{"id":31402,"date":"2025-12-08T18:34:50","date_gmt":"2025-12-08T18:34:50","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=31402"},"modified":"2025-12-08T18:34:50","modified_gmt":"2025-12-08T18:34:50","slug":"the-hunter-becomes-the-hunted-north-korean-hacker-infected-by-lummac2-exposing-bybit-heist-secrets","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/the-hunter-becomes-the-hunted-north-korean-hacker-infected-by-lummac2-exposing-bybit-heist-secrets\/","title":{"rendered":"The Hunter Becomes the Hunted: North Korean Hacker Infected by LummaC2, Exposing Bybit Heist Secrets"},"content":{"rendered":"

In a twist of irony that cybersecurity researchers dream about, a North Korean state-sponsored hacker has been infected by the very thing they usually deploy: commodity malware. A high-end machine belonging to a malware developer was compromised by the LummaC2 infostealer<\/strong>, leaking gigabytes of internal data and revealing direct links to the massive $1.4 billion Bybit crypto exchange heist.<\/p>\n

It seems that even elite state-backed operatives aren’t immune to clicking the wrong link.<\/p>\n

The discovery comes from cybercrime intelligence firm Hudson Rock<\/strong> (as reported by HackRead<\/a>), who stumbled upon a LummaC2 log that looked… different. Instead of the usual stolen Netflix passwords and crypto wallets from random victims, this log contained the digital footprint of a professional malware development rig.<\/p>\n

The infected machine wasn’t your average laptop. It was a powerhouse running a 12th Gen Intel Core i7 with 16GB of RAM, loaded with tools of the trade: Visual Studio Professional 2019, Enigma Protector (for packing malware), and a suite of communication apps like Slack, Telegram, and BeeBEEP.<\/p>\n

The most explosive find in the stolen logs was a direct connection to the Bybit crypto heist from February 2025, where attackers drained $1.4 billion. The infected machine contained credentials for an email address that had been flagged by threat intelligence firm Silent Push. This reminds us of the recent Cryptomixer takedown<\/a>, where law enforcement seized infrastructure used to launder such stolen funds.<\/p>\n

This specific email was used to register bybit-assessment.com<\/code> just hours before the heist began. This domain played a crucial role in the attack infrastructure, impersonating the exchange to facilitate the theft.<\/p>\n

While the owner of this machine might not have pressed the “steal” button themselves, they were clearly part of the supply chain\u2014building tools, setting up phishing domains, or managing infrastructure for the operation.<\/p>\n

The logs offer a rare glimpse into the daily operations of North Korean cyber units (likely Lazarus Group<\/strong> or a sub-group):<\/p>\n