Infected by GTA 5 Cheats: How an Infostealer Infection Unmasked a North Korean Agent

2026-03-02 Hudson Rock

https://www.hudsonrock.com/blog/6236


Hudson Rock analyzes a suspected DPRK IT-worker machine infected with LummaC2, using the stolen telemetry to expose an Indonesian proxy node tied to fake IT-worker and fraud activity. The investigation began with Funnull CDN credentials found in the log and went on to show the operator using Indonesian-facing aliases, multiple browser profiles, synthetic identities, cloud and hosting accounts, and localized browsing behavior to maintain cover. Installed tools and search history indicate use of OBS VirtualCam, video-editing utilities, AI text, video and voice tools, and deepfake workflows for identity verification and interviews. Browser artifacts also show development and administration of scam infrastructure, including cloned crypto-exchange interfaces, searches for “steal-U” USDT-draining smart-contract source, interest in CraxsRAT, scam dashboards, wallet segregation, and direct access to fake portals. The case matters for DPRK-focused tracking because a single infostealer compromise exposed operational tradecraft, infrastructure-laundering links, identity-synthesis tooling, and cryptocurrency-fraud development from inside a suspected operator environment.

Indicators of Compromise

