North Korean Hacker Infected With Lumma Stealer Exposes Bybit Crypto Hack Infrastructure

CyberSecureFox 🦊

A rare operational mistake by a North Korean threat actor has given researchers an unusual look inside a hostile cyber operation. According to threat intelligence firm Hudson Rock, the Lumma Stealer malware, typically used by cybercriminals to exfiltrate victims’ data, this time infected the workstation of a North Korean hacker allegedly involved in the $1.4 billion Bybit crypto exchange hack.

How Lumma Stealer Exposed a North Korean Operator

Lumma Stealer is an information-stealing malware (infostealer) designed to automatically harvest browser passwords, cookies, autofill data, crypto wallets, and other sensitive information from compromised systems. When Hudson Rock analysts obtained logs from a Lumma infection, they discovered that one of the affected endpoints was not a victim but an operator’s own workstation linked to North Korean cyber activity.

Among the stolen data, researchers identified the email address [email protected]. This identifier had previously been highlighted by Silent Push in research tying it to infrastructure used in the Bybit incident. Cross-referencing multiple datasets allowed analysts to conclude that the compromised machine was part of the same criminal ecosystem responsible for the Bybit crypto exchange intrusion.

Linking the Compromised Workstation to the Bybit Crypto Exchange Hack

The key pivot point was the registration of the domain bybit-assessment.com using the compromised email address. The domain was created only hours before the Bybit breach in February 2025 and functioned as part of a phishing infrastructure. It mimicked the legitimate Bybit interface, most likely to steal authentication credentials and deliver malicious payloads under the guise of legitimate exchange activity.

The Bybit hack has been attributed to North Korean operators, likely associated with the Lazarus Group, which has a long history of targeting cryptocurrency platforms. Their typical tradecraft includes chains of lookalike domains, fake login portals, and Trojanized applications posing as official crypto exchange clients or financial tools. Public reporting by firms such as Chainalysis has previously estimated that North Korea-linked actors stole over $1.7 billion in cryptocurrency in 2022, underscoring the strategic priority of such operations for Pyongyang.

Technical Profile of the Hacked North Korean Workstation

Telemetry from the Lumma logs revealed that the infected machine was a fully-fledged development and operations workstation rather than a low-value node. The host featured a 12th Gen Intel Core i7 CPU, 16 GB of RAM, Visual Studio Professional 2019, and Enigma Protector—a commercially available packer often used to obfuscate executables, hinder reverse engineering, and bypass antivirus detection.

Browser history and application data added important geopolitical and linguistic context. Traffic from the host was routed through Astrill VPN, exiting to a U.S.-based IP address, while the browser UI was set to Simplified Chinese and translation history included direct queries in Korean. Folder structures in Dropbox indicated that cloud storage was used as a staging and access point for exfiltrated data.

Analysts note that state-backed APT groups frequently reuse shared infrastructure and tooling—the same workstations for development and operations, recurring VPN services, and recycled accounts and domains. While this improves operational efficiency, it also creates single points of failure: a single successful compromise, such as this Lumma infection, can unravel large portions of the adversary’s ecosystem.

Astrill VPN, Fake Zoom Updates and Social Engineering Infrastructure

The use of Astrill VPN by the compromised operator is consistent with previous reporting on North Korean tradecraft. In November 2025, researcher Mauro Eldritch documented campaigns where DPRK hackers impersonated job candidates applying to Western IT firms while hiding their origin behind the same VPN provider, suggesting a stable toolset preference in their operational model.

The Lumma logs also revealed preparation for broad phishing and social engineering activity. The operators registered callapp.us, callservice.us, and the subdomain zoom.callapp.us. This domain structure aligns with a common tactic: sending targets credible-looking links to “Zoom updates” or “corporate communication apps,” which actually deliver a malicious installer. The local IP address associated with the fake Zoom installer mapped back to the same compromised workstation, tying together the domains, malware delivery pipeline, and the infected operator node.
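The pivoting described above (an email address from stealer logs matched against domain registrations, and a fake-installer build IP matched back to the same host) is a routine correlation task for a threat-intel analyst. The script below is an added illustration written for this page, not tooling from Hudson Rock or Silent Push. All records are constructed: the email and IP values are placeholders (the article does not reproduce the real ones), the domain names are the ones the article names, and the "last two labels" rule for the registrable domain is a simplification that production code would replace with the Public Suffix List.

```python
"""Correlating stealer-log hosts with registered domains and malware-delivery
hostnames via shared identifiers (registrant email, embedded build IP), and
flagging brand-impersonating hostnames such as zoom.<unrelated-domain>.
All sample data below is constructed for this example."""
from collections import defaultdict

# Constructed stealer-log records: what an infostealer exfiltrates per host.
STEALER_LOGS = [
    {"host_id": "HOST-A", "emails": {"operator@example.invalid"},
     "local_ips": {"192.0.2.10"}},
    {"host_id": "HOST-B", "emails": {"someone@example.invalid"},
     "local_ips": {"198.51.100.7"}},
]

# Constructed registration records; registrant email is the pivot key.
DOMAIN_RECORDS = [
    {"domain": "bybit-assessment.com", "registrant_email": "operator@example.invalid"},
    {"domain": "callapp.us", "registrant_email": "operator@example.invalid"},
    {"domain": "callservice.us", "registrant_email": "operator@example.invalid"},
    {"domain": "shop.example", "registrant_email": "someone@example.invalid"},
]

# Constructed delivery record: a fake installer served from a subdomain, with the
# local IP address that the build artefact embedded (the second pivot key).
DELIVERY_RECORDS = [
    {"hostname": "zoom.callapp.us", "artifact": "ZoomUpdate.exe", "build_ip": "192.0.2.10"},
]

BRANDS = {"zoom", "bybit"}           # brand strings worth flagging in hostnames
LEGIT_APEX = {"zoom.us", "bybit.com"}  # assumed legitimate apex domains for those brands


def registrable_domain(hostname: str) -> str:
    """Simplification: treat the last two labels as the registrable domain.
    Real code should consult the Public Suffix List (e.g. co.uk has three)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_brand_impersonation(hostname: str) -> bool:
    """True when a brand name appears in any label of a hostname whose
    registrable domain is not one of that brand's legitimate apex domains."""
    if registrable_domain(hostname) in LEGIT_APEX:
        return False
    labels = hostname.lower().split(".")
    return any(brand in label for label in labels for brand in BRANDS)


def link_hosts_to_infrastructure() -> dict:
    """Pivot from each stealer-log host to (a) domains registered with an email
    found on that host and (b) delivery hostnames whose embedded build IP
    matches the host, or whose registrable domain is already linked."""
    domains_by_email = defaultdict(set)
    for rec in DOMAIN_RECORDS:
        domains_by_email[rec["registrant_email"]].add(rec["domain"])
    hosts_by_ip = defaultdict(set)
    for rec in DELIVERY_RECORDS:
        hosts_by_ip[rec["build_ip"]].add(rec["hostname"])

    links = {}
    for log in STEALER_LOGS:
        domains = set()
        for email in log["emails"]:
            domains |= domains_by_email.get(email, set())
        delivery = set()
        for ip in log["local_ips"]:
            delivery |= hosts_by_ip.get(ip, set())
        for rec in DELIVERY_RECORDS:          # subdomains of already-linked domains
            if registrable_domain(rec["hostname"]) in domains:
                delivery.add(rec["hostname"])
        links[log["host_id"]] = {
            "domains": domains,
            "delivery": delivery,
            "impersonation": {h for h in domains | delivery if is_brand_impersonation(h)},
        }
    return links


if __name__ == "__main__":
    for host, info in link_hosts_to_infrastructure().items():
        print(host)
        for key in ("domains", "delivery", "impersonation"):
            print(f"  {key:14s}: {sorted(info[key])}")
```

Two things make the pivot robust in practice: keying on more than one identifier (here the registrant email and the build IP each independently tie HOST-A to the same cluster), and flagging brand strings that appear only as a subdomain label of an unrelated registrable domain, which is the pattern behind a hostname like zoom.callapp.us.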

Notably, there were no signs in the telemetry that the operator recognized their own system had been compromised. This enabled Hudson Rock to perform an in-depth analysis of the installed software, browser configuration, and stolen data. In addition to the report, the company created a simulated image of the compromised machine and made it available to other researchers for training, malware analysis, and security testing.

State-Sponsored Hackers as an Intelligence Source: Lessons from Kimsuky

This is not the first time North Korean operators have been exposed from the inside. In June 2025, the long-running e-zine Phrack published an investigation titled “APT Down: The North Korea Files”. Hackers using the aliases Saber and cyb0rg detailed their compromise of a member of the Kimsuky espionage group (also tracked as APT43 and Thallium). Examination of that operator’s system revealed the group’s tactics, techniques, and procedures (TTPs) as well as repeated operational security failures within the APT.

For blue teams and threat hunters, such incidents are extremely valuable. They demonstrate that even well-resourced state actors are vulnerable to the same malware, infostealers, and misconfigurations they deploy against their targets. When adversary infrastructure is compromised, it effectively becomes an intelligence sensor, feeding defenders new indicators of compromise (IoCs), behavioral analytics patterns, and correlations across seemingly separate incidents.

The Lumma Stealer case around the Bybit operation illustrates that neglecting basic cyber hygiene and over-centralizing infrastructure is dangerous for any side—victim or attacker. Organizations should strengthen monitoring for anomalous activity, segment critical systems, avoid credential reuse, and enforce multi-factor authentication. Regularly consuming public APT reports and adopting threat-informed defense practices based on frameworks like MITRE ATT&CK allows defenders to tailor controls to real adversary techniques and, ultimately, to turn attackers’ own mistakes into strategic defensive advantages.
