BitMEX Uncovers Holes in Lazarus Group's Operational Security

The BitMEX security team has made a groundbreaking discovery that exposes amateur-level operational security lapses in the Lazarus Group, a North Korean government-sponsored cybercrime network. This revelation comes as part of a counter-operations probe into the organization, which uncovered IP addresses, a database, and tracking algorithms used by the malicious group.

According to the BitMEX researchers, there is a strong likelihood that at least one hacker accidentally revealed his real IP address, which placed him in Jiaxing, China. This lapse highlights weaknesses in the operational security of the Lazarus Group, which has been touted as an elite hacking organization.

The BitMEX researchers also gained access to a Supabase database instance belonging to the hacking group; Supabase is a platform for quickly deploying databases with simple application interfaces. This unauthorized access provides valuable insight into the Lazarus Group's tactics and techniques, and further exposes its operational security weaknesses.

The analysis by the BitMEX team indicates that the Lazarus Group has splintered into separate sub-groups of differing capability that work together to defraud users. The contrast is stark: low-skill social engineering teams funnel unsuspecting victims into downloading malicious software, while the sophisticated code exploits those victims end up running are developed by far more capable hackers. This asymmetry points to a clearly divided operational structure.

This discovery comes as part of a growing concern about the Lazarus Group's activities, which have been linked to several high-profile hacking incidents, social engineering scams, and the infiltration of blockchain and tech companies. The group's tactics have been attributed to North Korean-affiliated agents, who have consistently demonstrated their ability to evade detection and exploit vulnerabilities in the global cybersecurity landscape.

The implications of this discovery are far-reaching, with federal law enforcement agencies and governments worldwide sounding the alarm about the activities of hackers associated with the Lazarus Group. The group's social engineering scams, which include phishing attempts that target crypto users with fake employment offers, have been particularly effective at luring unsuspecting victims into downloading malicious software.

In September 2024, the United States Federal Bureau of Investigation (FBI) issued a warning about social engineering scams perpetrated by the DPRK-backed group. The governments of Japan, the US, and South Korea echoed this warning in January 2025, characterizing the hacking activity as a threat to the financial system.

A recent report from Bloomberg suggests that world leaders may discuss the threat posed by the Lazarus hacking group, and strategies to mitigate the damage caused by the DPRK-affiliated organization, at the next G7 Summit. As the global community continues to grapple with the challenges posed by the Lazarus Group, it is essential to remain vigilant and proactive in defending against its tactics.