Crypto Scams Alert: North Korean Konni Hackers Use AI Malware to Target Devs
The post Crypto Scams Alert: North Korean Konni Hackers Use AI Malware to Target Devs appeared on BitcoinEthereumNews.com.
Key Insights

- Konni used AI-generated PowerShell malware in their crypto scams to target blockchain developers across APAC.
- The campaign delivers backdoors via Discord ZIP files with PDF lures and malicious shortcuts.
- Researchers say LLM-style comments and structure strongly indicate AI-assisted malware development.

North Korean-linked Konni hackers have launched a campaign using AI-built malware to target blockchain developers and engineers, according to Check Point researchers. The activity adds to ongoing concerns over crypto scams and state-linked cyber operations targeting digital asset infrastructure. The campaign relies on PowerShell-based backdoors and social engineering lures to compromise development environments and reach sensitive crypto-related assets.

Konni, also known as Opal Sleet and tracked as TA406, has operated since at least 2014. Researchers believe the group maintains ties to other North Korean threat clusters, including APT37 and Kimsuky. Historical activity shows that Konni has targeted organizations across South Korea, Russia, Ukraine, and several European countries.

AI-Built Malware Campaign Shows Risks of Crypto Scams Targeting Developers

The attack begins with a Discord link that leads to a ZIP archive containing a decoy PDF and a malicious Windows shortcut (LNK) file. When a victim opens the shortcut, it launches an embedded PowerShell loader. The loader extracts a DOCX file and a cabinet archive that contains a PowerShell backdoor, two batch files, and a user account control (UAC) bypass executable.

Source: X

The shortcut opens the DOCX file and runs one of the batch files included in the archive. The decoy document serves as a lure, suggesting an attempt to compromise development environments. Researchers noted that such access could expose infrastructure details, API credentials, wallet access, and cryptocurrency holdings.

The first batch file creates a staging directory for the backdoor and related components.
The second batch file creates a scheduled task that runs hourly and masquerades as…
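The delivery stage described above (a ZIP carrying a decoy document beside a Windows shortcut that launches PowerShell) is something a gateway or endpoint tool can triage before a user ever double-clicks. The following is an added example written for this article, not code from Check Point or from the campaign; the archive contents, file names and the shortcut-shaped blob are constructed here and do not reproduce a real LNK file.

```python
"""Triage a ZIP the way a chat/mail gateway might: flag a Windows shortcut
(.lnk) shipped beside a decoy document, and look inside the shortcut for
PowerShell invocation strings (real .lnk files store target/arguments as UTF-16LE)."""
import io
import os
import zipfile

LURE_EXT = {".pdf", ".docx", ".doc"}
# Strings worth flagging inside a shortcut body, checked in ASCII and UTF-16LE.
MARKERS = ["powershell", "-enc", "-w hidden", "bypass"]


def lnk_markers(blob: bytes) -> list[str]:
    """Return marker strings found in a shortcut body, in either encoding."""
    low = blob.lower()  # bytes.lower() only touches ASCII letters, so UTF-16LE survives
    return [m for m in MARKERS
            if m.encode("ascii") in low or m.encode("utf-16-le") in low]


def triage_zip(data: bytes) -> dict:
    """Verdict is 'block' when an LNK sits beside a lure document, 'review' for a lone LNK."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        lnks = {i.filename: lnk_markers(zf.read(i))
                for i in members if i.filename.lower().endswith(".lnk")}
    lures = [i.filename for i in members
             if os.path.splitext(i.filename.lower())[1] in LURE_EXT]
    if lnks and lures:
        verdict = "block"
    elif lnks:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "lnk": lnks, "lures": lures}


def build_sample() -> bytes:
    """Constructed sample archive: a decoy PDF plus a shortcut-shaped blob (not a valid LNK)."""
    fake_lnk = b"L\x00\x00\x00" + "PowerShell.exe -w hidden -enc AAAA".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Offer_Details.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Offer_Details.pdf.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample()))
```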
Filed under: News - @ January 26, 2026 10:23 am