
Infostealer on North Korean operative's PC links DPRK to Polyfill.io supply chain attack

By Adam Bream, Tech Content Writer
Cover © Anonhaven

A North Korean state-sponsored operative has been linked to the 2024 Polyfill.io supply chain attack that compromised more than 100,000 websites. Hudson Rock published the forensic analysis on March 11, 2026, after recovering over 100 credentials and 7,000 browsing logs from the operative's Windows machine, which was accidentally infected with the LummaC2 infostealer on August 6, 2024.

The operative downloaded a trojanized file from MediaFire disguised as a software installer. LummaC2 exfiltrated the machine's full credential store, browsing history, autofill data, and Google Translate telemetry. The infected hostname was DESKTOP-OG1CFR5, running Windows 10 Enterprise at IP address 192.161.60.132.

Hudson Rock found Cloudflare admin credentials for the polyfill.io domain on the same machine that held developer logins for Funnull's DNS management backend. Funnull, a Chinese CDN company, had acquired the Polyfill.io JavaScript library in early 2024 and weaponized it by June, injecting malicious code that redirected mobile users on 100,000+ websites to gambling and scam domains. Until this report, researchers could only attribute the attack to Funnull. The missing piece was the North Korean connection.
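Because the Polyfill.io compromise reached sites through a single third-party script tag, the first defensive check is simply finding every page that still loads from that host. The scanner below is an added example, not code from Hudson Rock or the article; the blocked host list and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts tied to the compromised Polyfill.io service named in the article.
# This list is an assumption for the example; extend it from your own intel feeds.
BLOCKED_SCRIPT_HOSTS = {"polyfill.io", "cdn.polyfill.io"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def _host(src):
    # Protocol-relative URLs (//cdn.polyfill.io/...) carry no scheme, so add one
    # before parsing; relative paths such as /static/app.js yield no host at all.
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def find_blocked_scripts(html, blocked=BLOCKED_SCRIPT_HOSTS):
    """Return script src values whose host is, or is a subdomain of, a blocked host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        host = _host(src)
        if any(host == b or host.endswith("." + b) for b in blocked):
            hits.append(src)
    return hits


# Constructed sample page; it is not taken from any real site.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for hit in find_blocked_scripts(SAMPLE_HTML):
        print("blocked script reference:", hit)
```

Run it over crawled HTML of your own properties; any hit is a page that still hands script execution to the compromised CDN.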

Google Translate URL telemetry proved the operative's native language was Korean. The actor received instructions in English from American employers and in Chinese from Funnull handlers, translated both into Korean to process them, then composed replies translated outward. Internal Funnull chat logs captured the moment Chinese handlers directed the operative (using the persona "Brian") to hide the malicious "injection function" inside the GoEdge CDN build process so open-source users would not detect it.

The same operative had infiltrated Gate.us, an American cryptocurrency exchange, using the fake identity "Ariel Cruz." Working in an administrative role, the DPRK agent sat in Google Meet sessions with Western compliance vendors Sumsub and Elliptic, actively shaping the exchange's AML/KYC (anti-money laundering / know your customer) implementation. Translation logs show the operative intercepted executive emails discussing biometric data liability and vendor pricing, translating them into Korean for study.

It conclusively proves that DPRK IT workers are not merely low-level coders generating freelance wages. They are highly capable advanced persistent threats who embed themselves into the core infrastructure of foreign targets to conduct strategic espionage.

— Hudson Rock wrote in its report

To map detection blind spots, the operative tested Gate.us's staging KYC environment with profiles of real FBI fugitives including Bernard Madoff, George Wright, and Milovan Bjelica. A test using "Saddam Hussein" was approved because the subject was deceased, prompting the exchange's team to flag the failure to Sumsub. The North Korean operative was reverse-engineering the fuzzy matching logic and detection thresholds of Western AML tools from the inside.

Beyond crypto fraud, the investigation revealed state-level espionage. Under the alias "Wenyi Han," the operative infiltrated Japanese IT consultancy LR Techs (lrtechs.co.jp), gaining access to Backlog project management workspaces, Slack channels, and AWS environments. From that supply-chain foothold, the operative exfiltrated air-gapped network blueprints from Japan's National Institute for Materials Science (NIMS).

A prior Hudson Rock investigation on March 3 had first identified the DPRK-Funnull link. That report exposed a different operative after they downloaded GTA 5 cheat software infected with LummaC2. Zach Edwards from Infoblox independently confirmed the infrastructure overlap, finding that Funnull DNS management domains shared reverse PTR records with core Funnull CDN hosts.

Their ability to gain employment writing the very KYC compliance code designed to stop them demonstrates a catastrophic failure of current corporate vetting paradigms.

— Hudson Rock concluded in the report

The Polyfill.io attack had been attributed to Chinese organized crime linked to the Suncity Group gambling operation, but no definitive state actor connection existed before Hudson Rock's findings. Hudson Rock stated it would share unredacted machine data with verified researchers and law enforcement upon request.


Questions on the topic

Who was behind the Polyfill.io supply chain attack?
Hudson Rock's forensic analysis of a LummaC2-infected machine linked the Polyfill.io attack to a North Korean state-sponsored operative working within the Chinese Funnull CDN syndicate. The operative held Cloudflare admin credentials for the polyfill.io domain on the same machine used to manage Funnull's DNS backend.