

Polyfill Supply Chain Attack Impacting 100k Sites Linked to North Korea

The 2024 incident was initially linked to China, but an infostealer infection has now revealed North Korean involvement. The post Polyfill Supply Chain Attack Impacting 100k Sites Linked to North Korea appeared first on SecurityWeek.


The Polyfill supply chain attack that hit more than 100,000 websites back in 2024 has now been linked to North Korean threat actors after it was initially tied only to China.

In February 2024, the popular Polyfill.io service, which websites embedded as a third-party script to deliver browser-compatibility JavaScript, was acquired by Chinese CDN company Funnull. Under its new owner, scripts served from cdn.polyfill.io began carrying injected malicious JavaScript.

The injected code was confirmed by security firms Sansec and C/side in June 2024. It targeted mobile users and used evasion techniques to avoid detection (activating only for certain devices and staying dormant for admin users), redirecting victims to betting or adult sites.

The attack affected more than 100,000 websites that embedded the library, prompting widespread recommendations to remove every reference to the Polyfill domain immediately. The concern went beyond the redirects that had been observed: whoever controlled the domain could replace the payload at any time with something far more damaging, such as credential theft or payment skimming, on every site still loading the script.
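The remediation above amounts to an audit of which third-party hosts a site is loading scripts from. The following is an added example (not code from the SecurityWeek article or from any of the firms it cites) of such a check: it parses HTML, flags any script loaded from polyfill.io or one of its subdomains (including scheme-relative `//` references), and also reports cross-origin scripts that carry no Subresource Integrity hash. The sample HTML and the `.example` hosts are constructed for illustration. One caveat a practitioner should keep in mind: SRI would not have helped with polyfill.io itself, because the service returned different code depending on the visitor's User-Agent, so a fixed hash cannot describe it; the only fix for such a dependency is to remove it or self-host a pinned copy.

```python
"""Audit HTML for third-party <script> loads (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts to flag, together with every subdomain (assumption: only the
# domain named in the article; extend as needed for your own deny-list).
UNTRUSTED_HOSTS = {"polyfill.io"}


def host_is_untrusted(host: str) -> bool:
    """True for the host itself or any subdomain of it, not for look-alikes."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in UNTRUSTED_HOSTS)


class ScriptAuditor(HTMLParser):
    """Collects findings for every external <script src=...> in a page."""

    def __init__(self, page_origin: str):
        super().__init__()
        self.page_host = urlsplit(page_origin).hostname
        self.findings = []  # (severity, src, reason)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names
        src = a.get("src")
        if not src:
            return  # inline script: not a third-party load
        # urlsplit handles absolute and scheme-relative ("//host/...") URLs;
        # a path-only src has no hostname and is therefore same-origin.
        host = urlsplit(src).hostname
        if host is None or host == self.page_host:
            return
        if host_is_untrusted(host):
            self.findings.append(("REMOVE", src, "script served from polyfill.io"))
        elif "integrity" not in a:
            self.findings.append(("NO_SRI", src, "cross-origin script without an integrity hash"))


def audit_html(html: str, page_origin: str):
    """Return the list of findings for one page's HTML."""
    auditor = ScriptAuditor(page_origin)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: two polyfill.io loads (one scheme-relative), one
# unpinned third-party script, one pinned with SRI, one same-origin, one inline.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="https://cdn.example/lib2.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
<script>console.log("inline")</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for severity, src, reason in audit_html(SAMPLE_HTML, "https://www.example"):
        print(f"{severity:7} {src}  ({reason})")
```

Run it over your own templates or crawled pages; the `REMOVE` findings are the ones the 2024 advisories asked site owners to act on, and the `NO_SRI` findings are the remaining third-party scripts whose content you are trusting without pinning.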

Cloudflare and Google also took action to protect users at the time: Cloudflare began automatically rewriting polyfill.io links on customer sites to point at its own mirror of the library, and Google started blocking ads for sites that still loaded the script.

The involvement of Funnull led to the belief that this was a Chinese operation. However, evidence uncovered recently by Hudson Rock, a cybersecurity firm specializing in infostealer malware intelligence, indicates that Funnull was likely just a “corporate front” for an operation that also involved North Korean threat actors.

Hudson Rock has been monitoring data stolen from computers infected with infostealers, including one device used by North Korean hackers. The device's user had downloaded a fake software installer that delivered a LummaC2 malware sample, which collected credentials, browser logs, and other data from the compromised machine.

According to Hudson Rock, the data collected by the malware enabled the security firm to “establish an ironclad chain of evidence linking the North Korean operator to the Chinese syndicate and the Polyfill control panels”.

Hudson Rock said the evidence collected by the malware from the North Korean hacker’s device included credentials for the Funnull DNS management portal, credentials for the Polyfill Cloudflare tenant (proving that the weaponized domain was under the hacker’s control), and conversations regarding the malicious domain configuration changes made in the Polyfill attack. 

The security firm believes the goal of the Polyfill supply chain attack was to redirect users to gambling websites owned by the China-based company Suncity Group. This gambling ecosystem was “engineered to launder massive volumes of cryptocurrency back to the North Korean state”, the company said.

North Korean hackers are believed to have stolen more than $2 billion worth of cryptocurrency in 2025.

The data stolen by the infostealer malware from the same North Korean device also revealed details of a different operation in which a North Korean operative secured a job at the cryptocurrency exchange Gate.

The fake worker exploited access to the company’s systems to obtain intelligence on procedures meant to prevent North Korean money laundering. 

Related: North Korean APT Targets Air-Gapped Systems in Recent Campaign

Related: Ukrainian Gets 5 Years in US Prison for Aiding North Korean IT Fraud

Related: North Korean Hackers Target macOS Developers via Malicious VS Code Projects

