BitMEX Exposes Lazarus Group: North Korean Hackers Slip Up

By Emir Abyazov


In a notable turn for crypto security, the BitMEX security team has shed light on the notorious North Korean hacking collective Lazarus Group, uncovering operational mistakes that could change how the sector defends itself.

The revelations, published between May 31 and June 2, 2025, show how exposed even the world's most notorious hackers become when they are careless.

It started with a classic phishing attempt. One of BitMEX's employees was approached on LinkedIn to collaborate on a fake NFT marketplace project, a lure consistent with Lazarus's known modus operandi. Rather than being duped by the scam, the employee flagged the message, which prompted BitMEX's security team to launch a wider investigation.

Drilling deeper, BitMEX linked the attack to a GitHub repository containing malicious code designed to steal credentials and system data. The major breakthrough came when researchers found an exposed Supabase database the attackers were using to track infected devices.

This database was no simple list of victims — there were usernames, hostnames, operating systems, geolocations, and most crucially, IP addresses.

BitMEX blog post revealing Lazarus Group database records and IP logs. Source: BitMEX

In a rare blunder, one of the hackers exposed his actual IP address, which resolved to a residential China Mobile connection in Jiaxing, China — an operational error almost unheard of in state-sponsored cyber attacks.

Combined with logs revealing VPN access and testing environments, this provided a look inside the day-to-day work of the Lazarus Group.

BitMEX's real-time monitoring has since collected hundreds of records, allowing the team to track activity patterns and working hours that closely overlap a normal workday in Pyongyang.
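The working-hours analysis described above, as an added illustration that is not part of the BitMEX post: the check-in timestamps below are constructed sample values, and Pyongyang time is assumed to be a fixed UTC+9 offset.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: Pyongyang Time is a fixed UTC+9 offset (no DST applied here).
PYONGYANG = timezone(timedelta(hours=9), "Asia/Pyongyang")
UTC = timezone.utc

# Constructed sample: UTC check-in times as a victim-tracking database might
# log them. Illustrative values only, not the records BitMEX published.
SAMPLE_EVENTS_UTC = [
    "2025-06-02T00:30:00", "2025-06-02T02:15:00", "2025-06-02T04:45:00",
    "2025-06-02T08:05:00", "2025-06-02T14:00:00", "2025-06-03T01:00:00",
    "2025-06-03T06:30:00", "2025-06-03T20:00:00",
]


def to_local(ts_utc: str, tz: timezone) -> datetime:
    """Parse a naive ISO-8601 UTC timestamp and shift it into tz."""
    return datetime.fromisoformat(ts_utc).replace(tzinfo=UTC).astimezone(tz)


def hourly_histogram(events_utc, tz=PYONGYANG) -> dict:
    """Count events per local hour of day; peaks show when operators are active."""
    return dict(Counter(to_local(ts, tz).hour for ts in events_utc))


def working_hours_share(events_utc, tz=PYONGYANG, start=9, end=18) -> float:
    """Fraction of events falling on a weekday between start and end o'clock in tz.

    Comparing this share across candidate time zones is the usual way to test
    whether activity lines up with an office day in a given region.
    """
    if not events_utc:
        return 0.0
    hits = 0
    for ts in events_utc:
        local = to_local(ts, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(events_utc)


if __name__ == "__main__":
    print(sorted(hourly_histogram(SAMPLE_EVENTS_UTC).items()))
    print(f"share in Pyongyang office hours: {working_hours_share(SAMPLE_EVENTS_UTC):.2f}")
    print(f"share in UTC office hours:       {working_hours_share(SAMPLE_EVENTS_UTC, UTC):.2f}")
```

On the sample, three quarters of the check-ins fall inside a Pyongyang weekday office window versus one eighth for UTC, which is the kind of contrast an analyst looks for before drawing conclusions about an operator's location.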

The attack also confirmed an old hypothesis: Lazarus is not a monolithic group but rather a collection of subgroups whose skill levels range from poor to world-class. The phishing was amateurish, but the malware and post-exploitation tooling were highly sophisticated.

This internal variation explains why the clumsiest attacks are caught early while others still make it past hardened defenses.

“Throughout the last few years, it appears that the group has divided into multiple subgroups that are not necessarily of the same technical sophistication. This can be observed through… bad practices coming from these ‘frontline’ groups that execute social engineering attacks when compared to the more sophisticated post-exploitation techniques.”
—BitMEX Security Team

The crypto community has responded with relief and increased vigilance. Experts point out that even the most skilled hacking groups fall victim to human error, and that proactive security measures, such as BitMEX's real-time intrusion detection, remain the best defense against them.

This is a wake-up call for both exchanges and users: watchfulness, rapid response, and sharing threat intelligence are critical. As BitMEX’s case shows, even the most sophisticated cybercriminals can leave a paper trail — if you know where to find it.

Source: BitMEX Exposes Lazarus Group: North Korean Hackers Slip Up