Gate.io and Suncity Group: Polyfill Supply Chain Attack Impacting 100k Sites Linked to North Korea

Polyfill Supply Chain Attack Linked to North Korean Threat Actors

In February 2024, the widely used Polyfill.io service, a JavaScript library for browser compatibility, was acquired by Chinese CDN company Funnull. Shortly after, the domain cdn.polyfill.io began injecting malicious code into scripts, affecting over 100,000 websites. The malware targeted mobile users, redirecting them to betting and adult sites while employing evasion techniques. Security firms Sansec and C/side confirmed the attack in June 2024, prompting Cloudflare and Google to mitigate risks.
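A defender-side check suggested by the paragraph above, added here as an example (it is not code from the SecurityWeek article, Hudson Rock, or Rankiteo): it parses a page's HTML and lists every script tag whose source host is cdn.polyfill.io or another polyfill.io subdomain, so a site owner can find the dependency and remove or self-host it. The sample HTML is constructed, and treating the bare polyfill.io apex as suspect alongside the cdn subdomain the article names is an assumption.

```python
"""Locate <script> tags that load from the compromised polyfill.io CDN.

Added example, not code from the SecurityWeek article or Rankiteo's tooling.
The sample HTML below is constructed; the host list reflects the domain the
article names (cdn.polyfill.io) plus the bare apex as a labelled assumption.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The article names cdn.polyfill.io; matching on the apex polyfill.io is an
# assumption made so that any subdomain of the service is caught.
SUSPECT_HOSTS = {"polyfill.io"}


def host_is_suspect(host: str) -> bool:
    """True if host is polyfill.io or any subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def find_polyfill_scripts(html: str) -> list[str]:
    """Return every script src whose host is polyfill.io or a subdomain.

    Protocol-relative URLs (//cdn.polyfill.io/...) are common in the wild and
    are handled by giving urlparse a scheme to work with.
    """
    parser = _ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        url = "https:" + src if src.startswith("//") else src
        host = urlparse(url).hostname
        if host and host_is_suspect(host):
            hits.append(src)
    return hits


# Constructed sample page: one direct reference, one protocol-relative
# reference, and one unrelated script that must not be reported.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://example.com/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src in find_polyfill_scripts(SAMPLE_HTML):
        print("remove or self-host:", src)
```

Run it against saved copies of your own pages (or template files) rather than live fetches; the point is to enumerate where the third-party dependency is declared, which is the inventory a site owner needs before removing it.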

Initially attributed to Chinese actors, new evidence from cybersecurity firm Hudson Rock reveals North Korean involvement. The firm analyzed data from infostealer malware on a device used by a North Korean hacker, uncovering credentials for Funnull’s DNS management portal and the Polyfill Cloudflare tenant. The stolen data also included conversations about malicious domain configurations, establishing a direct link between the North Korean operative and the attack.

Hudson Rock determined that the Polyfill campaign aimed to funnel users to gambling sites operated by China’s Suncity Group, which allegedly laundered cryptocurrency for North Korea. The operation aligns with North Korea’s broader cybercrime strategy, under which its operators reportedly stole over $2 billion in cryptocurrency in 2025. Additionally, the same hacker’s device contained evidence of a separate scheme in which a North Korean operative infiltrated the cryptocurrency exchange Gate.io to gather intelligence on its anti-money laundering procedures.

Source: https://www.securityweek.com/polyfill-supply-chain-attack-impacting-100k-sites-linked-to-north-korea/

Gate.io TPRM report: https://www.rankiteo.com/company/gateio

Suncity Group TPRM report: https://www.rankiteo.com/company/suncitygroup

"id": "sungat1773312606",
"linkid": "suncitygroup, gateio",
"type": "Cyber Attack",
"date": "2/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Over 100,000 websites',
                        'industry': 'Web development/CDN',
                        'location': 'Global',
                        'name': 'Polyfill.io',
                        'type': 'JavaScript library service'},
                       {'industry': 'Technology/Cloud Services',
                        'location': 'China',
                        'name': 'Funnull',
                        'type': 'CDN company'},
                       {'industry': 'Gambling/Entertainment',
                        'location': 'China',
                        'name': 'Suncity Group',
                        'type': 'Gambling operator'}],
 'attack_vector': 'Malicious JavaScript injection via compromised CDN',
 'date_detected': '2024-06',
 'date_publicly_disclosed': '2024-06',
 'description': 'In February 2024, the widely used Polyfill.io service, a '
                'JavaScript library for browser compatibility, was acquired by '
                'Chinese CDN company Funnull. Shortly after, the domain '
                'cdn.polyfill.io began injecting malicious code into scripts, '
                'affecting over 100,000 websites. The malware targeted mobile '
                'users, redirecting them to betting and adult sites while '
                'employing evasion techniques. Initially attributed to Chinese '
                'actors, new evidence reveals North Korean involvement, with '
                'credentials for Funnull’s DNS management portal and Polyfill '
                'Cloudflare tenant found on a device used by a North Korean '
                'hacker. The campaign aimed to funnel users to gambling sites '
                'operated by China’s Suncity Group, allegedly laundering '
                'cryptocurrency for North Korea.',
 'impact': {'brand_reputation_impact': 'High (Polyfill.io and affected '
                                       'websites)',
            'operational_impact': 'Malicious redirects to betting and adult '
                                  'sites',
            'systems_affected': 'Over 100,000 websites'},
 'initial_access_broker': {'entry_point': 'Compromised Polyfill.io CDN'},
 'investigation_status': 'Ongoing',
 'motivation': ['Financial gain',
                'Cryptocurrency laundering',
                'Intelligence gathering'],
 'post_incident_analysis': {'root_causes': 'Acquisition of Polyfill.io by '
                                           'Funnull, North Korean hacker '
                                           'access to DNS management portal'},
 'references': [{'source': 'Sansec'},
                {'source': 'C/side'},
                {'source': 'Hudson Rock'},
                {'source': 'Cloudflare'},
                {'source': 'Google'}],
 'response': {'containment_measures': ['Cloudflare and Google mitigations'],
              'third_party_assistance': ['Sansec', 'C/side', 'Hudson Rock']},
 'threat_actor': ['North Korean threat actors', 'Chinese actors (Funnull)'],
 'title': 'Polyfill Supply Chain Attack Linked to North Korean Threat Actors',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'Compromised Polyfill.io service'}