BitMEX has intercepted a cyberattack that the exchange attributes to the Lazarus Group, a North Korean-linked hacking collective. Beyond neutralizing the threat, the exchange reverse-engineered the malware payload and uncovered rare operational missteps that shed light on the group's tactics.
The incident, disclosed Friday, began with a deceptive LinkedIn message, a classic social engineering lure. Such phishing attempts are common in the crypto industry, but this one bore the hallmarks of recent Lazarus campaigns against major platforms, including the high-profile Bybit exploit earlier this year.
BitMEX's investigation surfaced IP addresses tied to the attackers and a basic security failure on the attackers' own side: the database they used to store stolen data was left unsecured. The findings suggest that even state-linked actors like Lazarus make traceable errors, particularly when an operation is divided among teams of differing technical ability.
Inside the Phishing Attempt and BitMEX’s Investigation
The incident started when a BitMEX employee received a LinkedIn message proposing a collaboration on a Web3 NFT marketplace. The message included a link to a GitHub repository containing malicious code designed to run on the recipient's computer once the project was executed.
Rather than following the link, the employee reported the message internally. That report triggered a deeper investigation, during which BitMEX analysts found code tied to BeaverTail, a known malware strain previously attributed to Lazarus by Palo Alto Networks' Unit 42.
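The employee's decision not to run the repository is the control that mattered here. The following Python script is an added example, not BitMEX's tooling and not drawn from the page, showing the kind of pre-execution triage a security team can run over an untrusted Node.js repository before anyone types `npm install`: it flags npm lifecycle scripts, which execute automatically during installation, and common obfuscation or stager indicators in JavaScript files. A Node.js project is used because Unit 42 has publicly documented BeaverTail as JavaScript-based malware distributed through code repositories and npm packages; the page itself does not describe the repository's contents. The sample repository contents, the indicator list and the score weights are all constructed for this example.

```python
"""Pre-execution triage of an untrusted Node.js repository (added example)."""
import json
import re

# npm runs these scripts automatically during `npm install`, so a malicious
# repository can execute code before the victim opens a single file.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
LIFECYCLE_WEIGHT = 3

# Heuristics for obfuscated or stager-style JavaScript. The weights are
# assumptions chosen for this example, not published thresholds.
JS_INDICATORS = {
    "eval_or_function_ctor": (re.compile(r"\b(?:eval|new\s+Function)\s*\("), 3),
    "child_process": (re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"), 2),
    "hex_escape_run": (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), 2),
    "long_base64_blob": (re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"), 2),
    "remote_url": (re.compile(r"https?://[^\s'\"]+"), 1),
}
JS_EXTENSIONS = (".js", ".cjs", ".mjs")


def triage_package_json(text):
    """Return (hook, command) pairs for lifecycle scripts in package.json.
    A file that does not parse is itself reported, since it cannot be vetted."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("malformed", f"package.json did not parse: {exc}")]
    scripts = pkg.get("scripts", {}) if isinstance(pkg, dict) else {}
    return [(hook, scripts[hook]) for hook in LIFECYCLE_HOOKS if hook in scripts]


def triage_project(files):
    """files maps repo-relative path -> file text (a dict stands in for a clone).
    Returns (score, verdict, findings); findings are (indicator, path, evidence)."""
    score = 0
    findings = []
    if "package.json" in files:
        for hook, cmd in triage_package_json(files["package.json"]):
            findings.append((f"package_json:{hook}", "package.json", cmd))
            score += LIFECYCLE_WEIGHT
    for path, text in files.items():
        if not path.endswith(JS_EXTENSIONS):
            continue
        # Count each indicator once per file so one long blob cannot dominate.
        for name, (pattern, weight) in JS_INDICATORS.items():
            match = pattern.search(text)
            if match:
                findings.append((name, path, match.group(0)[:60]))
                score += weight
    verdict = "block" if score >= 5 else "review" if score else "ok"
    return score, verdict, findings


# Constructed sample: a "demo" repo whose postinstall hook runs a small stager
# that hides the module name behind hex escapes and builds code at runtime.
MALICIOUS_PROJECT = {
    "package.json": json.dumps({
        "name": "nft-marketplace-demo",
        "version": "1.0.0",
        "scripts": {"postinstall": "node lib/init.js", "start": "node server.js"},
    }),
    "lib/init.js": r'''
// Looks like a config loader, is actually a stager (constructed sample).
var p = "\x63\x68\x69\x6c\x64\x5f\x70\x72\x6f\x63\x65\x73\x73";
var f = new Function("return require")();
var cp = f(p);
eval(Buffer.from("Y29uc29sZS5sb2coJ2luaXQnKQ==", "base64").toString());
''',
    "server.js": "const http = require('http');\nhttp.createServer().listen(3000);\n",
}

# Constructed sample: an ordinary project with no lifecycle hooks.
BENIGN_PROJECT = {
    "package.json": json.dumps({
        "name": "hello",
        "version": "0.0.1",
        "scripts": {"start": "node index.js", "test": "node test.js"},
    }),
    "index.js": "const http = require('http');\nhttp.createServer((q, r) => r.end('ok')).listen(3000);\n",
}

if __name__ == "__main__":
    for label, project in (("constructed malicious repo", MALICIOUS_PROJECT),
                           ("constructed benign repo", BENIGN_PROJECT)):
        score, verdict, findings = triage_project(project)
        print(f"{label}: score={score} verdict={verdict}")
        for finding in findings:
            print("  ", finding)
```

The script is a triage aid, not a detector: an attacker can sidestep any fixed pattern list, so its purpose is to surface the two things a reviewer should never skip when handed an unsolicited repository, namely anything that runs during installation and anything that assembles code at runtime, and to do so before the project is ever executed.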
The real breakthrough came when analysts found that the malware uploaded stolen data to a Supabase database that the attackers had left unsecured. Because the database was accessible to outsiders, it exposed not only the exfiltrated data but also what appeared to be one of the attackers' own IP addresses.
Capitalizing on the mistake, BitMEX's security team built a custom monitoring tool that tracked activity in the database in real time. This let the team observe infection attempts as they happened and identify at least ten Lazarus-linked accounts used to test and deploy the malware.

BitMEX noted a sharp contrast within the operation. The phishing lure was relatively amateurish, while the malware and exfiltration tooling were highly sophisticated, suggesting that Lazarus divides its work among specialized subgroups of differing technical caliber.
Global Pressure Mounts on Lazarus Group Amid Crypto Cyber Threats
The Lazarus Group has long been a focus of international concern, with law enforcement and cybersecurity agencies intensifying scrutiny of its operations. Known for deploying elaborate phishing campaigns disguised as job offers or partnership requests, the group has orchestrated some of the largest crypto heists in history.
In September 2024, the U.S. Federal Bureau of Investigation issued a public alert about such tactics, identifying Lazarus as a persistent threat. By January 2025, the U.S., Japan, and South Korea jointly condemned the group’s activities, calling it a destabilizing force in global finance.
The urgency is growing. According to a recent Bloomberg report, G7 leaders may formally address Lazarus’s cyber activities at the upcoming summit, with proposals expected to include joint cybersecurity initiatives and coordinated diplomatic responses to state-sponsored crypto theft.
Quick Facts
- BitMEX thwarted a phishing attack linked to North Korea's Lazarus Group, exposing operational security lapses on the attackers' side.
- The scheme began with a LinkedIn message promoting a fake NFT project that linked to malware-hosting code on GitHub.
- BitMEX traced the malware to a known strain, “BeaverTail,” and uncovered an unsecured Supabase database used to store stolen data.
- Authorities in the U.S., Japan, and South Korea have increased scrutiny of Lazarus, with G7 leaders expected to address the group’s threat at an upcoming summit.