A North Korean state-sponsored threat actor was inadvertently infected by the same type of malware typically used against other targets, offering a rare glimpse into their operational methods and direct connections to one of the largest cryptocurrency thefts on record. For once, the tables turned on the attackers, with the infection discovered by cybercrime intelligence firm Hudson Rock during analysis of a LummaC2 infostealer log. This unusual incident provided critical insights into the workings of North Korea's cyber apparatus, with further coverage provided by HackRead.

The compromised machine belonged to a malware developer within North Korea's state-linked cyber operations. Hudson Rock and threat intelligence company Silent Push linked this machine to the infrastructure supporting the $1.4 billion Bybit crypto heist in February 2025, an event long suspected to involve North Korean actors like the Lazarus Group. Credentials found on the device, including an email address used to register a domain impersonating Bybit just before the theft, revealed how different components of state-sponsored operations share resources.

The infected system was a high-end development rig equipped with tools like Visual Studio Professional 2019 and Enigma Protector, used for creating malware and managing infrastructure. Browser history indicated the use of Astrill VPN and Simplified Chinese settings, with Korean language queries, suggesting a North Korean operator. Communication tools like Slack and Telegram, along with evidence of stolen data uploads to Dropbox, were also present. The system also showed preparations for phishing attacks, including fake Zoom installers and domains designed to trick users into downloading malicious software.

This incident highlights the interconnectedness of state-sponsored cyber operations, where development, infrastructure and communication tools are shared across different elements of an attack. While mistakes of this magnitude are rare at this level, they offer invaluable insights for security researchers into the tactics, techniques, and procedures of sophisticated threat actors. The exposure of such operational details underscores the persistent threat posed by nation-state actors in the cryptocurrency space and the ongoing need for robust cybersecurity measures and international cooperation to combat these sophisticated criminal enterprises.

Source: HackRead
North Korean hacker infected by malware, exposing ties to $1.4 billion Bybit heist
Malware, Security Operations, Threat Intelligence