How One Infostealer Infection Solved a Global Supply Chain Mystery and Unmasked DPRK Spies in U.S. Crypto
The Fatal Download That Started It All
On August 6, 2024, an endpoint named DESKTOP-OG1CFR5 running Windows 10 Enterprise became the unlikely center of an international investigation. The user, searching for legitimate IT utilities, landed on a MediaFire link offering what appeared to be a full PC setup installer. In reality, the password-protected ZIP archive contained a LummaC2 infostealer payload. Within minutes, the malware had exfiltrated hundreds of saved credentials, thousands of browser history records, autofill data, and internal communications.
Infostealers like LummaC2 are designed to quietly harvest everything from saved passwords to browser history and cryptocurrency wallet details. In this case, the yield was extraordinary: over 100 credentials, 7,000 browsing records, and direct administrative access to critical infrastructure. What made this infection unique was not the malware itself but the operator behind the keyboard. Forensic analysis of the browsing patterns, translation logs, and credential reuse revealed a state-sponsored North Korean IT worker juggling multiple high-value personas across global platforms.
Building Synthetic Lives: The Persona Architecture
North Korean operatives have perfected the art of synthetic identity creation. This individual maintained at least four distinct personas, each tailored for specific targets. One cluster used emails tied to infrastructure administration roles on LinkedIn, Deel, and AWS. Another focused on developer tools and secure communications. A third, operating as "Ariel Cruz," secured a position at the U.S. cryptocurrency exchange Gate.us, complete with access to compliance systems.
The fourth and most damaging persona belonged to "Brian," whose email brian@funnull.com granted administrator-level control over a content delivery network deeply involved in the Polyfill.io supply chain incident. These identities were not hastily thrown together. The operator maintained segregated Chrome profiles, used translation tools relentlessly to polish English communications, and reused passwords within deliberate tiers, with separate sets for expendable day-to-day accounts and for the command-and-control infrastructure hosted with bulletproof providers.
One password prefix stood out: "nk" embedded in access credentials for Russian bulletproof hosting providers. The mnemonic was not subtle. It served as an internal reminder of the operator's true allegiance while working under Chinese syndicate handlers.
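The persona and password-tier analysis described above is, in practice, a correlation pass over the stealer's own credential export. The script below is an added example written for this article, not code from the original report or from any investigator; the log excerpt is constructed, and its block format (URL/USER/PASS records separated by blank lines) is an assumption modelled on common stealer "passwords.txt" exports, so field names in a real LummaC2 dump may differ. It groups records by exact password reuse (the tiers), pulls out accounts whose password carries a mnemonic prefix such as "nk", and clusters hosts by login identity to approximate personas.

```python
"""Cluster credentials from a stealer-style log by password reuse and identity.

Added example for this article, not code from the original report. The log
excerpt and its block format are constructed to resemble common stealer
"passwords.txt" exports; a real LummaC2 dump may use different field names.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: three personas, one password reused across a tier of
# work accounts, and a separate "nk"-prefixed tier for hosting-panel logins.
SAMPLE_LOG = """\
URL: https://www.linkedin.com/login
USER: persona-a@example.com
PASS: Winter2024!

URL: https://console.aws.amazon.com/
USER: persona-a@example.com
PASS: Winter2024!

URL: https://app.deel.com/login
USER: persona-a@example.com
PASS: Winter2024!

URL: https://github.com/login
USER: persona-b@example.com
PASS: Summer2024!

URL: https://panel.hosting-one.example/login
USER: persona-c@example.net
PASS: nkHost#7731

URL: https://dns.cdn-admin.example/
USER: persona-c@example.net
PASS: nkDns#9912
"""


def parse_stealer_log(text):
    """Parse blank-line separated KEY: value blocks into credential records."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if all(k in fields for k in ("url", "user", "pass")):
            host = urlparse(fields["url"]).hostname or fields["url"]
            records.append({"host": host, "user": fields["user"], "password": fields["pass"]})
    return records


def cluster_by_password(records):
    """Map each password to the (host, user) pairs sharing it: exact-reuse tiers."""
    clusters = defaultdict(list)
    for r in records:
        clusters[r["password"]].append((r["host"], r["user"]))
    return dict(clusters)


def accounts_with_prefix(records, prefix):
    """Return records whose password starts with a mnemonic prefix such as 'nk'."""
    return [r for r in records if r["password"].startswith(prefix)]


def personas(records):
    """Group hosts by login identity; each identity approximates one persona."""
    by_user = defaultdict(set)
    for r in records:
        by_user[r["user"]].add(r["host"])
    return {user: sorted(hosts) for user, hosts in by_user.items()}


if __name__ == "__main__":
    recs = parse_stealer_log(SAMPLE_LOG)
    for pw, accts in cluster_by_password(recs).items():
        if len(accts) > 1:
            print(f"reused {pw!r} on {[h for h, _ in accts]}")
    print("nk-prefixed:", [(r["host"], r["user"]) for r in accounts_with_prefix(recs, "nk")])
    print("personas:", personas(recs))
```

On real data the interesting output is the cross-tier hits: a password from the "expendable" tier showing up on an infrastructure host, or one login identity touching both an employer's tooling and a hosting panel, is exactly the kind of bleed-through that lets an analyst join otherwise separate personas.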
Infiltrating America's Crypto Sector
Perhaps the most audacious element was the successful placement inside Gate.us. The operative participated in Google Meet sessions with Western compliance vendors, including Sumsub, helping shape anti-money-laundering and know-your-customer rules. The irony is striking: a sanctioned DPRK actor sat in meetings designed to detect exactly the kind of fraudulent activity funding his regime.
Using the "Ariel Cruz" identity, the spy gained insight into how crypto platforms screen users and wallets. Meanwhile, the same machine held 12 carefully segregated cryptocurrency wallets spread across different browser profiles, ready to receive and launder illicit funds. An automated Telegram gateway even allowed the operator to lease poisoned CDN nodes and wash USDT without manual intervention. This level of integration turned a remote IT job into a direct pipeline for regime revenue.
Connecting the Dots to the Polyfill.io Catastrophe
The Polyfill.io supply chain attack remains one of the largest incidents of its kind. In early 2024, the polyfill.io domain and GitHub account, which served a popular open-source JavaScript polyfill library to websites, were sold to a CDN provider and later weaponized. Malicious code served from the domain redirected mobile visitors on more than 100,000 websites toward scam sites and sports betting platforms. For months, investigators traced the operation to a Chinese entity known as Funnull but could not establish a definitive state sponsor.
The infostealer logs provided the missing link. Direct credentials for the Funnull DNS management portal appeared alongside master access to the Polyfill Cloudflare tenant. Browser history captured internal syndicate discussions about changing domains from polyfill.com to polyfillcache.com and instructions on hiding injection code inside the GoEdge CDN build process. Translation logs even recorded handlers complaining when the payload failed to execute properly and directing the DPRK coder on fixes.
These artifacts established an unbroken chain of evidence. The same machine that hosted Gate.us access credentials also controlled the infrastructure responsible for injecting malware into millions of unsuspecting users worldwide. A single infection had solved what had been an impenetrable attribution puzzle.
Beyond Finance: Strategic Espionage Targets
The operation extended far beyond cryptocurrency theft. The compromised endpoint contained exfiltrated blueprints from Japan's National Institute for Materials Science, including sensitive air-gapped network diagrams. This shift from wage theft and crypto laundering to stealing critical infrastructure intelligence underscores the dual-use nature of DPRK IT worker programs.
Operatives secure legitimate remote positions inside Western companies, collect salaries that flow back to Pyongyang, and quietly siphon intellectual property and technical access along the way. In this case, the same individual juggling crypto wallets and supply chain sabotage was also mapping scientific research networks.
OPSEC Failures and the Human Element
Despite sophisticated tradecraft, the operative's reliance on Google Translate created a permanent record of their true identity. Every English message from U.S. employers and every Chinese directive from handlers was routed through Korean translations. This "mental bridge" workflow left thousands of telemetry entries that conclusively pointed to a native Korean speaker operating under Beijing time references.
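Two of the signals named in this paragraph, the language the operator pivots through and the time zone they keep, can be pulled straight from browser history. The script below is an added example for this article, not code from the original report; the history entries are constructed, and the Google Translate URL shape it parses (sl= for source language, tl= for target) is the web interface's current form and is assumed stable. It counts translation directions, picks the language that appears most often on either side (the "bridge"), and scores candidate UTC offsets by how much activity lands in a 09:00 to 18:00 working window.

```python
"""Attribution signals from browser telemetry: translation pivots and work hours.

Added example for this article, not code from the original report. The history
entries are constructed; the translate.google.com URL form (sl=/tl= query
parameters) is assumed to match the web interface.
"""
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed history as (UTC timestamp, URL). Translation traffic pivots
# through Korean; activity falls between 01:00 and 10:00 UTC.
SAMPLE_HISTORY = [
    ("2024-08-06T01:14:00Z", "https://translate.google.com/?sl=en&tl=ko&text=please+review+the+PR&op=translate"),
    ("2024-08-06T02:03:00Z", "https://translate.google.com/?sl=ko&tl=en&text=%EB%84%A4&op=translate"),
    ("2024-08-06T03:27:00Z", "https://translate.google.com/?sl=zh-CN&tl=ko&text=...&op=translate"),
    ("2024-08-06T04:50:00Z", "https://www.linkedin.com/feed/"),
    ("2024-08-06T05:12:00Z", "https://translate.google.com/?sl=en&tl=ko&text=standup+moved+to+10&op=translate"),
    ("2024-08-06T06:40:00Z", "https://translate.google.com/?sl=ko&tl=zh-CN&text=...&op=translate"),
    ("2024-08-06T08:05:00Z", "https://translate.google.com/?sl=zh-CN&tl=ko&text=...&op=translate"),
    ("2024-08-06T09:31:00Z", "https://translate.google.com/?sl=en&tl=ko&text=ticket+closed&op=translate"),
]


def translation_directions(history):
    """Count (source, target) language pairs seen in Google Translate URLs."""
    directions = Counter()
    for _, url in history:
        parsed = urlparse(url)
        if parsed.hostname != "translate.google.com":
            continue
        query = parse_qs(parsed.query)
        source = query.get("sl", [None])[0]
        target = query.get("tl", [None])[0]
        if source and target and source != "auto":
            directions[(source, target)] += 1
    return directions


def pivot_language(directions):
    """The language appearing most often on either side of a translation."""
    totals = Counter()
    for (source, target), n in directions.items():
        totals[source] += n
        totals[target] += n
    return totals.most_common(1)[0][0]


def best_utc_offset(history, work_start=9, work_end=18):
    """Offset (hours from UTC) placing the most activity inside working hours.

    Returns (offset, fraction_of_entries_in_window). Whole-hour offsets only;
    a half-hour zone would need a finer grid.
    """
    hours = [datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour for ts, _ in history]
    scores = {}
    for offset in range(-12, 15):
        local = [(h + offset) % 24 for h in hours]
        scores[offset] = sum(1 for h in local if work_start <= h < work_end)
    best = max(scores, key=scores.get)
    return best, scores[best] / len(hours)


if __name__ == "__main__":
    dirs = translation_directions(SAMPLE_HISTORY)
    print("directions:", dict(dirs))
    print("pivot language:", pivot_language(dirs))
    print("best UTC offset:", best_utc_offset(SAMPLE_HISTORY))
```

The offset fit is deliberately crude: it assumes a single operator with a daytime schedule, so a result that only weakly beats its neighbours, or that flips when you restrict to weekdays, should be read as "no clear signal" rather than forced into a time zone.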
Even more telling were the internal communications about a burned stolen identity and frantic attempts to bypass SMS verification without triggering alerts. At one point, the Chinese handlers placed the operative on a performance improvement plan and reduced their monthly salary to $3,000 for requiring "too much guidance." State-sponsored espionage, it turns out, still comes with mundane workplace frustrations.
The Broader Implications for Global Security
This single infostealer infection has sharpened the picture of DPRK cyber operations. It demonstrates how a low-cost malware infection on an attacker's own machine can yield high-value intelligence that defeats even careful operational security. The convergence of supply chain attacks, remote worker infiltration, and cryptocurrency laundering creates a force multiplier that traditional defenses struggle to address.
Organizations must now assume that any remote developer or IT contractor could be part of a state-sponsored network. Supply chain security requires continuous monitoring of third-party JavaScript libraries and CDN providers. Cryptocurrency platforms need enhanced identity verification that goes beyond surface-level checks. Most importantly, the cybersecurity community must treat infostealer logs not merely as criminal artifacts but as potential windows into nation-state campaigns.
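One concrete form of the third-party script monitoring recommended above is a pass over each page's <script> tags, plus hash pinning for the scripts that can be pinned. The script below is an added example for this article, not code from the original report or from any project; the HTML, the allowlist and the block list are all constructed, and the pin value on the allowed script is a placeholder. It flags scripts from blocked or unknown hosts and allowed-host scripts that lack an integrity attribute, and it computes and verifies Subresource Integrity pins for fetched bodies. The caveat the Polyfill.io case illustrates is built in: a host that serves different content per visitor (polyfill.io varied its output by user agent) cannot be pinned with SRI at all, so an allowlist decision has to come first.

```python
"""Audit third-party <script> tags and compute/verify SRI pins.

Added example for this article, not code from the original report. The HTML,
the allowlist and the block list are constructed; "sha384-AAAA" is a
placeholder pin, not a real digest.
"""
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"cdn.allowed-vendor.example"}  # assumed per-site allowlist
BLOCKED_HOSTS = {"polyfill.io"}                 # assumed operator block list

SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.allowed-vendor.example/app.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.allowed-vendor.example/vendor.js"></script>
<script src="https://unknown.example.org/tracker.js" integrity="sha384-BBBB"></script>
<script src="/static/local.js"></script>
<script>inline();</script>
</head></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def _host_matches(host, patterns):
    """True if host equals a pattern or is a subdomain of one."""
    return any(host == p or host.endswith("." + p) for p in patterns)


def audit_html(html, allowed=ALLOWED_HOSTS, blocked=BLOCKED_HOSTS):
    """Return (src, reason) findings for external scripts, in document order."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: handled by CSP, out of scope here
        host = urlparse(src).hostname
        if host is None:
            continue  # relative path, same origin as the page
        if _host_matches(host, blocked):
            findings.append((src, "blocked host"))
        elif not _host_matches(host, allowed):
            findings.append((src, "host not in allowlist"))
        elif "integrity" not in attrs:
            findings.append((src, "missing integrity"))
    return findings


def sri_hash(body, algo="sha384"):
    """SRI pin for a script body: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_pinned(body, pin):
    """Check a fetched body against a stored pin using a constant-time compare."""
    algo = pin.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(body, algo), pin)


if __name__ == "__main__":
    for src, reason in audit_html(SAMPLE_HTML):
        print(f"{reason:22} {src}")
    body = b"console.log(1);"  # constructed stand-in for a fetched script
    pin = sri_hash(body)
    print("pin:", pin, "verified:", verify_pinned(body, pin))
```

Run against the constructed page this reports the polyfill script as blocked, vendor.js as unpinned, and tracker.js as off-allowlist even though it carries a pin, since a pin only proves the body matched what the attacker served at the time you recorded it. For continuous monitoring, re-fetch each pinned script on a schedule and alert on a verify_pinned failure or on any new host appearing in the audit output.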