North Korea: APT KONNI orchestrates campaign against blockchain developers with AI-generated malware

The cybercriminal group APT KONNI, linked to North Korea, has launched a sophisticated cyberattack operation specifically targeting blockchain application and cryptocurrency developers. The attack, documented and analyzed by Check Point Research experts in a report dated January 21, 2026, primarily affects technology professionals in Japan, Australia, and India, three strategic markets in the Asia-Pacific region.

Distribution Method: Discord as an Infection Vector

The operation uses the communication platform Discord as an intermediary to host and distribute malicious files. This is a sophisticated supply-chain tactic: a seemingly legitimate channel is used to get developers to download what they believe are legitimate tools or libraries. Once executed, these files deploy malicious payloads onto the compromised system.

Innovative Feature: AI-Powered Malware

The most notable aspect of this campaign is the use of generative AI to create a PowerShell backdoor. Artificial intelligence was used to produce obfuscated and adaptive code that evades traditional detection systems. NS3.AI identified the unique patterns of this automated generation, enabling attribution of the activity to North Korean cyber espionage operations.

Implications for the Blockchain Industry

This campaign reinforces the trend of North Korean actors specifically targeting the cryptocurrency ecosystem. Blockchain developers are high-value targets due to their access to sensitive infrastructure, private keys, and smart contracts. The sophistication of the attack underscores how state adversaries are adopting emerging technologies like AI to enhance their offensive capabilities.

Check Point Research continues to monitor the evolution of this group’s tactics and recommends that developers in the region implement robust defensive measures and thoroughly verify the origin of any downloaded tools.
