TLDR
- BitMEX’s security team has been tracking the Lazarus Group.
- While the attacks are sophisticated, the group has gotten a little sloppy lately.
- The security team was able to find IP addresses and other information on how the group operates.
The Lazarus Group, a notorious North Korean government-backed hacking organization, is known for its extensive cybercrime operations targeting crypto platforms worldwide. Lazarus is infamous for a unique blend of low-tech phishing campaigns and sophisticated post-exploitation techniques.
Recent findings by the BitMEX crypto exchange’s security team may have brought international authorities closer to unraveling the group’s operations, revealing patterns, vulnerabilities, and even a rare slip-up by a hacker.
What Did BitMEX Discover?
BitMEX security researchers conducted a counter-ops investigation following a LinkedIn phishing attempt targeting one of their employees.
The probe uncovered lapses in the operational security (OpSec) of Lazarus, providing insights into their infrastructure and tactics. Their key findings included:
Unmasking IP Addresses
For years, Lazarus members have effectively masked their true locations using VPNs and proxies. However, during the probe, one hacker inadvertently revealed their real IP address.
The address pointed to a residential China Mobile IP in Jiaxing, China, rather than the usual VPN or proxy servers Lazarus is known to use. This rare mistake provided valuable insight into one of the group’s physical locations.
Leveraging a Supabase Database
The investigation also unearthed an exposed Supabase database used by Lazarus. Supabase, a platform that simplifies database deployment for developers, routed sensitive tracking data such as the usernames, hostnames, operating system details, geolocation, and other metadata about victims’ devices.
Due to a common error in configuring database permissions, researchers were able to access these logs and identify patterns that exposed Lazarus operations.
Insights Into the Inner Workings
The database logs revealed recurring usernames, such as “Victor” and “GHOST72,” which were associated with specific VPNs, including Touch VPN and Astrill VPN.
This information, coupled with timestamps, enabled researchers to analyze Lazarus’s active hours, uncover schedules suggesting Pyongyang time-zone alignment, and even locate development activity, hinting at the hackers’ workflow.
A Deeper Look Into Lazarus Tactics
BitMEX’s findings reaffirm how Lazarus blends rudimentary phishing with advanced exploitation techniques. Here’s a breakdown of their approach:
1. Phishing for Initial Access
Lazarus frequently begins attacks with social engineering. The BitMEX employee targeted with phishing received a LinkedIn message about a supposed collaboration on an NFT project. A private GitHub repository was then shared, containing a Next.js/React website designed to lure the victim into running malicious code.
Researchers identified malicious JavaScript embedded within the project. Using analysis tools like Webcrack, they uncovered obfuscated scripts designed to steal credentials, execute commands, and inject malware into victim machines.
2. Advanced Post-Exploitation Techniques
Once access is gained, Lazarus transitions to advanced post-exploitation techniques. An example detailed in the discovery relates to an earlier Bybit breach, where attackers progressed from phishing to accessing AWS accounts, allowing them to compromise security systems fully.
Such transitions indicate their technical expertise and operational segmentation, distinguishing entry-level operatives from post-exploitation specialists.
3. Use of Obfuscated Malware
The recovered JavaScript malware exhibited patterns similar to those seen in past Lazarus campaigns, such as the “BeaverTail” campaign documented by Palo Alto’s Unit 42.
By analyzing their tools, BitMEX researchers confirmed Lazarus’s signature modus operandi, which involves tracking algorithms, malware execution layers, and deceptive JavaScript blocks.
Operational Security Gaps and Their Impact
The errors uncovered during this investigation offer a rare glimpse into the vulnerabilities of an otherwise cunning hacking group:
- Sloppy VPN Use: The accidental use of a residential IP address in Jiaxing, China, demonstrates lapses in adherence to proper VPN protocols, potentially exposing key actors.
- Database Misconfigurations: Leaving Supabase permissions improperly configured was a significant oversight, as it enabled external researchers to access the logs and track their activity.
- Poor Malware Deployment: Commented-out malicious code, as discovered in BitMEX’s investigation, suggests rushed or reused malware structures, further exemplifying disjointed OpSec.
These OpSec gaps could indicate overconfidence or lack of oversight within Lazarus’s increasingly decentralized layers.
The Lazarus Threat to Cryptocurrency
Lazarus has a long history of targeting cryptocurrency platforms, with high-profile breaches at ByBit, Coincheck, and KuCoin on its record, costing the industry billions of dollars. Their tactics pose considerable risks to the burgeoning decentralized finance (DeFi) space and compromise user trust.
- Economic Impact: Multi-million-dollar (sometimes billion) heists can cripple platforms and financially harm investors.
- Erosion of Trust: Frequent breaches harm consumer confidence in cryptocurrency services.
- Intelligence Risks: Sensitive data stolen in these attacks can be leveraged for broader geopolitical initiatives.
Can We Really Stop Lazarus?
Unfortunately…we don’t know. It’s not like the North Korean government has ever, or will ever, play nice with authorities. But now that users and security teams have more information on how they do things, it’s a step closer to preventing them from doing it in the future.
So, in the short term, probably not. But in the long term? It’s definitely possible.
