Researchers from the Israeli cybersecurity company Hudson Rock discovered a compromised device belonging to a North Korean hacker in the logs of the infostealer Lumma.
Data analysis indicated a direct link between the owner and the infrastructure used for the attack on the Bybit exchange in February. A key piece of evidence was an email address found on the device that had previously appeared in Silent Push reports. This address was used to register a phishing domain just hours before the Bybit incident.
Although the owner of the infected system may not have directly taken part in moving the stolen funds, the researchers assess that the machine belonged to the broader pool of resources used by the Lazarus group.
According to the analysts, the compromised workstation was high-spec and set up specifically for developing attack tooling. Although a VPN was used to present a US IP address, the browser locale was set to Chinese, and the search history contained queries for translations from Korean.
Judging by the files on the disk, the operator was preparing a new phishing campaign: the researchers found records of domain purchases imitating popular services, along with fake Zoom installers stored locally.