In a stunning example of operational security failure, a North Korean cyber operative was unmasked after infecting their own machine with a LummaC2 infostealer—revealing definitive evidence linking them to both the catastrophic Polyfill.io supply chain attack and deep infiltration of a US cryptocurrency exchange.
Key Findings
According to a detailed forensic analysis by Hudson Rock researchers, the DPRK operative made a fatal mistake: downloading a fake software installer that delivered a LummaC2 infostealer sample. The malware exfiltrated over 100 saved credentials (among them ones granting direct Cloudflare admin access), more than 7,000 browsing-history entries, and thousands of Google Translate records that identified the operator's native language as Korean.
Why This Matters
This investigation reattributes one of 2024’s most significant supply chain attacks. While the Polyfill.io compromise—which affected over 100,000 websites—was initially attributed to Chinese threat actors operating through the “Funnull” CDN company, the forensic evidence now conclusively links the operation to North Korean state-sponsored actors embedded within the Chinese syndicate.
The Polyfill.io Connection
The credential dumps extracted by the infostealer contained:
- Direct developer credentials to Funnull’s DNS management portal
- Master credentials for the [email protected] Cloudflare tenant
- Google Translate telemetry capturing real-time discussion of modifying Polyfill domains during the attack
- Internal communications showing Chinese handlers directing the North Korean coder to hide malicious code inside the “GoEdge” CDN build process
Gate.us Infiltration: Inside the Compliance Team
Perhaps the most alarming discovery: the same DPRK operative had successfully infiltrated Gate.us, an American cryptocurrency exchange, under the synthetic persona “Ariel Cruz.” The operative:
- Participated in Google Meet calls with Western compliance vendors (Sumsub) to help define AML/KYC logic
- Intercepted and translated executive communications about biometric data liability
- Exfiltrated internal architecture diagrams showing KYC data routing
- Tested the staging environment using profiles of real FBI fugitives including Bernard Madoff and George Wright
Operational Security Failures
The investigation exposed multiple OPSEC failures:
- “Mental Bridge” workflow: A large volume of Google Translate telemetry showed the operative translating English (from US employers) and Chinese (from Funnull handlers) into Korean in order to understand them
- Timezone slip: After crafting an excuse to miss a US meeting, the operative immediately referenced “8 pm Beijing time” in messages to their handler
- Password recycling: The operative reused a small set of passwords, with each tier reserved for one class of account, so otherwise unrelated accounts could be tied to a single operator
- Stark Industries C2: A separate password prefixed with “nk” (likely “North Korea”) was reserved for access to command-and-control infrastructure on Stark Industries, a Russian bulletproof hosting provider
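The password-recycling and “nk” tier points are exactly the kind of structure an analyst pulls out of a stealer log. As an added illustration (this is not Hudson Rock's tooling, the credential dump is constructed, and the SOFT/URL/USER/PASS block layout is an assumption about the stealer's output format), the script below clusters accounts that share a password or a username and separates out the marker-prefixed tier:

```python
"""Link accounts in an infostealer credential dump through password reuse.

Added example, not Hudson Rock's code. The dump below is constructed and the
SOFT/URL/USER/PASS block layout is an assumed stealer output format.
"""
from collections import defaultdict
import re
from urllib.parse import urlparse

# Constructed sample: five saved logins as a stealer might dump them.
SAMPLE_DUMP = """\
SOFT: Chrome
URL: https://dash.example-cloudflare.test/login
USER: admin@example-cdn.test
PASS: Summer2024!

SOFT: Chrome
URL: https://dns.example-cdn.test/portal
USER: dev01
PASS: Summer2024!

SOFT: Edge
URL: https://mail.example-exchange.test/
USER: ariel.cruz@example-exchange.test
PASS: Summer2024!

SOFT: Chrome
URL: https://panel.example-hoster.test/
USER: nkops
PASS: nk-Hosting#7

SOFT: Chrome
URL: https://translate.example.test/
USER: ariel.cruz@example-exchange.test
PASS: Different1
"""

FIELD_RE = re.compile(r"^(SOFT|URL|USER|PASS):\s*(.*)$")


def parse_dump(text):
    """Return (host, user, password) tuples, one per complete credential block."""
    records, cur = [], {}

    def flush():
        if {"URL", "USER", "PASS"} <= cur.keys():
            host = urlparse(cur["URL"]).hostname or cur["URL"]
            records.append((host, cur["USER"], cur["PASS"]))
        cur.clear()

    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            cur[m.group(1)] = m.group(2)
        elif not line.strip():      # blank line terminates a block
            flush()
    flush()
    return records


def link_accounts(records):
    """Transitively cluster (host, user) accounts that share a password or a
    username. Reuse across unrelated services is what ties them to one operator.
    Returns clusters as sorted lists, largest first."""
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_pw, by_user = defaultdict(list), defaultdict(list)
    for host, user, pw in records:
        acct = (host, user)
        find(acct)                          # register the node
        by_pw[pw].append(acct)
        by_user[user.lower()].append(acct)
    for group in list(by_pw.values()) + list(by_user.values()):
        for other in group[1:]:
            union(group[0], other)
    clusters = defaultdict(set)
    for acct in parent:
        clusters[find(acct)].add(acct)
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)


def tiered_passwords(records, prefix="nk"):
    """Passwords carrying a marker prefix: a tier the operator kept apart for
    one class of infrastructure, which is itself an attribution fingerprint."""
    return sorted({(host, pw) for host, _, pw in records
                   if pw.lower().startswith(prefix)})


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for i, cluster in enumerate(link_accounts(recs), 1):
        print(f"cluster {i}: {cluster}")
    print("marker-prefixed tier:", tiered_passwords(recs))
```

On the constructed dump, the shared password joins the CDN portal, the Cloudflare tenant and the exchange mailbox, and the reused username pulls the translation account into the same cluster; the “nk” login stands alone by password but is exposed by its prefix. In a real log the same two joins (shared secret, shared identity) are what let an analyst collapse dozens of personas into one operator.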
Japanese Scientific Espionage
Beyond revenue generation, the logs revealed the operative exfiltrated air-gapped network blueprints from Japan’s National Institute for Materials Science (NIMS)—demonstrating a pivot from IT wage theft to strategic state espionage targeting critical infrastructure.
The Performance Improvement Plan
In an ironic twist, internal communications revealed the North Korean operative was placed on a “Performance Improvement Plan” by their Chinese handlers and given a salary cut to $3,000/month for needing “too much guidance”—despite orchestrating massive cyber warfare campaigns.
Implications for Defenders
This case demonstrates:
- The convergence of DPRK IT worker programs with advanced supply chain attacks
- How an embedded remote worker can compromise compliance systems from the inside
- The intelligence value of infostealer telemetry for attribution
- The need for enhanced vetting of remote IT workers, especially in crypto/fintech
Source: InfoStealers.com / Hudson Rock | SecurityWeek
