Lazarus Dev Box Popped: LummaC2 Leak Ties Rig to $1.4B Bybit Heist

Hudson Rock’s InfoStealers unit published a forensic report on December 3 detailing a LummaC2 infostealer infection on a North Korean APT developer workstation, which it links directly to the February 21 Bybit hack that drained roughly $1.4–$1.5 billion in crypto.

Bitcoin trades near $93,400 today, up about 1% on the day, with a market cap near $1.86 trillion. The Bybit incident itself is described by analytics firms including Elliptic and TRM Labs as the largest single crypto heist on record.

Hudson Rock states that LummaC2 harvested credentials, browser data, and environment details from the infected Windows machine, including an email address on the trevorgreer9312 account that Silent Push had already associated with the registration of the phishing domain bybit-assessment[.]com just hours before the Bybit theft.

“The victim was a high-level North Korean threat actor operating a sophisticated malware development rig,” Hudson Rock wrote, adding that the shared trevorgreer9312 credential “connects this developer rig directly to the infrastructure used in one of the largest financial cyber-attacks in history.”
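The link Hudson Rock and Silent Push describe is a pivot: an e-mail address recovered from a stealer log matched against the registrant contact on a phishing domain registered by a different dataset. The script below is an added illustration of that pivot, not Hudson Rock’s or Silent Push’s tooling; the stealer-log rows, the registrant e-mails, the host names and the timestamps are constructed, and only the domain names come from the article. It also handles the defanged form (`[.]`, `[@]`) in which such indicators are usually shared, since a naive string match across datasets fails on exactly that.

```python
"""Pivot infostealer-log credentials against domain-registration records on a
shared e-mail address. Added example with constructed data; not the tooling
of Hudson Rock, Silent Push, or any registrar."""
import re
from collections import defaultdict

_REFANG = re.compile(r"\[(\.|@)\]")  # "[.]" -> ".", "[@]" -> "@"


def refang(indicator: str) -> str:
    """Normalise an indicator that may arrive defanged and in mixed case."""
    return _REFANG.sub(r"\1", indicator.strip().lower())


def defang(indicator: str) -> str:
    """Make a live domain or e-mail address safe to paste into a report."""
    return indicator.replace(".", "[.]").replace("@", "[@]")


# Constructed stealer-log rows: (host, site, saved username) as a browser
# credential dump would present them. Host names and e-mails are invented.
STEALER_LOG = [
    {"host": "DESKTOP-DEVRIG", "site": "registrar.example", "user": "Dev.Handle@example.com"},
    {"host": "DESKTOP-DEVRIG", "site": "dropbox.com", "user": "dev.handle@example.com"},
    {"host": "DESKTOP-OTHER", "site": "slack.com", "user": "unrelated@example.org"},
]

# Constructed registrar-style records. The domains are those named in the
# article; the registrant e-mails and timestamps are invented for the example.
REGISTRATIONS = [
    {"domain": "bybit-assessment[.]com", "email": "dev.handle[@]example[.]com", "registered": "2025-02-20T22:00:00Z"},
    {"domain": "callapp.us", "email": "DEV.HANDLE@EXAMPLE.COM", "registered": "2025-01-05T10:00:00Z"},
    {"domain": "callservice.us", "email": "dev.handle@example.com", "registered": "2025-01-05T10:05:00Z"},
    {"domain": "unrelated-shop.net", "email": "shopkeeper@example.net", "registered": "2024-11-01T00:00:00Z"},
]


def pivot_on_email(stealer_log, registrations):
    """Return {email: {"hosts": [...], "domains": [...]}} for every e-mail
    address that appears both as a saved credential in the stealer log and as
    a registrant contact. Both sides are refanged and lower-cased first so
    "dev.handle[@]example[.]com" and "DEV.HANDLE@EXAMPLE.COM" collide."""
    hosts_by_email = defaultdict(set)
    for row in stealer_log:
        hosts_by_email[refang(row["user"])].add(row["host"])

    domains_by_email = defaultdict(set)
    for row in registrations:
        domains_by_email[refang(row["email"])].add(refang(row["domain"]))

    shared = hosts_by_email.keys() & domains_by_email.keys()
    return {
        email: {
            "hosts": sorted(hosts_by_email[email]),
            "domains": sorted(domains_by_email[email]),
        }
        for email in shared
    }


def report(links):
    """Render the pivot result with every indicator defanged for sharing."""
    return [
        f"{defang(email)}: hosts={hit['hosts']} "
        f"domains={[defang(d) for d in hit['domains']]}"
        for email, hit in sorted(links.items())
    ]


if __name__ == "__main__":
    for line in report(pivot_on_email(STEALER_LOG, REGISTRATIONS)):
        print(line)
```

A single shared address is a lead, not proof: in the case the article describes, the weight of the link comes from two independent collections (a stealer log and domain-registration data) pointing at the same account, and from the registration falling hours before the theft. The timestamp field is carried through above so that the same temporal check can be applied once real records are substituted for the constructed ones.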

The workstation snapshot shows Visual Studio Professional 2019 installed alongside Enigma Protector, which the report says the operator used to pack binaries and evade antivirus products, plus Astrill VPN configured to exit via a United States IP address.

Hudson Rock lists Dropbox with an upload_vps folder tree, Slack and Telegram clients, and multiple saved VPN and browser profiles, which together suggest an operational setup for building, testing, and pushing malware, then exfiltrating payloads and stolen data through cloud storage.

Chrome and Edge history on the compromised machine shows MetaMask onboarding flows, BitPay troubleshooting pages, and repeated logins to domain registrars, as well as purchases for domains like callapp.us and callservice.us that hosted Zoom-branded phishing sites.

Elliptic and other blockchain analytics firms previously tracked the Bybit attacker converting large batches of stolen Ether into Bitcoin and dispersing the funds across roughly 4,400 BTC addresses; Cointelegraph and TechCrunch reported that the group laundered more than $600 million in ETH through THORChain and related routes within a week of the hack.

Bybit has since said in public posts, as relayed by third-party coverage, that it replaced the full $1.4 billion Ether shortfall within about 72 hours using loans, whale deposits, and market purchases, and that it will publish updated proof-of-reserves to confirm 1:1 backing of client balances.

Hudson Rock’s report includes an interactive simulator that recreates the infected rig’s environment, giving defenders a detailed view of the malware build chain, VPN routes, and credential reuse patterns inside the North Korean operation.

The Institutional Take

For desks, this LummaC2 leak turns the Bybit hack from a pure loss event into an intelligence event. It exposes reusable indicators on the attackers’ own tooling stack, VPN provider, and account-reuse habits, which compliance teams can now wire into withdrawal heuristics and sanctions screening. That reduces tail risk for exchanges willing to spend on detection, while raising it for under-secured venues that still treat endpoint hygiene for staff and vendors as a secondary concern.

> ABOUT_THE_AUTHOR _

Amir Rocha

// Crypto News Reporter

I’m Amir Rocha, a reporter who believes you shouldn't need a computer science degree to understand the future of money. I spend my days translating technical developments from Zero-Knowledge rollups into clear, actionable insights for SEC filings. After 8 years in the blockchain space, I’ve learned that the most important story isn't the price, but the technology underneath. I write to help you spot the difference between genuine innovation and a marketing gimmick.
