⚠️ MEDIUM | analysis

LummaC2 Exposes North Korean Operator Behind Bybit Heist

Category: Threat Alerts
A LummaC2 infostealer infection on a device used by a suspected North Korean cybercriminal has given researchers an unusual inside view into infrastructure linked to the $1.4 billion Bybit cryptocurrency heist. What's fascinating: Hudson Rock found that the compromised machine belonged to a malware developer within North Korea's state-linked cyber apparatus, so the tables turned when the operator's own development rig got infected. The device contained credentials for trevorgreer9312@gmail.com, the address used to register bybit-assessment.com just hours before the February 2025 Bybit theft. The high-end system (12th Gen Intel i7, 16GB RAM) ran Visual Studio Professional 2019 and Enigma Protector, the latter used to pack malware. The browser defaulted to Simplified Chinese and carried Korean translation queries, and traffic was routed through Astrill VPN exiting from US IP addresses. Researchers also found phishing infrastructure serving fake Zoom installers (zoom.callapp.us) and evidence of stolen data being uploaded to Dropbox.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: The LummaC2 infection of a North Korean operator provides rare telemetry confirming links between commodity infostealers and the $1.4B Bybit heist, reinforcing the risk of large-scale theft for exchanges and custodial services. Even though this finding is primarily of intelligence value, it highlights how exposed hot-wallet infrastructure and operator endpoints are to targeted credential theft and API abuse.

Strategic Intelligence Guidance

  • Require hardened, dedicated workstations for exchange operations and treasury activities, with strict application controls and EDR tuned to detect infostealers like LummaC2.
  • Enforce strong controls on API keys and wallet access, including short-lived tokens, IP allowlisting, device binding, and behavior-based limits on withdrawal and transfer volume.
  • Integrate stealer-log telemetry from trusted intel partners into threat hunting to identify compromised employee, admin, or VIP customer accounts before funds are moved.
  • Adopt layered monitoring for high-value wallets, including drain-detection analytics, anomaly detection on destination addresses, and automated workflows to pause or challenge suspicious withdrawals.
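The last three guidance points (stealer-log matching against privileged accounts, API-caller allowlisting, behavior-based withdrawal limits, and holds on large transfers to never-seen destinations) can be combined into one withdrawal gate. The following is an added example written for this alert, not code from Hudson Rock, Bybit, or any exchange; the stealer-log feed records, the account roster, the CIDR allowlist, the thresholds and the destination addresses are all constructed, and the feed format (victim account, site, timestamp) is an assumption about what an intel partner would deliver.

```python
"""Withdrawal gate combining stealer-log matching with behavior-based limits.

Added example for the guidance above; not code from Hudson Rock or any exchange.
Every account, log record, address, IP range and threshold here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stealer-log feed: (victim account, site the credential was saved for, seen-at).
STEALER_LOG_FEED = [
    ("alice.ops@exchange.test", "https://admin.exchange.test/login", "2025-02-20T03:11:00"),
    ("random.user@mail.test", "https://social.test/login", "2025-02-19T22:05:00"),
    ("bob.treasury@exchange.test", "https://vault.exchange.test/", "2025-02-21T08:40:00"),
]

# Constructed roster of accounts holding wallet or admin privileges.
PRIVILEGED_ACCOUNTS = {"alice.ops@exchange.test", "bob.treasury@exchange.test", "carol.sec@exchange.test"}


def match_stealer_logs(feed, privileged):
    """Return privileged accounts whose credentials appear in a stealer-log feed."""
    return sorted({victim for victim, _site, _seen in feed if victim in privileged})


@dataclass
class WithdrawalGuard:
    daily_limit: float          # max aggregate volume per account in a rolling 24h window
    new_dest_threshold: float   # above this amount, a never-seen destination is held for review
    allowed_networks: list      # CIDR allowlist for API callers
    compromised: set = field(default_factory=set)
    seen_dest: dict = field(default_factory=lambda: defaultdict(set))
    history: dict = field(default_factory=lambda: defaultdict(list))  # account -> [(ts, amount)]

    def _volume_last_24h(self, account, now):
        window = now - timedelta(hours=24)
        return sum(amount for ts, amount in self.history[account] if ts > window)

    def evaluate(self, account, amount, dest, source_ip, ts):
        """Return (decision, reason); decision is 'allow', 'hold' (pause for review) or 'deny'."""
        now = datetime.fromisoformat(ts)
        ip = ip_address(source_ip)
        if not any(ip in ip_network(net) for net in self.allowed_networks):
            return "deny", "source IP outside allowlist"
        if account in self.compromised:
            return "hold", "account credentials seen in stealer logs"
        if self._volume_last_24h(account, now) + amount > self.daily_limit:
            return "hold", "24h volume limit exceeded"
        if dest not in self.seen_dest[account] and amount > self.new_dest_threshold:
            return "hold", "large transfer to never-seen destination"
        # Only allowed withdrawals count toward volume and mark a destination as known.
        self.history[account].append((now, amount))
        self.seen_dest[account].add(dest)
        return "allow", "ok"


def run_demo():
    """Feed constructed withdrawal requests through the gate and return the decisions."""
    compromised = set(match_stealer_logs(STEALER_LOG_FEED, PRIVILEGED_ACCOUNTS))
    guard = WithdrawalGuard(daily_limit=100_000, new_dest_threshold=10_000,
                            allowed_networks=["10.20.0.0/16"], compromised=compromised)
    events = [  # (account, amount, destination, source IP, timestamp) - all constructed
        ("carol.sec@exchange.test", 5_000, "0xAAA", "10.20.1.5", "2025-02-21T09:00:00"),    # small, new dest
        ("carol.sec@exchange.test", 50_000, "0xAAA", "10.20.1.5", "2025-02-21T09:05:00"),   # known dest
        ("carol.sec@exchange.test", 60_000, "0xAAA", "10.20.1.5", "2025-02-21T09:10:00"),   # pushes 24h volume over limit
        ("carol.sec@exchange.test", 20_000, "0xBBB", "10.20.1.5", "2025-02-21T09:15:00"),   # large, never-seen dest
        ("carol.sec@exchange.test", 1_000, "0xAAA", "203.0.113.9", "2025-02-21T09:20:00"),  # caller off the allowlist
        ("alice.ops@exchange.test", 100, "0xCCC", "10.20.1.6", "2025-02-21T09:25:00"),      # account in stealer logs
    ]
    return compromised, [guard.evaluate(*event) for event in events]


if __name__ == "__main__":
    hits, decisions = run_demo()
    print("stealer-log hits on privileged accounts:", sorted(hits))
    for decision, reason in decisions:
        print(f"{decision:5s}  {reason}")
```

Held withdrawals are not recorded against the account's volume or destination history, so a request that was paused cannot later make a destination look "known"; only an analyst clearing the hold should do that. The stealer-log match is deliberately applied before the volume checks, since a credential that has already leaked is a stronger signal than any single transfer pattern.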

Threats

  • LummaC2 infostealer
  • North Korean crypto theft

Targets

  • cryptocurrency exchanges
  • wallet infrastructure
  • high-value crypto traders

Impact

Financial: $1,400,000,000