BitMEX Uncovers Operational Security Flaws in Lazarus Group

The North Korean state-affiliated hacking group, Lazarus Group, exhibits “amateur-level blunders” in operational security, according to findings from a BitMEX investigation.

Experts identified an IP address, a database, and tracking algorithms used by the cybercriminals.

One group member failed to use a VPN, exposing an IP address that placed them in Jiaxing, China. The slip surfaced after the hacker contacted a company employee via LinkedIn under the guise of an NFT partnership.

The attacker then tried to get the employee to run a GitHub project containing malicious code on their own machine. According to BitMEX representatives, this lure is a hallmark of the North Korean group's activities.
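The lure described above (getting a target to clone and run an unfamiliar GitHub project) is exactly the case where a few minutes of pre-run triage pays off. The following is an added example, not BitMEX's tooling and not anything from the original report: a small Python script that walks a cloned repository, flags npm lifecycle hooks that execute on `npm install`, and greps source files for common obfuscation and remote-execution indicators. The sample repository it scans is constructed inline, and the indicator list and file names are assumptions chosen to illustrate the check.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Assumed heuristics for a first-pass review of an untrusted repository.
# These are illustrative indicators, not a signature set from any report.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SUSPICIOUS_PATTERNS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "function_ctor": re.compile(r"new\s+Function\s*\("),
    "child_process": re.compile(r"child_process|execSync|spawnSync"),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
    "hex_escape_run": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    "remote_fetch": re.compile(r"https?://[^\s'\"]+"),
}
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".py", ".sh"}
SKIP_DIRS = {"node_modules", ".git"}


def scan_package_json(path: Path) -> list:
    """Report scripts that run automatically during `npm install`."""
    findings = []
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError):
        return findings
    scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append({"file": str(path), "kind": f"lifecycle:{hook}",
                             "detail": scripts[hook]})
    return findings


def scan_source_file(path: Path) -> list:
    """Report the first match of each suspicious pattern in a source file."""
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        match = pattern.search(text)
        if match:
            findings.append({"file": str(path), "kind": name,
                             "detail": match.group(0)[:60]})
    return findings


def triage_repo(root: Path) -> list:
    """Walk a cloned repository and collect all findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for filename in filenames:
            path = Path(dirpath) / filename
            if filename == "package.json":
                findings.extend(scan_package_json(path))
            elif path.suffix in SOURCE_SUFFIXES:
                findings.extend(scan_source_file(path))
    return findings


def build_sample_repo() -> Path:
    """Constructed sample repository for demonstration; not a real artefact."""
    root = Path(tempfile.mkdtemp(prefix="repo-triage-"))
    (root / "package.json").write_text(json.dumps({
        "name": "nft-partnership-demo",  # assumed project name
        "scripts": {"postinstall": "node ./scripts/setup.js", "test": "jest"},
    }), encoding="utf-8")
    (root / "scripts").mkdir()
    # A long base64 blob decoded and executed via the Function constructor:
    # the shape of a typical install-time dropper (payload is harmless filler).
    payload = "QUJD" * 25
    (root / "scripts" / "setup.js").write_text(
        f"const payload = '{payload}';\n"
        "new Function(Buffer.from(payload, 'base64').toString())();\n",
        encoding="utf-8")
    (root / "src").mkdir()
    (root / "src" / "index.js").write_text(
        "console.log('hello from a benign file');\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in triage_repo(build_sample_repo()):
        print(f"{finding['kind']:<22} {finding['file']}\n    {finding['detail']}")
```

Run it against a real clone with `triage_repo(Path("/path/to/clone"))`. Any lifecycle hook is worth reading before installing, because `npm install` runs it without prompting; a hook that chains into a file full of base64 or `new Function` calls is the point to stop and open the code in a sandbox instead of on the workstation.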

Analysts also gained access to the group's Supabase instance, a hosted backend platform that bundles a database with a simple API layer, which Lazarus used to back its applications.

The analysis revealed a connection between the low-skilled social engineering team members and their colleagues responsible for identifying code vulnerabilities. BitMEX suggested the existence of subgroups within the organization with varying levels of expertise.

Back in March 2025, North Korean hackers attempted to breach crypto entrepreneurs via Zoom. In the same month, the hackers opened a new line of attack on digital assets through the developer platform GitHub.

In April, Manta Network co-founder Kenny Li disclosed details of an attempted hack, allegedly orchestrated by Lazarus.
