According to ChainCatcher, citing Hackread.com, cybersecurity firm Hudson Rock discovered an infected device while analyzing a log of LummaC2 information-stealing malware. The operator is suspected to be a malware developer from a North Korean state-sponsored hacking group.
The device was previously used to build the infrastructure that supported the $1.4 billion theft from the cryptocurrency exchange Bybit in February 2025. Analysis revealed that credentials found on the device were linked to domains registered before the attack to impersonate Bybit. The device itself was high-end, equipped with development tools such as Visual Studio and Enigma Protector, as well as communication and data storage applications like Astrill VPN, Slack, and Telegram. Its activity also indicated that the attackers purchased the domains and prepared fake Zoom installers to carry out phishing attacks. This discovery provides rare insights into the inner workings of asset sharing within North Korean-backed hacking operations.
