BitMEX researchers have uncovered critical security lapses in the operations of North Korea’s Lazarus Group, shedding light on their infrastructure and exposing rare vulnerabilities.
Key Findings:
- BitMEX identified major security flaws in the notorious Lazarus Group, linked to North Korea.
- A rare IP leak revealed a hacker’s real location in Jiaxing, China.
- G7 leaders plan to tackle North Korea’s rising crypto thefts in their upcoming summit.
Lazarus Group’s Operational Weaknesses Exposed
BitMEX’s security team conducted an in-depth investigation, revealing technical missteps that exposed parts of the group’s infrastructure. Among the discoveries were:
- Exposed IP addresses (including one from China).
- An unsecured Supabase database used by the hackers.
- Tracking algorithms employed in their cyber campaigns.
A Rare Mistake: Hacker’s Real IP Leaked
In an unusual slip-up, a Lazarus operative accidentally exposed his real IP address, leading researchers to a location in Jiaxing, China. This is a rare oversight for a group known for its secrecy.
Additionally, BitMEX gained access to a Supabase database instance used by the hackers. Their use of Supabase, a hosted platform that simplifies database management, indicates that Lazarus is adopting more modern tooling in its operations.
Internal Divide: Low-Skill vs. High-Tech Hackers
The report highlights a growing divide within Lazarus:
- Low-skill teams focus on social engineering (e.g., phishing scams, fake job offers).
- Advanced developers create sophisticated malware targeting blockchain and tech firms.
This fragmentation suggests varying skill levels within the group, with some relying on basic scams while others execute complex cyberattacks.
Global Concerns and Law Enforcement Actions
Lazarus remains a major threat to the crypto industry. Recent warnings from the FBI, Japan, and South Korea highlight their use of fake job offers to infiltrate crypto firms.
Now, the G7 is stepping in. According to reports, world leaders will discuss coordinated strategies to counter North Korea’s cybercrime operations at their upcoming summit.
North Korea’s Crypto Theft Spree: A Growing Crisis
The G7 summit in Canada will address North Korea’s escalating cyberattacks, which are believed to fund its weapons programs.
The Lazarus Group has been linked to multiple high-profile heists, including:
- $1.4 billion stolen from Bybit (February 2024).
- Over $1.3 billion stolen in 47 attacks (Chainalysis 2024 report).
North Korea also infiltrates crypto firms by placing rogue IT workers inside companies—a tactic flagged by U.S., Japanese, and South Korean authorities.
Evolving Tactics: Fake Companies & Malware
Lazarus has adapted by:
- Setting up U.S.-based shell companies to distribute malware (April 2024).
- Posing as job candidates to breach exchanges (e.g., Kraken’s recent thwarted infiltration).
Final Thoughts: Can Lazarus Be Stopped?
BitMEX’s findings provide crucial insights into Lazarus’ vulnerabilities, offering potential ways to disrupt their operations. However, with their adaptability and state backing, the fight against North Korea’s cybercrime remains an ongoing challenge.
As the G7 prepares to take action, the crypto industry must stay vigilant against social engineering, malware, and insider threats.