BitMEX Exposes Critical Vulnerabilities in North Korea’s Lazarus Hacking Playbook
Security researchers at BitMEX just dropped a bombshell report—turns out even state-sponsored hackers cut corners. The notorious Lazarus Group, North Korea’s crypto-thieving arm, left glaring flaws in their ops. Who said cybercrime doesn’t have a QA problem?
Active exploits, sloppy OpSec, and enough digital breadcrumbs to trace back to Pyongyang. Maybe they should’ve spent less on propaganda and more on pen-testing. Classic case of ‘move fast and break things’—except when you’re stealing millions, that tends to backfire.
Meanwhile, Wall Street still can’t tell a private key from a house key. Priorities, people.
Rare Slip Exposes Lazarus Hacker’s IP Address in China
One key finding suggests that a hacker likely exposed his real IP address during an operation, pinpointing a location in Jiaxing, China — a rare lapse for the highly secretive group.
Researchers also gained access to a Supabase database instance used by the attackers.
Supabase is a platform that simplifies database deployment, and its use by Lazarus highlights the group’s evolving operational tools.
BitMEX’s report underscores a growing divide in the group’s internal structure.
It notes an “asymmetry” between low-skill social engineering teams, responsible for tricking users into downloading malware, and the more advanced developers creating sophisticated exploits.
The fragmentation suggests that Lazarus has splintered into sub-groups with varying capabilities.
While some cells rely on basic social engineering, others deploy complex technical attacks targeting the blockchain and tech sectors.
North Korea is funding its weapons program with cryptocurrency stolen through cyberattacks. Hackers stole more than $50 million from at least three cryptocurrency exchanges between 2020 and mid-2021, according to a U.N. report https://t.co/EkLEJwPjdj
— Reuters (@Reuters) February 8, 2022
The findings come amid a wider surge in DPRK-linked cyber activity. Global law enforcement agencies continue to investigate the group’s operations.
In September 2024, the FBI warned about phishing scams using fake job offers to lure crypto users.
That warning was later echoed by officials from Japan, South Korea, and the U.S., who labeled Lazarus a threat to financial stability.
Now, international concern is growing. A Bloomberg report suggests world leaders may address the Lazarus threat at the upcoming G7 Summit, exploring coordinated strategies to mitigate damage from the group’s activities.
With Lazarus remaining an active force in the crypto threat landscape, BitMEX’s findings offer new insights into the group’s operational vulnerabilities — and potential avenues for disruption.
G7 to Address North Korea’s Crypto Theft Surge
G7 leaders are expected to address North Korea’s escalating cyberattacks and cryptocurrency thefts at next month’s summit in Canada.
While global conflicts remain high on the agenda, Pyongyang’s cyber operations, seen as a key funding source for its weapons programs, are drawing urgent attention from member states seeking coordinated action.
The Lazarus Group, North Korea’s most infamous hacking collective, is believed to be behind a series of major crypto thefts, including a record $1.4 billion heist from exchange Bybit in February.
Chainalysis has claimed that North Korean-linked actors stole over $1.3 billion across 47 separate incidents in 2024 alone.
Beyond external hacks, the regime employs rogue IT workers to infiltrate crypto firms from within — a tactic flagged in a joint warning from the U.S., Japan, and South Korea.
North Korean cyber strategies continue to evolve. In April, Lazarus-linked operatives reportedly set up U.S.-based shell companies to distribute malware to crypto developers.
Kraken recently thwarted an infiltration attempt by a suspected North Korean posing as a job candidate.
BREAKING: KRAKEN CAUGHT A NORTH KOREAN HACKER TRYING TO STEAL ITS #BITCOIN
THIS IS WILD!!