Recent revelations have connected a widespread supply chain attack on over 100,000 websites to North Korean cyber operatives. The breach, which involved the Polyfill.io service, was initially thought to be orchestrated by Chinese actors. New evidence, however, points to a more complex collaboration involving North Korean hackers.
Background of the Polyfill Attack
In early 2024, Polyfill.io, a service relied upon by numerous websites for delivering JavaScript code to ensure browser compatibility, was acquired by the Chinese content delivery network company Funnull. Not long after the acquisition, malicious JavaScript began appearing in the scripts distributed from the cdn.polyfill.io domain.
The injected code was specifically designed to target mobile users, employing evasion tactics and redirecting them to illicit betting and adult websites. This malicious activity was confirmed by security experts from Sansec and C/side by mid-2024. As a result, there was an urgent call for website administrators to eliminate links to the compromised Polyfill domain to prevent further security breaches.
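The remediation the article describes (removing every reference to the compromised domain) can be checked mechanically. The following is an added example, not code from the article or from any of the firms it names: it parses a page's HTML, flags every script tag that loads from cdn.polyfill.io or a polyfill.io subdomain, and also notes other third-party scripts that carry no Subresource Integrity hash; the sample HTML and the example-cdn.test host are constructed for the demonstration.

```python
# Added example (not from the article): audit HTML for <script> tags that load
# from the compromised cdn.polyfill.io host, plus third-party scripts without SRI.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the article says administrators were urged to remove links to.
FLAGGED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}


class ScriptAuditor(HTMLParser):
    """Collects findings about external <script src=...> references."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script, nothing is fetched from a third party
        # urlparse handles absolute and scheme-relative (//host/path) URLs;
        # hostname is None for same-origin paths such as /js/app.js
        host = urlparse(src).hostname
        if host is None:
            return
        if host in FLAGGED_HOSTS or host.endswith(".polyfill.io"):
            self.findings.append({"issue": "compromised_host", "host": host, "src": src})
        elif "integrity" not in attrs:
            # SRI pins fixed third-party content. It could not have protected
            # polyfill.io users, because that service tailored its output per
            # user agent, but it remains a baseline control for other CDN scripts.
            self.findings.append({"issue": "no_sri", "host": host, "src": src})


def audit_html(html):
    """Return a list of findings for every external script reference in html."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page for the demonstration; not a real site.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.polyfill.io/v2/polyfill.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"></script>
<script src="https://cdn.example-cdn.test/pinned.js" integrity="sha384-CONSTRUCTED"></script>
<script src="/js/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(f"{finding['issue']:16} {finding['host']:24} {finding['src']}")
```

Run against the constructed sample it reports both polyfill.io references as compromised hosts and the unpinned example-cdn.test script as lacking SRI, while ignoring the same-origin and integrity-protected scripts.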
Uncovering North Korean Involvement
Despite initial assumptions pointing to a Chinese operation, the cybersecurity firm Hudson Rock uncovered new information suggesting otherwise. Their investigations, which focus on intelligence from infostealer malware, revealed that Funnull might have been a facade for deeper involvement by North Korean threat actors.
Hudson Rock tracked data exfiltrated from devices compromised by infostealers, including one device linked to North Korean hackers. Among the artefacts was a fake software installer that deployed the LummaC2 malware, which harvested credentials and browser data from the infected device. This evidence provided a direct link between the North Korean operators and the Chinese syndicate controlling Polyfill’s malicious activities.
Implications of the Attack
The stolen data from the North Korean hacker’s device disclosed critical information, such as credentials for managing Funnull’s DNS and access to Polyfill’s Cloudflare settings. This confirmed the attackers’ influence over the domain used in the widespread attack.
Hudson Rock highlighted that the ultimate objective of the Polyfill attack was to direct users to gambling sites affiliated with Suncity Group, a China-based company. This operation served as a mechanism to funnel substantial amounts of cryptocurrency back to North Korea, further emphasizing the scale and sophistication of the attack.
In a broader context, North Korean hackers have reportedly accumulated over $2 billion in cryptocurrency by 2025, showcasing their persistent threat to global financial systems.
The infostealer malware also unveiled another scheme where a North Korean agent infiltrated a cryptocurrency exchange to gain insights into anti-money laundering procedures. Such operations underline the ongoing challenges in combating cyber threats from state-sponsored actors.
As the investigation continues, these findings underscore the critical need for enhanced cybersecurity measures and international cooperation to thwart similar attacks in the future.
