Inside Lazarus: How North Korea uses AI to industrialize attacks on developers

2026-04-22 Expel

https://expel.com/blog/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers/


Expel tracks HexagonalRodent as a high-confidence DPRK state-sponsored cluster focused on stealing cryptocurrency and NFTs from Web3 developers. The group lures targets with fake job offers and coding assessments; the assessment projects are backdoored either through VSCode tasks.json tasks configured to run automatically when the folder is opened, or through malicious code in the project itself, and deliver malware families including BeaverTail, OtterCookie, and InvisibleFerret. Expel says the activity is more opportunistic than the exchange intrusions carried out by other DPRK-aligned groups, but it still drained up to $12 million from cryptocurrency wallets over three months. The report also links the group to a compromised VSX extension, OtterCookie infrastructure at 195.201.104[.]53, and observed abuse of generative AI tools such as Cursor and ChatGPT for operational support. The findings matter because DPRK developer-focused social engineering can blend employment fraud, malware delivery, credential theft, and supply-chain access in a single campaign.
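The tasks.json auto-run mechanism described above is something a defender can check for before opening a received project in VSCode. The following added example (not code from Expel or from the report) scans a checkout for .vscode/tasks.json files, tolerates the JSON-with-comments syntax VSCode accepts, and flags any task whose runOptions.runOn is "folderOpen"; the sample tasks.json it scans is constructed for the demo.

```python
"""Flag VSCode tasks that run automatically when a folder is opened."""
import json
import re
import tempfile
from pathlib import Path

# tasks.json is JSONC: keep string literals, drop // and /* */ comments and trailing commas.
_JSONC_NOISE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)

def _strip_jsonc(text: str) -> str:
    return _JSONC_NOISE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def find_folder_open_tasks(repo: Path) -> list[dict]:
    """Return every task under repo whose runOptions.runOn == "folderOpen"."""
    hits = []
    for tasks_file in repo.glob("**/.vscode/tasks.json"):
        try:
            data = json.loads(_strip_jsonc(tasks_file.read_text(encoding="utf-8")))
        except (json.JSONDecodeError, UnicodeDecodeError):
            continue  # unparseable file; a real scanner would log this for manual review
        for task in data.get("tasks", []):
            opts = task.get("runOptions") if isinstance(task, dict) else None
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                hits.append({
                    "file": tasks_file.relative_to(repo).as_posix(),
                    "label": task.get("label", "<unnamed>"),
                    "type": task.get("type"),
                    "command": task.get("command"),
                })
    return hits

# Constructed sample: one ordinary build task and one task that auto-runs on folder open.
SAMPLE_TASKS_JSON = '''{
    // constructed sample tasks.json for the demo
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "npm run build"},
        {"label": "setup", "type": "shell", "command": "node scripts/setup.js",
         "runOptions": {"runOn": "folderOpen"},},
    ],
}'''

def demo() -> list[dict]:
    """Write the constructed sample into a temporary repo and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".vscode").mkdir()
        (repo / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        return find_folder_open_tasks(repo)

if __name__ == "__main__":
    for hit in demo():
        print(f"AUTO-RUN on folder open: {hit['file']} task {hit['label']!r} runs {hit['command']!r}")
```

Run the scanner against a cloned assessment repo before opening it, and treat any hit as a reason to inspect the referenced command in an isolated environment rather than on a developer workstation.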

Indicators of Compromise

Type    Value               First seen   Last seen
DOMAIN  codepointlab.com    2026-04-22   2026-04-22
DOMAIN  aihealthchains.com  2026-04-22   2026-04-22
DOMAIN  c.animaapp.com      2026-04-22   2026-04-22
IPv4    195.201.104.53      2026-02-28   2026-04-22
