In a twist of irony that cybersecurity researchers dream about, a North Korean state-sponsored hacker has been infected by the very thing they usually deploy: commodity malware. A high-end machine belonging to a malware developer was compromised by the LummaC2 infostealer, leaking gigabytes of internal data and revealing direct links to the massive $1.4 billion Bybit crypto exchange heist.
It seems that even elite state-backed operatives aren’t immune to clicking the wrong link.
The discovery comes from cybercrime intelligence firm Hudson Rock (as reported by HackRead), who stumbled upon a LummaC2 log that looked… different. Instead of the usual stolen Netflix passwords and crypto wallets from random victims, this log contained the digital footprint of a professional malware development rig.
The infected machine wasn’t your average laptop. It was a powerhouse running a 12th Gen Intel Core i7 with 16GB of RAM, loaded with tools of the trade: Visual Studio Professional 2019, Enigma Protector (for packing malware), and a suite of communication apps like Slack, Telegram, and BeeBEEP.
The most explosive find in the stolen logs was a direct connection to the Bybit crypto heist from February 2025, where attackers drained $1.4 billion. The infected machine contained credentials for an email address that had been flagged by threat intelligence firm Silent Push. This reminds us of the recent Cryptomixer takedown, where law enforcement seized infrastructure used to launder such stolen funds.
This specific email was used to register bybit-assessment.com just hours before the heist began. This domain played a crucial role in the attack infrastructure, impersonating the exchange to facilitate the theft.
While the owner of this machine might not have pressed the “steal” button themselves, they were clearly part of the supply chain—building tools, setting up phishing domains, or managing infrastructure for the operation.
The logs offer a rare glimpse into the daily operations of North Korean cyber units (likely Lazarus Group or a sub-group):
- VPN Usage: The operator used Astrill VPN to route traffic through the US, a common tactic to mask their location.
- Language Slip-ups: Despite browser settings defaulting to Simplified Chinese (a common disguise), the translation history revealed direct queries in Korean.
- Phishing Prep: The machine showed evidence of setting up other campaigns, including domains like zoom.callapp.us, likely used to distribute fake Zoom installers infected with malware.
LummaC2: The Equal Opportunity Infostealer
It’s almost poetic that a sophisticated state actor was compromised by LummaC2, a “malware-as-a-service” infostealer available to anyone with a few hundred dollars. LummaC2 doesn’t care if you’re a grandmother in Ohio or a hacker in Pyongyang; if you run the file, it steals your data.
This incident highlights a critical reality: OpSec is hard, even for the pros. One mistake, one infected download, and a secret state operation is laid bare for security researchers to dissect.
For the rest of us, it’s a reminder that no one is invulnerable. If a North Korean malware developer can get infected by an infostealer, so can you. But unlike them, you probably don’t have a $1.4 billion heist to hide.