Incident responders uncovered troves of new information on a recent North Korean campaign targeting the cryptocurrency holdings of web developers.

Expel’s Marcus Hutchins published a report on a group he called HexagonalRodent, linking the operation to North Korean state-backed actors tracked as “Famous Chollima.”

Hutchins said the group stole up to $12 million in cryptocurrency in the first three months of 2026 through malware attacks on personal devices. The hackers used an array of malware strains – including BeaverTail, OtterCookie and InvisibleFerret – to extract funds from 26,584 cryptocurrency wallets held on 2,726 infected systems. 

Hutchins said their investigation began in October, when they were looking into a…