PANews reported on December 5th that, according to Hackread.com, cybersecurity firm Hudson Rock discovered an infected device while analyzing logs from the LummaC2 information-stealing malware. The operator is suspected to be a malware developer within a North Korean state-sponsored hacking group. This device was previously used to build the infrastructure that supported the $1.4 billion theft from the cryptocurrency exchange Bybit in February 2025.

Analysis revealed that the credentials found on the device were linked to domains registered before the attack and used to impersonate Bybit. The device itself was high-end, equipped with development tools such as Visual Studio and Enigma Protector, as well as communication and data storage applications like Astrill VPN, Slack, and Telegram. Its activity also indicated that the attackers purchased the domains and prepared fake Zoom installers to carry out phishing attacks. This discovery provides rare insights into the internal workings of asset sharing within North Korean-backed hacking operations.