BitMEX Exposes Lazarus Group: North Korean Hackers Slip Up

In a shocking turn of events for cryptocurrency security, the BitMEX security team has dramatically illuminated the operations of the notorious North Korean hacking collective, Lazarus Group. This revelation, unveiled between May 31st and June 2nd, 2025, demonstrates how even the most skilled cybercriminals can be undone by carelessness, offering valuable lessons for safeguarding the entire sector.

The story began with a classic phishing attempt targeting one of BitMEX’s employees. The individual was contacted via LinkedIn and solicited to collaborate on a fake NFT marketplace project – a tactic mirroring the alleged modus operandi of Lazarus Group. Recognizing the potential scam, the employee promptly flagged the message, triggering an immediate, open-ended investigation by BitMEX’s dedicated security team.

Further investigation linked the attack to a GitHub repository containing malicious code specifically designed to steal credentials and sensitive system data. However, the most significant breakthrough came with the discovery of an open Supabase database used by the hackers to track infected devices. This database was far from a simple list of victims; it included usernames, hostnames, operating systems, geolocations and, crucially, IP addresses. The meticulous nature of this database provided a detailed snapshot of the Lazarus Group’s activities. BitMEX’s blog post, detailing the recovered Lazarus Group database records and IP logs, served as a critical resource for investigators and the wider crypto community.
What emerged was an unprecedented error – a hacker inadvertently exposed his actual IP address, revealing a residential address in Jiaxing, China, on the China Mobile network. This blatant mistake, virtually unheard of in state-sponsored cyber attacks, was a pivotal moment. Combined with the logs revealing VPN access and testing environments, it offered an unprecedented look into the daily operations of the Lazarus Group. BitMEX’s real-time monitoring capabilities have since collected hundreds of records, allowing the team to track activity patterns and working hours, which surprisingly overlap with a typical workday in Pyongyang.

This detailed tracking further solidified a key hypothesis: Lazarus Group isn't a monolithic entity but a combination of subgroups whose skill levels range from amateurish to world-class. The phishing attempt was rudimentary, but the malware and post-exploitation tooling demonstrated sophisticated capabilities. This internal variation is why some of the group's attacks are detected early while others manage to penetrate hardened defenses. As the BitMEX Security Team noted, "Throughout the last few years, it appears that the group has divided into multiple subgroups that are not necessarily of the same technical sophistication. This can be observed through… bad practices coming from these ‘frontline’ groups that execute social engineering attacks when compared to the more sophisticated post-exploitation techniques."
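The working-hours analysis described above can be reproduced on any set of timestamped tracking records. The following Python is an added example, not BitMEX's code: it takes a constructed sample of records (not the recovered database), bins activity by local hour, scores every whole-hour UTC offset by how much activity falls in a 09:00–18:00 workday, and separately lists source IPs seen only once, the pattern a single leaked residential address would show among repeated VPN exits. The +9 offset for Pyongyang and the 09–18 workday window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records (not the recovered database): UTC timestamps plus
# two of the fields the article says the tracking database held.
SAMPLE_RECORDS = [
    {"ts": "2025-06-01T00:10:00Z", "hostname": "dev-box-1", "ip": "198.51.100.5"},
    {"ts": "2025-06-01T01:30:00Z", "hostname": "dev-box-1", "ip": "198.51.100.5"},
    {"ts": "2025-06-01T03:00:00Z", "hostname": "dev-box-2", "ip": "198.51.100.5"},
    {"ts": "2025-06-01T04:45:00Z", "hostname": "dev-box-2", "ip": "198.51.100.9"},
    {"ts": "2025-06-01T06:20:00Z", "hostname": "dev-box-1", "ip": "203.0.113.77"},
    {"ts": "2025-06-01T08:15:00Z", "hostname": "dev-box-3", "ip": "198.51.100.9"},
    {"ts": "2025-06-01T13:00:00Z", "hostname": "dev-box-3", "ip": "198.51.100.5"},
]

# Assumption: Pyongyang is UTC+9 with no daylight saving time.
PYONGYANG = timezone(timedelta(hours=9))


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hour_histogram(records, tz) -> Counter:
    """Count records per local hour (0-23) in the given timezone."""
    hist = Counter()
    for rec in records:
        hist[parse_ts(rec["ts"]).astimezone(tz).hour] += 1
    return hist


def workday_fraction(records, tz, start=9, end=18) -> float:
    """Share of records whose local hour falls inside [start, end)."""
    hist = hour_histogram(records, tz)
    total = sum(hist.values())
    inside = sum(n for hour, n in hist.items() if start <= hour < end)
    return inside / total if total else 0.0


def best_fitting_offset(records, start=9, end=18) -> int:
    """Whole-hour UTC offset under which the most activity lands in the workday."""
    offsets = range(-12, 15)
    return max(offsets, key=lambda off: workday_fraction(
        records, timezone(timedelta(hours=off)), start, end))


def rare_sources(records, max_count=1):
    """Source IPs seen at most max_count times: candidates for an opsec slip."""
    counts = Counter(rec["ip"] for rec in records)
    return sorted(ip for ip, n in counts.items() if n <= max_count)
```

A real analysis should use a proper tz database and a larger window of days, since a handful of records cannot distinguish UTC+9 from neighbouring offsets with confidence.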
The cryptocurrency community responded with a mixture of relief and heightened vigilance. Experts emphasized that even the most skilled hacker groups are susceptible to human error, and that proactive security measures – such as BitMEX’s real-time intrusion detection – remain the most effective defense. This case serves as a critical wake-up call for both exchanges and users: vigilance, rapid response, and the sharing of threat intelligence are now more crucial than ever. As BitMEX’s experience illustrates, even the most sophisticated cybercriminals can leave a traceable paper trail – if the right investigators know where to look. The ability to uncover this level of detail highlights the importance of continuous monitoring and analysis in combating evolving cyber threats. The meticulous collection of data and the subsequent investigation underscore the potential for security teams to proactively identify and mitigate risks within the cryptocurrency landscape. Ultimately, this incident reinforces the need for a layered security approach, combining technical safeguards with a heightened awareness of potential vulnerabilities and attack vectors.