Sansec attributed a set of Magecart-style digital skimming operations against US and European online stores to HIDDEN COBRA based on reused infrastructure and distinctive malware code patterns tied to prior North Korean activity. The actor gained unauthorized access to store code, injected checkout-page skimmers, and exfiltrated payment data to compromised collector sites such as luxmodelagency.com, signedbooksandcollectibles.com, stefanoturco.com, technokain.com, darvishkhan.net, and areac-agr.com. The report describes one campaign using a double-Base64 “clientToken” GET parameter and another using brand-lookalike domains and an “__preloader” image-based exfiltration technique. The activity matters because it extends North Korean cyber operations from banks and cryptocurrency targets into profit-driven card skimming.