trading protocol before its website disappeared and $2.5 million in suspicious outflows occurred.

Tenexium followed standard permissionless project development practices within Bittensor’s architecture, making the fraud harder to detect initially. Investigations revealed some team members may be DPRK hackers posing as IT workers. The difference from previous operations: the DPRK IT persona may be the actual founder, not just an infiltrated team member.

Google’s Threat Intelligence Group revealed the North Korea-linked hacking collective UNC2970 employed the company’s Gemini generative AI model to synthesize open-source intelligence and create profiles of high-value targets during campaign planning operations. The activity demonstrates blurred lines between legitimate professional research and malicious reconnaissance efforts, according to a report shared with security researchers.

UNC2970 utilized Gemini to gather information on major cybersecurity and defense companies while mapping specific technical job roles and salary data. The intelligence enables creation of customized phishing personas and helps identify vulnerable entry points for initial system compromise.

UNC2970 shares overlap with groups tracked as Lazarus Group, Diamond Sleet, and Hidden Cobra, gaining notoriety for conducting “Operation Dream Job” — a long-running campaign targeting aerospace, defense, and energy sectors by approaching victims with fraudulent job opportunities to deliver malware.

Google documented several other hacking organizations misusing the AI platform. The unattributed group UNC6418 conducted targeted intelligence collection, specifically searching for sensitive account credentials and email addresses.

Chinese threat actor Temp.HEX, also known as Mustang Panda, compiled detailed dossiers on specific individuals including targets in Pakistan while gathering operational and structural data on separatist organizations across multiple countries.

APT31, tracked as Judgement Panda, automated vulnerability analysis and generated targeted testing plans by masquerading as a security researcher. APT41 extracted explanations from open-source tool documentation and used the platform to troubleshoot and debug exploit code.

BeaverTail Malware Targets MetaMask Through Browser Extension Injection in Contagious Interview Campaign

Cybersecurity researcher Seongsu Park published a report on the Contagious Interview campaign, allegedly orchestrated by North Koreans targeting people in cryptoasset and AI industries. Threat actors spread malware while conducting fake job interviews, using new techniques designed to steal sensitive data and subsequently drain victim funds.

According to Park, while criminals use two primary malware families — BeaverTail and InvisibleFerret — the BeaverTail variant remains one of the most actively deployed malware tools by DPRK-affiliated threat actors stealing funds. The researcher found the tools receive constant updates. By incorporating manipulation of the MetaMask wallet extension, the campaign became more aggressive and effective in stealing cryptoassets.

After initial infection steps, criminals deploy a script designed to manipulate the victim’s MetaMask wallet. The malware specifically targets the MetaMask cryptocurrency wallet extension, modifying browser configuration files to inject attacker-controlled code intercepting the wallet’s keys. While the MetaMask extension contains thousands of code lines, criminals inject a minimal number to lower detection probability.

The trojanized MetaMask wallet allows attackers to capture the master password when the victim unlocks the wallet. After additional steps, attackers obtain seed phrases and use them to drain funds. Taylor Monahan, security expert and researcher at MetaMask, reacted to the analysis stating criminals “will always find new ways to abuse your product and circumvent any controls you have in place.” Monahan emphasized teams must continuously improve products and operations, warning “if you don’t care enough to stop them, they will undermine everything you’re trying to achieve.”
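Because the injection described above adds only a handful of lines to an extension that is thousands of lines long, size- or line-count-based checks miss it; a per-file hash baseline does not. The following is an added defensive example, not code from Park's report or from MetaMask: it snapshots an unpacked extension directory and reports any modified, added, or removed file. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not MetaMask's or the report's code): an integrity baseline
# for an unpacked browser-extension directory. Whole-file hashing flags a
# single injected line, which a size or line-count heuristic would overlook.

def snapshot(ext_dir):
    """Return {relative_path: sha256_hex} for every file under ext_dir."""
    root = Path(ext_dir)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare(baseline, current):
    """Classify drift between two snapshots: modified, added, removed files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: a minimal fake extension, then a one-line change."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "wallet-extension"  # hypothetical extension folder
        (ext / "scripts").mkdir(parents=True)
        (ext / "manifest.json").write_text('{"name": "constructed wallet", "version": "1.0"}\n')
        (ext / "scripts" / "ui.js").write_text("export function unlock(pw) { return verify(pw); }\n")
        baseline = snapshot(ext)  # taken from a known-good install
        # Simulate tampering: append one line to an existing script
        with open(ext / "scripts" / "ui.js", "a") as fh:
            fh.write("// constructed one-line change for the demo\n")
        return compare(baseline, snapshot(ext))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from a freshly installed, known-good copy of the extension and stored outside the browser profile so the malware cannot rewrite it alongside the extension files.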

The evolution from simple infiltration to creating entire fraudulent projects, combined with AI-assisted reconnaissance and increasingly targeted malware, represents a substantial shift in DPRK cyber operations against the crypto sector.
