Bitwarden CLI Compromised, North Korean Hackers Steal $12M via AI, and Crypto Extortionists Busted in Kyiv
A weekly roundup of major cybersecurity events: North Korean hackers leverage AI to steal cryptocurrency, the Bitwarden CLI npm package is compromised with an infostealer, and Ukrainian police bust a crypto extortion ring.
Several major cybersecurity incidents emerged this past week — from a North Korean hacking group leveraging AI to steal millions in cryptocurrency, to a compromised password manager and a crypto extortion ring dismantled in Ukraine.
HexagonalRodent Steals $12M in Crypto Using AI-Powered Attacks
North Korean hacking group HexagonalRodent stole approximately $12 million in cryptocurrency and infected over 2,000 computers belonging to Web3 developers over the course of three months. The goal was to harvest credentials and gain access to crypto wallets, according to Expel cybersecurity specialist Marcus Hutchins.
The attacks relied heavily on vibe-coding — generating malicious software and infrastructure through text prompts to neural networks. Using Anima's AI web design tools, the hackers built websites for fictitious IT companies. Victims were lured with fake job postings and asked to complete "test assignments" that contained malware. All of the code, and all of the communications with victims in flawless English, were generated through ChatGPT and Cursor.

Hutchins analyzed infrastructure that the hackers inadvertently left exposed, revealing their prompts and a database of victim wallets. The code was filled with English comments and emojis — a clear indicator of full LLM generation.
According to Hutchins, in 2026 Pyongyang made a qualitative leap by using AI to automate every stage of cyberattacks, turning low-skilled operators into a large-scale threat. This assessment is backed by reports from major tech companies: Microsoft documented North Korean operators using AI to forge documents and conduct social engineering, while Anthropic reported blocking DPRK agents from using Claude to refine viruses. Representatives from OpenAI, Cursor, and Anima confirmed the abuse and blocked associated accounts.
Ransomware Negotiator Exposed as Criminal Accomplice
Angelo Martino, a former ransomware negotiator at cybersecurity firm DigitalMint, pleaded guilty to aiding cybercriminals. The U.S. Department of Justice revealed that Martino was playing both sides in at least five separate incidents — while ostensibly representing victims, he was feeding confidential information to ALPHV/BlackCat ransomware operators, including insurance policy limits and negotiation strategies.
Investigators determined that Martino deliberately maximized ransom payments and took a cut of the proceeds. In 2025, two other DigitalMint employees — Kevin Tyler Martin and Ryan Clifford Goldberg — assisted the same criminal group. Together with Martino, they earned more than $1.2 million from a single victim alone. Martino faces up to 20 years in prison, and authorities seized $10 million in assets.
Why This Matters
These incidents highlight several alarming trends in cybersecurity. The use of AI by North Korean hackers dramatically lowers the barrier to entry for sophisticated cyberattacks. Supply chain compromises targeting developer tools like password managers and npm packages threaten the entire software ecosystem. And the Martino case underscores the risk of insider threats even within the cybersecurity industry itself.
100 Governments Now Have Access to Commercial Spyware
British intelligence estimates that over half the world's governments — roughly 100 countries — now have access to commercial software capable of hacking devices to steal confidential information, according to Politico. This marks a significant increase from the 80 countries identified in 2023, with the barrier to acquiring such surveillance technology continuing to drop.
Commercial spyware like NSO Group's Pegasus exploits vulnerabilities in phone and computer software. While governments maintain these tools target only suspects in serious crimes including terrorism, British intelligence notes that the actual victim pool has expanded beyond political dissidents and journalists to include bankers and wealthy business figures.
In the United States, ICE actively deploys the Israeli-made Graphite software. Acting agency director Todd Lyons confirmed to NPR that law enforcement uses the tool against foreign terrorist organizations and fentanyl traffickers who communicate through encrypted messengers. Graphite enables zero-click access to phone data without requiring any user interaction.
Infostealer Injected into Bitwarden CLI Package
On April 22, 2026, the official npm package for the Bitwarden password manager's command-line interface (CLI), version 2026.4.0, was compromised. The version published to the npm registry contained malicious code designed to steal developer credentials.
Multiple security firms analyzed the incident. JFrog researchers found the package used a custom loader called bw_setup.js to silently execute a spy script that harvested npm and GitHub tokens, SSH keys, and credentials for AWS, Azure, and Google Cloud. OX Security discovered that encrypted stolen data was exfiltrated by automatically creating public repositories on the victim's GitHub account, tagged with the string "Shai-Hulud: The Third Coming." Socket confirmed the malware targeted CI/CD infrastructure and identified technical links to a recent supply chain compromise at Checkmarx.
The attack is attributed to the TeamPCP group, previously known for campaigns against developers of the Trivy and LiteLLM projects. Bitwarden removed the compromised version within ninety minutes and confirmed that user vaults and passwords remained secure.
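Because the compromised release was live for roughly ninety minutes, the practical question for a team is whether any build or developer machine pulled it during that window. The following is an added example, not code from the roundup or from Bitwarden, JFrog, OX Security or Socket: a small triage script that checks the three indicators the analyses above describe against constructed sample data (a lockfile, a file listing under `node_modules`, and GitHub repository metadata). The npm package name `@bitwarden/cli` is an assumption, since the article only says "the Bitwarden CLI"; the lockfile layout follows npm's lockfileVersion 2/3 `packages` map. In a real run you would read `package-lock.json` from disk, walk `node_modules`, and pull the organization's repository list from the GitHub API.

```python
import json
from typing import Iterable

# Indicators from the incident write-ups quoted in the roundup.
COMPROMISED_PACKAGE = "@bitwarden/cli"   # assumed npm name; the article says only "Bitwarden CLI"
COMPROMISED_VERSION = "2026.4.0"          # affected release named in the article
LOADER_FILENAME = "bw_setup.js"           # custom loader identified by JFrog
EXFIL_MARKER = "Shai-Hulud: The Third Coming"  # tag on attacker-created public repos (OX Security)


def find_compromised_packages(lockfile_text: str) -> list[str]:
    """Return lockfile entries that resolve to the compromised package release.

    Handles the lockfileVersion 2/3 "packages" map, whose keys are node_modules
    paths (the root project is the empty key and is skipped by the name match).
    """
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # Scoped packages keep their "@scope/name" after the last node_modules/.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name == COMPROMISED_PACKAGE and meta.get("version") == COMPROMISED_VERSION:
            hits.append(path)
    return hits


def find_loader_files(file_listing: Iterable[str]) -> list[str]:
    """Flag any file named like the loader, wherever it sits under node_modules."""
    return [p for p in file_listing
            if p.replace("\\", "/").rsplit("/", 1)[-1] == LOADER_FILENAME]


def find_exfil_repos(repos: Iterable[dict]) -> list[str]:
    """Return names of repositories whose metadata carries the exfiltration marker.

    Each repo is a dict with optional "description", "readme" and "topics" keys,
    mirroring the fields a GitHub API listing would give you.
    """
    flagged = []
    for repo in repos:
        haystack = " ".join([repo.get("description") or "",
                             repo.get("readme") or "",
                             *repo.get("topics", [])])
        if EXFIL_MARKER.lower() in haystack.lower():
            flagged.append(repo["name"])
    return flagged


def run_checks(lockfile_text: str, file_listing: Iterable[str], repos: Iterable[dict]) -> dict:
    """Combine the three indicators into one report; any hit means credentials
    (npm/GitHub tokens, SSH keys, AWS/Azure/GCP credentials) should be rotated."""
    report = {
        "lockfile_hits": find_compromised_packages(lockfile_text),
        "loader_files": find_loader_files(file_listing),
        "exfil_repos": find_exfil_repos(repos),
    }
    report["compromised"] = any(report[k] for k in ("lockfile_hits", "loader_files", "exfil_repos"))
    return report


# Constructed sample inputs (not real artifacts) so the script runs offline.
SAMPLE_LOCKFILE = json.dumps({
    "name": "ci-tooling", "lockfileVersion": 3,
    "packages": {
        "": {"name": "ci-tooling", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_FILES = [
    "node_modules/@bitwarden/cli/package.json",
    "node_modules/@bitwarden/cli/bw_setup.js",
    "node_modules/left-pad/index.js",
]
SAMPLE_REPOS = [
    {"name": "dotfiles", "description": "my dotfiles", "topics": ["shell"]},
    {"name": "a1b2c3d4", "description": "Shai-Hulud: The Third Coming", "topics": []},
]

if __name__ == "__main__":
    for key, value in run_checks(SAMPLE_LOCKFILE, SAMPLE_FILES, SAMPLE_REPOS).items():
        print(f"{key}: {value}")
```

The repository check is the one worth wiring into a scheduled job: a lockfile can be cleaned by a later `npm install`, but an exfiltration repository the malware created stays visible in the organization's account until someone notices it.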
Apple Patches Bug That Let FBI Read Deleted Signal Messages
Apple released a security patch after the FBI managed to access Signal messenger notification content through iOS — even after the application had been deleted from the device.
"We are very happy that today Apple issued a patch and a security advisory. This comes following @404mediaco reporting that the FBI accessed Signal message notification content via iOS despite the app being deleted. Apple's advisory confirmed that the bugs that allowed this to…" — Signal (@signalapp), original post
Signal stated that after installing the update, all unintentionally stored notifications would be deleted and no new ones would be retained.
Crypto Extortion Gang Busted in Kyiv
Ukrainian law enforcement in Kyiv arrested a group of fraudsters who used the platforms Bitcapital and Crypsee to issue cryptocurrency loans, then extorted borrowers and their families. The operation employed a bot farm with 6,000 SIM cards and AI-generated abusive content to harass victims, according to the Cyber Police of Ukraine.

The suspects had operated a call center in Dnipro since 2023, using shell companies registered in the United Kingdom and Cyprus as cover. Operators used fake identities and voice-changing software to demand repayment. Even when borrowers repaid on time, the group fabricated non-existent debts and resorted to blackmail and threats. Each victim could be targeted simultaneously by a dedicated team of two to six people who adapted their approach to the individual's vulnerabilities.
Police conducted 44 searches across Dnipropetrovsk region and Kyiv, seizing over 80 mobile phones, computer equipment, cash, and bot farm infrastructure. Estimated damages exceed 5 million hryvnias (approximately $113,000). The suspects face up to 12 years in prison.
Frequently Asked Questions
How did North Korean hackers use AI to steal cryptocurrency?
The HexagonalRodent group used ChatGPT, Cursor, and Anima's AI tools to generate malicious code, create fake IT company websites, and conduct flawless English communications. Victims were lured through fake job postings with malware-laden test assignments, resulting in $12 million stolen over three months.
Was the Bitwarden password manager hacked in 2026?
On April 22, 2026, the official npm package for Bitwarden's CLI version 2026.4.0 was compromised with an infostealer that targeted developer credentials including npm tokens, SSH keys, and cloud access credentials. Bitwarden removed the infected version within 90 minutes and confirmed user vaults were not affected.
What is the ALPHV/BlackCat ransomware and the DigitalMint insider case?
ALPHV/BlackCat operated a Crime-as-a-Service model where affiliates deployed their ransomware for a share of profits. Angelo Martino, a negotiator at cybersecurity firm DigitalMint, pleaded guilty to secretly helping the group by leaking victim information to maximize ransom payments.
How many governments have access to commercial spyware?
According to British intelligence, approximately 100 governments worldwide now have access to commercial spyware capable of hacking devices. This is up from 80 countries in 2023, and the barrier to acquiring such surveillance technology continues to decrease.
How did the FBI read deleted Signal messages on iPhone?
A bug in iOS allowed the FBI to access Signal message notification content even after the app had been deleted from the device. Apple issued a patch to fix the vulnerability, and Signal confirmed that after updating, all unintentionally stored notifications would be removed.