LummaC2 Infects North Korean Hacker Device Linked to Bybit Heist
A North Korean state-sponsored threat actor's own workstation was infected by LummaC2, the same kind of commodity infostealer that such operators typically aim at their victims. The resulting stealer log exposes rare insight into the group's operations and a direct tie to one of the largest cryptocurrency thefts on record. For once, the tables turned.
According to Hudson Rock’s report, which the company shared with Hackread.com, one of the most telling details came from credentials found on the infected device. Among them was an email address, [email protected], which Silent Push had already flagged in its findings. That same email was used to register bybit-assessment.com, a domain spun up just hours before the Bybit theft.
The forensic data tells its own story. The infected device was a capable development workstation, running a 12th Gen Intel Core i7 processor with 16GB of RAM and loaded with tools such as Visual Studio Professional 2019 and Enigma Protector. Enigma is a commercial protector commonly used to pack executables so they evade antivirus detection. This wasn't someone experimenting in a basement. This was a well-equipped rig used to build malware and manage infrastructure.
Browser history and application data added more layers. The user routed traffic through a US IP address using Astrill VPN, but the browser's language settings defaulted to Simplified Chinese, and the translation history included Korean-language queries. The VPN exit address says little on its own; the locale and translation history are the stronger attribution signals. Slack, Telegram, Dropbox, and BeeBEEP were also found installed on the system, pointing to internal communications and, potentially, to their use as command-and-control or exfiltration channels. Dropbox folder structures, in particular, suggested that stolen data was being uploaded for later retrieval.