LummaC2 Infects North Korean Hacker Device Linked to Bybit Heist

LummaC2 infostealer infects North Korean hacker’s device, exposing ties to $1.4B Bybit heist and revealing tools, infrastructure and OPSEC failures.

HackRead

A North Korean state-sponsored threat actor got infected by the same kind of malware typically used against others, exposing rare insights into their operations and direct ties to one of the largest cryptocurrency thefts on record. For once, the tables turned.

The infection was picked up by Hudson Rock, a cybercrime intelligence firm, during analysis of a LummaC2 infostealer log. What looked like a routine infection turned out to be anything but. The compromised machine belonged to a malware developer operating within North Korea’s state-linked cyber apparatus.

**Links to $1.4 Billion Bybit Crypto Exchange Breach**

Hudson Rock matched the data against earlier findings from threat intelligence company Silent Push. Both investigations pointed to the same thing – the infected machine had been used in the setup that supported the $1.4 billion Bybit crypto heist.

It is worth noting that the Bybit data breach, which targeted the crypto exchange in February 2025, has long been linked to North Korean threat actors, widely believed to be connected to the Lazarus Group.

According to Hudson Rock’s report, which the company shared with Hackread.com, one of the most telling details came from credentials found on the infected device. Among them was an email address, [email protected], which Silent Push had already flagged in its findings.

That same email was used to register bybit-assessment.com, a domain spun up just hours before the Bybit theft. Its role was to impersonate the exchange and support the infrastructure behind the attack.

Though the infected system’s user may not have been directly responsible for the heist itself, the data reveals how different parts of a state-sponsored operation share assets. Development rigs, phishing domains, credential sets, and communications infrastructure all flow through shared hands. This machine happened to be one of them, exposing details typically hidden behind VPNs and fake identities.

**Specs and Tools of the Compromised Device**

The forensic data tells its own story. The infected device was a high-end setup, running a 12th Gen Intel Core i7 processor with 16GB of RAM, loaded with development tools like Visual Studio Professional 2019 and Enigma Protector.

Enigma is commonly used to pack executables to avoid antivirus detection. This wasn’t someone experimenting in a basement. This was a well-equipped rig used to produce malware and manage infrastructure.

Browser history and application data added more layers. The user routed traffic through a US IP using Astrill VPN, but browser settings defaulted to Simplified Chinese, and translation history included direct Korean language queries.

Slack, Telegram, Dropbox, and BeeBEEP were also found installed on the system, all of which point to both internal communications and potential command-and-control use. Dropbox folder structures, in particular, suggested stolen data was being uploaded for later access.

**Astrill VPN and Fake Zoom Installers**

It’s important to note that Hackread.com’s November 2025 article, written by cybersecurity researcher Mauro Eldritch, reported that North Korean threat actors posing as job candidates for Western IT roles also used Astrill VPN to hide their IP addresses.

The system also revealed preparations for phishing. Domains like callapp.us and callservice.us were purchased, along with subdomains such as zoom.callapp.us, used to trick targets into downloading fake software or updates. The fake Zoom installer’s local IP address was also linked back to this same rig.

There’s no indication the threat actor realised they had been compromised. That’s what makes this so unusual. Infostealers like LummaC2 are usually deployed by attackers to grab browser data, credentials, and wallets from everyday users.

In this case, the malware backfired, exposing a piece of the infrastructure behind one of the most coordinated crypto thefts on record. It gives security researchers a rare chance to examine how a state-linked threat actor sets up and runs their operations. Hudson Rock has even built a simulator replicating the compromised machine, allowing others to inspect software, browser activity, and stolen data for themselves.

Screenshot via Hudson Rock

**A First for Infostealers, But Not for Hacker Exposure**

While this may be the first documented case of a North Korean hacker getting hit by an infostealer, it’s not the first time an operator from the country has had their system compromised. In August 2025, a group of hackers published 9GB of stolen data from the computer of an alleged North Korean threat actor.

The leak exposed internal tools, logs, sensitive documents, and files that appeared to belong to someone directly involved in offensive cyber operations. The incident provided an unusual and valuable peek into the daily environment of a threat actor working within North Korea’s cyber units.

Going further back, in July 2020, another rare breach made headlines, but this time involving Iranian hackers. IBM’s X-Force found a 40GB trove of training videos showing how Iranian operators hijacked email accounts in real time.

The videos showed step-by-step walkthroughs of credential theft, account takeovers, and techniques for maintaining access. While it remains unclear if the full footage was ever made public, the existence of the material gave researchers an unusually close view of the attackers’ methods and internal training resources.

Nevertheless, mistakes like this don’t happen often at that level. When they do, they open a window that rarely stays open for long.