Despite their vulnerabilities, Lazarus remains a dangerous adversary with significant resources and state backing. However, discoveries like BitMEX’s recent findings provide critical intelligence that could aid global efforts to curb their impact.
Shutting Down Lazarus One Mistake at a Time
The battle against Lazarus is far from over, but slip-ups like leaked IP addresses and unsecured databases offer rare opportunities to understand and combat their operations. BitMEX’s findings underscore the importance of vigilance, collaboration, and continuous threat monitoring in an industry plagued by cybercrime.
While Lazarus may continue their methods, their operational vulnerabilities remind us that even the most prolific groups are not invincible. Every mistake brings us closer to shutting them down for good.
About the Author
Leaderboard
Only Top 10 users qualify for monthly $100 drawing.
| Rank | Points | |
|---|---|---|
 1 | Jillianne R. |  119 |
| 2 | Phillip W. | 119 |
| 3 | Baffa O. | 119 |
| 4 | James C. | 119 |
| 5 | Male T. | 119 |
| 6 | Ron B. | 119 |
| 7 | Moses O. | 119 |
| 8 | Saifu A. | 119 |
| 9 | Lidya I. | 119 |
| 10 | Kofi K. | 119 |
| 11 | Mustafe O. | 119 |
| 12 | Musa S. | 118 |
| 13 | Dany T. | 118 |
| 14 | Lalisa F. | 118 |
| 15 | Ernest L. | 118 |
| 16 | Eric A. | 118 |
| 17 | John P. | 118 |
| 18 | David D. | 118 |
| 19 | Barry S. | 118 |
| 20 | Genuine C. | 118 |
| 21 | Dan B. | 118 |
| 22 | James A. | 118 |
| 23 | Menelik G. | 117 |
| 24 | Kyakonye S. | 117 |
| 25 | Asfaw I. | 117 |
| 26 | Khaleeq A. | 117 |
| 27 | Wayne C. | 117 |
| 28 | Mohamed N. | 117 |
| 29 | Hamza K. | 117 |
| 30 | ALIYU Y. | 117 |
| 31 | Soly N. | 117 |
| 32 | David B. | 116 |
| 33 | Nathan H. | 116 |
| 34 | Nour E. | 116 |
| 35 | Bello U. | 116 |
| 36 | Nazeeh K. | 116 |
| 37 | Anselme D. | 116 |
| 38 | Muhammmad H. | 116 |
| 39 | Sherry D. | 116 |
| 40 | Abubeker A. | 116 |
| 41 | Kenneth J. | 115 |
| 42 | Carlos M. | 106 |
| 43 | William M. | 105 |
| 44 | Okello A. | 105 |
| 45 | Obey T. | 101 |
| 46 | Michael R. | 101 |
| 47 | Lucy A. | 99 |
| 48 | David C. | 98 |
| 49 | Hilik T. | 98 |
| 50 | Gabrielle G. | 97 |
| 51 | Kimberley S. | 95 |
| 52 | Mich O. | 94 |
| 53 | Oyetunji S. | 93 |
| 54 | Latrice S. | 92 |
| 55 | THEOBALD S. | 92 |
| 56 | hanad A. | 84 |
| 57 | Pavan C. | 84 |
| 58 | Kyarugaba S. | 83 |
| 59 | Michael M. | 82 |
| 60 | Rosalio S. | 82 |
| 61 | Tha H. | 82 |
| 62 | Hossana E. | 82 |
| 63 | John H. | 82 |
| 64 | PaulShultis S. | 64 |
| 65 | Gashaw N. | 63 |
| 66 | Jeremiah A. | 63 |
| 67 | Alam Z. | 62 |
| 68 | FRANK I. | 61 |
| 69 | Melkamu A. | 61 |
| 70 | Akeem A. | 58 |
| 71 | OSAMEDE O. | 56 |
| 72 | Isaac O. | 56 |
| 73 | Olorunwa M. | 56 |
| 74 | Yashin S. | 55 |
| 75 | Erbs M. | 55 |
| 76 | John S. | 55 |
| 77 | Shiferaw T. | 54 |
| 78 | Richard P. | 54 |
| 79 | Mbongiseni S. | 54 |
| 80 | Christian C. | 54 |
| 81 | james_bolinda | 54 |
| 82 | Ronald H. | 53 |
| 83 | Sean S. | 43 |
| 84 | Kenneth B. | 42 |
| 85 | Aimee B. | 40 |
| 86 | Jamil B. | 40 |
| 87 | Muhammad I. | 37 |
| 88 | Expert E. | 36 |
| 89 | Raz E. | 36 |
| 90 | Juma G. | 35 |
| 91 | Shom S. | 35 |
| 92 | Somadina O. | 35 |
| 93 | Carlos P. | 35 |
| 94 | Kenneth J. | 35 |
| 95 | Ade N. | 35 |
| 96 | jtcraw | 35 |
| 97 | Bekele W. | 32 |
| 98 | Glen M. | 32 |
| 99 | DAVISON P. | 31 |
| 100 | Martins M. | 31 |
 | 0 |
Countdown to next draw
days
hours
minutes
seconds
