The Lazarus APT machine linked to the $1.4 billion theft from Bybit was infected with LummaC2
Hudson Rock connected the dots:
- Infrastructure Link: the address trevorgreer9312@gmail.com, found on the infected machine, was used to register the domain bybit-assessment[.]com just hours before the theft
- MalDev Pipeline: Visual Studio Pro 2019 and Enigma Protector v7.40
- Attribution Paradox: Traffic was routed through a US IP; browser settings were forced to Chinese-Simplified, but translation history showed queries converting text to Korean
- Financial Motives: Activity logs indicate a strong focus on crypto, including MetaMask and BitPay
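The infrastructure link above is a timeline correlation: an e-mail address harvested by an infostealer shows up as the registrant of a domain created shortly before the incident. The following is an added example of scripting that check; it is not Hudson Rock's tooling. The record shapes, the timestamps, the machine ids and the second, unrelated record are constructed for illustration; only the e-mail address and domain come from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class StealerRecord:
    machine_id: str   # constructed id for the infected host in the stealer log
    email: str        # credential / identity harvested from that host
    stealer: str


@dataclass(frozen=True)
class RegistrationRecord:
    domain: str
    registrant_email: str
    registered_at: datetime   # assumed WHOIS-style creation timestamp


# Constructed sample data: the first record mirrors the post, the second is noise.
STEALER_LOGS = [
    StealerRecord("host-7f3a", "trevorgreer9312@gmail.com", "LummaC2"),
    StealerRecord("host-0c11", "someone.else@example.net", "LummaC2"),
]
REGISTRATIONS = [
    RegistrationRecord("bybit-assessment.com", "trevorgreer9312@gmail.com",
                       datetime(2025, 1, 1, 6, 0, tzinfo=timezone.utc)),
    RegistrationRecord("unrelated-shop.example", "someone.else@example.net",
                       datetime(2024, 11, 3, 12, 0, tzinfo=timezone.utc)),
]
INCIDENT_AT = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed


def defang(domain: str) -> str:
    """Render a domain so it is not clickable in reports."""
    return domain.replace(".", "[.]")


def correlate(stealer_logs, registrations, incident_at, window=timedelta(hours=24)):
    """Return (machine_id, defanged domain, hours_before_incident) for each domain
    whose registrant e-mail appears in a stealer log and whose registration falls
    within `window` before the incident. Hits are ordered by registration time."""
    by_email = {}
    for rec in stealer_logs:
        by_email.setdefault(rec.email.lower(), []).append(rec)
    hits = []
    for reg in sorted(registrations, key=lambda r: r.registered_at):
        lead = incident_at - reg.registered_at
        if not (timedelta(0) <= lead <= window):
            continue  # registered after the incident or outside the window
        for rec in by_email.get(reg.registrant_email.lower(), []):
            hits.append((rec.machine_id, defang(reg.domain), lead.total_seconds() / 3600))
    return hits
```

Running `correlate(STEALER_LOGS, REGISTRATIONS, INCIDENT_AT)` flags only the domain registered six hours before the constructed incident time; the older registration is dropped by the window check even though its registrant also appears in a stealer log.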