Dark Web News Analysis
In a rare turn of events, a North Korean state-sponsored threat actor has been infected by the LummaC2 infostealer, exposing critical details about their operations and confirming ties to the massive $1.4 billion Bybit cryptocurrency heist from February 2025.
The Discovery: Cybercrime intelligence firm Hudson Rock identified the infection while analyzing a LummaC2 log. The compromised machine did not belong to a typical victim but to a malware developer operating within North Korea’s state-linked cyber apparatus.
The Connection: By cross-referencing data with threat intelligence firm Silent Push, researchers linked the infected device directly to the Bybit attack infrastructure:
- Shared Credentials: The device contained the email address trevorgreer9312@gmail.com.
- Malicious Infrastructure: This specific email was used to register bybit-assessment.com just hours before the $1.4B theft. The domain was used to impersonate the exchange and facilitate the attack.
Key Cybersecurity Insights
This incident provides an unprecedented “behind-the-scenes” look at state-sponsored OPSEC failures:
- The Hunter Becomes the Hunted: Even sophisticated state actors are vulnerable to commodity malware. The infection likely occurred when the operator accidentally downloaded a malicious file while researching tools or setting up infrastructure, highlighting a critical lapse in operational security (OPSEC).
- Shared Infrastructure: The data reveals that development rigs, phishing domains, and credential sets are shared across different teams within the state-sponsored operation. The compromised machine acted as a nexus for various attack components, including the Astrill VPN (routing traffic through a US IP) and Enigma Protector (used to pack malware).
- Tooling & Tradecraft: The device was a high-end rig (Intel Core i7, 16GB RAM) loaded with Visual Studio Professional 2019 and BeeBEEP (secure LAN messenger). It also contained evidence of phishing preparations, such as the purchase of domains like zoom.callapp.us to host fake Zoom installers.
- Linguistic Fingerprints: Despite using a US VPN, the browser settings were defaulted to Simplified Chinese, and the translation history showed direct Korean language queries, cementing the attribution to North Korean actors (likely Lazarus Group or a sub-cluster).
Mitigation Strategies
While this news highlights a failure by the attackers, organizations can use the exposed intelligence to harden their defenses:
- Block Known Indicators: Immediately block traffic to domains associated with this campaign, such as callapp.us, callservice.us, and any subdomains impersonating Zoom or Bybit.
- Monitor for Astrill VPN: North Korean actors frequently use Astrill VPN to mask their location. Security teams should flag or block commercial VPN exit nodes attempting to access corporate networks.
- Protect Against Infostealers: This incident proves the effectiveness of infostealers. Ensure all endpoints are protected by EDR solutions capable of detecting LummaC2 and other stealer variants to prevent your own employees from becoming an accidental entry point.
- Verify Software Sources: The actors were preparing fake Zoom installers. Enforce strict software allow-listing policies to prevent employees from installing unverified communication tools.
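One way to apply the first mitigation, as an added example that is not part of the original post: a small Python filter that scans constructed proxy log lines for the campaign domains named above and flags any other hostname that carries the Zoom or Bybit brand outside its legitimate apex domain. The log format, the sample lines, and the legitimate apexes (zoom.us, bybit.com) are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Campaign domains named in the post, and the brands the actors impersonated.
CAMPAIGN_DOMAINS = {"callapp.us", "callservice.us", "bybit-assessment.com"}
IMPERSONATED_BRANDS = ("zoom", "bybit")
# Legitimate apex domains for those brands (assumed here for illustration).
LEGIT_DOMAINS = {"zoom.us", "bybit.com"}

def registered_under(host, apex):
    return host == apex or host.endswith("." + apex)

def classify_host(host):
    """Return a verdict for a hostname seen in DNS or proxy logs."""
    host = host.lower().rstrip(".")
    for apex in CAMPAIGN_DOMAINS:          # exact indicator match wins
        if registered_under(host, apex):
            return "block:campaign-domain"
    if any(registered_under(host, apex) for apex in LEGIT_DOMAINS):
        return "allow"                     # genuine vendor domain
    labels = host.split(".")
    for brand in IMPERSONATED_BRANDS:      # brand name in a label elsewhere
        if any(brand in label for label in labels):
            return "review:brand-impersonation"
    return "allow"

# Constructed sample proxy log lines (not from the article): time, client, method, url.
SAMPLE_LOG = """\
2025-02-21T10:01:05Z 10.0.0.12 GET https://zoom.callapp.us/ZoomInstaller.exe
2025-02-21T10:01:07Z 10.0.0.12 GET https://zoom.us/download
2025-02-21T10:02:11Z 10.0.0.31 GET https://bybit-assessment.com/login
2025-02-21T10:03:40Z 10.0.0.31 GET https://bybit-secure-login.example/verify
2025-02-21T10:04:02Z 10.0.0.44 GET https://www.bybit.com/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def scan_log(text):
    """Return (timestamp, client, host, verdict) for every line not verdicted 'allow'."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines that do not fit the format
        ts, client, _method, url = m.groups()
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host)
        if verdict != "allow":
            hits.append((ts, client, host, verdict))
    return hits
```

Running `scan_log(SAMPLE_LOG)` yields two block verdicts (zoom.callapp.us, bybit-assessment.com) and one review verdict for the brand lookalike, while the genuine zoom.us and bybit.com requests pass.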
Secure Your Business with Brinztech — Global Cybersecurity Solutions Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.