Peeking Through The Cyberwalls Of Lazarus Group
The BitMEX crypto exchange’s security team has uncovered critical operational security lapses within the notorious Lazarus Group, a North Korea (DPRK)-sponsored cybercrime syndicate.
The discovery was made during a counter-operations investigation, which exposed sensitive data including IP addresses, a database instance, and tracking algorithms used by the group to orchestrate cyberattacks.
According to the BitMEX report, one of the hackers may have inadvertently revealed their real IP address by failing to activate the VPN typically used to mask their location.
The unmasked IP traced back to Jiaxing, China, potentially offering a rare glimpse into the true geography of the group's operatives.
In a significant find, the BitMEX team also gained unauthorized access to a Supabase database instance—a platform often used by developers to quickly spin up app-friendly databases.
This particular instance appeared to be actively used by the Lazarus Group as part of its operational infrastructure.
BitMEX researchers highlighted a glaring asymmetry in the Lazarus Group’s operations. On one hand, relatively unsophisticated social engineering teams were tasked with luring unsuspecting victims—often through fake job offers or phishing emails.
On the other hand, highly advanced developers were responsible for crafting complex malware and code exploits to infiltrate systems and drain assets.
This imbalance, the report suggests, points to a fragmented structure within Lazarus, where sub-groups of varying technical expertise collaborate under a broader state-backed cybercrime strategy.
It also underscores the evolving tactics used to defraud users and penetrate high-value targets in the blockchain and tech industries.
Lazarus Group’s Ongoing Campaign of Cyberattacks
The report arrives amid an ongoing global crackdown on North Korean cybercriminal activity. Law enforcement and intelligence agencies worldwide have intensified scrutiny of Lazarus and its affiliates following a surge in sophisticated hacks and social engineering campaigns.
In September 2024, the U.S. Federal Bureau of Investigation (FBI) issued a formal warning about the group’s activities.
The advisory detailed tactics such as phishing attacks targeting crypto professionals under the guise of fake employment opportunities, a known Lazarus hallmark.
With more cybersecurity professionals and government agencies tracking the Lazarus Group, its evolving tradecraft continues to pose significant threats to the crypto ecosystem.
A recent report from Bloomberg suggested that world leaders may discuss the threat posed by the Lazarus hacking group at the next G7 Summit, along with strategies to mitigate the damage caused by the organisation.