The Polyfill supply chain attack, which hit more than 100,000 websites in 2024 by serving malicious JavaScript from cdn.polyfill[.]io to every site that embedded the library, has now been linked to North Korean threat actors after earlier ties to China. In February 2024, Polyfill[.]io was acquired by Chinese CDN company Funnull, which then began the malicious injections, a move security firms Sansec and C/side confirmed in June 2024.
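The attack worked because sites pulled the script straight from a third-party CDN, so whoever controlled cdn.polyfill[.]io controlled code running on every embedding page. The audit below is an added example written for this page, not code from the article or from Sansec, C/side or Hudson Rock. It parses an HTML document, lists every remote `<script src>`, flags references to the polyfill domains named in the article, and warns about any other cross-origin script that carries no Subresource Integrity hash. The sample page, the domain denylist and the first-party host are all constructed for illustration.

```python
"""Audit an HTML page for risky third-party <script src> references.

Added example for this article, not the article's or any vendor's code.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the article names as the compromised CDN. Using a small denylist
# like this is an assumption of the example, not a published indicator feed.
COMPROMISED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

# Constructed sample page; none of these sites or assets come from the article.
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="//cdn.polyfill.io/v3/polyfill.min.js"></script>
  <script src="https://code.jquery.com/jquery-3.7.1.min.js"
          integrity="sha384-constructedHashValueForIllustrationOnly"
          crossorigin="anonymous"></script>
  <script src="https://cdn.example-analytics.net/tag.js"></script>
  <script>console.log("inline script, not a remote dependency");</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> that loads a remote src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("src"):
            self.scripts.append(a)


def host_of(src):
    """Lowercase host of a script URL, or None for a same-origin path.

    Protocol-relative URLs such as //cdn.polyfill.io/... still yield a host,
    which matters because that form was common in polyfill.io embed snippets.
    """
    return urlparse(src).hostname


def classify(host, integrity, first_party_host):
    """Verdict for one script reference.

    critical: served from the compromised CDN. The fix is to remove the tag,
              not to pin it: polyfill.io returned browser-specific bundles,
              so a single SRI hash would never have matched consistently.
    warning:  cross-origin script with no integrity attribute, so the CDN can
              swap the code silently, which is how the Polyfill attack spread.
    ok:       same-origin, or cross-origin with an integrity hash.
    """
    if host is None or host == first_party_host:
        return "ok"
    if host in COMPROMISED_HOSTS or host.endswith(".polyfill.io"):
        return "critical"
    if not integrity:
        return "warning"
    return "ok"


def audit_html(html, first_party_host):
    """Return one finding per remote script: its src, host and verdict."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        host = host_of(s["src"])
        findings.append({
            "src": s["src"],
            "host": host,
            "verdict": classify(host, s.get("integrity", ""), first_party_host),
        })
    return findings


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "example.com"):
        print(f"{f['verdict']:8} {f['src']}")
```

Run it against the constructed page and the polyfill reference is reported as critical, the analytics tag without an integrity attribute as a warning, and the pinned jQuery and same-origin scripts as ok. A warning does not mean the script is malicious, only that nothing stops the CDN from changing it; for a dependency whose output varies by browser, as polyfill.io's did, self-hosting a fixed copy is the practical alternative to SRI.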
Hudson Rock recently uncovered evidence suggesting Funnull was likely a corporate front for an operation that also involved North Korean actors. Among that evidence was data stolen from a device used by North Korean hackers, which revealed credentials for the Funnull DNS management portal and for the Polyfill Cloudflare tenant, linking the weaponised domain to the attackers.
The security firm said the aim of the attack was to redirect users to gambling websites owned by the China-based Suncity Group, a scheme it described as an effort to launder large volumes of cryptocurrency back to the North Korean state. North Korean hackers are believed to have stolen more than $2 billion worth of cryptocurrency in 2025, according to the report.
Hudson Rock’s investigation also uncovered details of a separate operation in which a North Korean operative obtained access to a cryptocurrency exchange in order to gather intelligence on its anti-money-laundering procedures.