BitMEX discovers cybersecurity lapses in North Korea hacker group

The BitMEX crypto exchange’s security team discovered gaps in the operational security of the Lazarus Group, a North Korean (DPRK) government-sponsored cybercrime network. A counter-operations probe into the organization exposed IP addresses, a database, and tracking algorithms used by the malicious group.
Security researchers for the exchange say there is a strong likelihood that at least one hacker accidentally revealed his true IP address, which showed the actual location of the hacker to be in Jiaxing, China.
Additionally, the BitMEX researchers say they were able to gain access to an instance of the Supabase database used by the hacking group. Supabase is a platform for easily deploying databases with simple interfaces for applications.
According to the report, the analysis highlighted the asymmetry between the group’s low-skill social engineering teams, whose job is to funnel unsuspecting victims into downloading malicious software, and the sophisticated code exploits those victims then interact with, which are developed by highly skilled hackers.
This asymmetry signals that the North Korean state-affiliated hacking organization has splintered into separate sub-groups, with different levels of threat capabilities working together to defraud users, the BitMEX team said.
The report follows a series of high-profile hacking incidents, social engineering scams, and the infiltration of blockchain and tech companies attributed to the Lazarus Group and other North Korean-affiliated agents.
Federal law enforcement agencies and governments sound alarm on Lazarus Group
Federal law enforcement agencies and governments worldwide are increasingly probing the activities of hackers associated with the DPRK, sounding the alarm on a number of common scam strategies employed by these threat actors.
In September 2024, the United States Federal Bureau of Investigation (FBI) issued a warning about social engineering scams perpetrated by the DPRK-backed group, including phishing attempts targeting crypto users with fake employment offers.
The governments of Japan, the US, and South Korea echoed the FBI warning in January 2025 and characterized the hacking activity as a threat to the financial system.
A recent report from Bloomberg suggested that world leaders may discuss the threat of the Lazarus hacking group at the next G7 Summit and strategies to mitigate the damage caused by the DPRK-affiliated organization.