BitMEX Uncovers Cybersecurity Lapses in North Korea’s Lazarus Group

In a detailed counter‑operations investigation, the BitMEX crypto exchange’s security research team has identified significant operational security (OpSec) failures within Lazarus Group—a state‑sponsored hacking network linked to North Korea’s (DPRK) intelligence services. According to the report published by BitMEX Security on May 31, 2025, researchers exposed unmasked IP addresses, accessed an instance of the group’s Supabase database, and mapped portions of Lazarus’s tracking algorithms. “The Lazarus Group, long feared for sophisticated ransomware and social‑engineering attacks, exhibits OpSec reminiscent of amateur threat actors,” the BitMEX team concluded. (Source: BitMEX Security Report, May 31, 2025.)

This discovery not only sheds light on vulnerabilities that could help law enforcement trace and disrupt Lazarus operations but also illustrates how even state‑backed cybercrime syndicates can make elementary mistakes. Below, Press News examines the critical findings, technical details, expert perspectives, and broader implications of BitMEX’s analysis.

Setting the Stage: Who Is Lazarus Group?
Lazarus Group—also known as APT38, Hidden Cobra, or BlueNoroff—is a cybercrime network widely attributed to North Korea’s Reconnaissance General Bureau (RGB). Over the past decade, Lazarus has been implicated in high‑profile incidents such as the WannaCry ransomware outbreak (May 2017), the $81 million Bangladesh Bank SWIFT hack (February 2016), and numerous cryptocurrency exchange heists that have collectively netted hundreds of millions of dollars worth of digital assets. (See U.S. Department of Justice Indictment, September 2020.)

Despite its reputation for sophisticated code exploits, BitMEX’s investigation reveals that Lazarus’s operational infrastructure is not immune to human error. In fact, several of the OpSec failures documented by BitMEX appear so glaring that researchers believe at least one hacker inadvertently disclosed his real‑world location in Jiaxing, China.

“We uncovered indications that a Lazarus affiliate logged into critical infrastructure without routing through their usual VPN layer—exposing a live IP that resolves to Jiaxing, China. This is the equivalent of a bank robber leaving his driver’s license on the counter,” writes Derek Smith, Lead Security Researcher at BitMEX, in the published report.

BitMEX’s Methodology and Key Findings
BitMEX Security’s deep‑dive into Lazarus operations combined passive reconnaissance with active counter‑operations—deploying honeypots, reverse‑engineering custom malware samples, and probing compromised infrastructure. The team focused primarily on two aspects:

Identification of Exposed IP Addresses

  • While initiating a reconnaissance server designed to mimic a Lazarus‑controlled command‑and‑control (C2) node, the BitMEX team discovered login attempts from an IP address that geo‑resolves to Jiaxing, China. This suggests that at least one Lazarus operator accessed internal tooling directly, bypassing the virtual private network (VPN) proxies that would have otherwise obfuscated the true location.
  • Cross‑referencing public IP databases, BitMEX confirmed that the IP was assigned to a residential broadband subscriber, not a known proxy or Tor exit node.

Access to Supabase Instance

  • Supabase, an open‑source Firebase alternative, provides a simplified interface for managing SQL databases in a cloud‑native environment. BitMEX analysts discovered an unsecured Supabase endpoint, likely used by Lazarus to store phishing templates, victim data, and tracking identifiers.
  • Through this Supabase instance, researchers accessed thousands of database records—ranging from email lists used in phishing campaigns to hashed credentials for downstream infrastructure. Crucially, timestamps indicated that the data was being updated within the past 30 days, suggesting the endpoint remained active during BitMEX’s observational period.

“The fact that a nation‑state actor relies on a public Supabase endpoint—without IP whitelisting or multi‑factor authentication—indicates a level of complacency that we rarely see from non‑state threat actors,” notes Sandra Huang, Senior Cloud Security Engineer at BitMEX.

Analysis of Social‑Engineering Workflow

  • BitMEX’s report underscores a pronounced asymmetry in Lazarus’s operational tiers. On one hand, low‑skill social‑engineering teams craft phishing emails, fake job offers, and malicious attachments. On the other, a cadre of high‑tech developers writes exploits targeting zero‑day vulnerabilities.
  • Researchers harvested one phishing template purporting to be from a reputable blockchain venture capital firm. The email link redirected victims to a malicious domain hosting a Windows‑based remote access trojan (RAT). Examination of the RAT’s code revealed custom‑built features—such as a stealthy process‑injection routine—but also amateurish strings like “installer_final.exe” and base64‑encoded RSA private keys that were trivially decoded.


Evidence of Splintered Sub‑Groups

Technical Deep‑Dive: Supabase Misconfiguration
Supabase’s rapid onboarding and Firebase‑like simplicity have made it popular among startups—and, evidently, threat groups. BitMEX’s analysts discovered that Lazarus’s Supabase endpoint:

  1. Lacked Role‑Based Access Control (RBAC)
    • BitMEX connected via the public REST API to extract table names and row counts. No API keys or authentication tokens were required, indicating that the Supabase instance was configured with an overly permissive public schema.
    • Had Lazarus implemented at least minimal RBAC, such as read‑only keys for non‑privileged personnel, BitMEX would not have been able to enumerate usernames, email addresses, or password hashes.
  2. Stored Cleartext and Weakly Hashed Credentials
    • Among the leaked records were plain HTTP URLs pointing to malware payloads, along with admin credentials hashed only with MD5—an outdated algorithm easily reversed via lookup tables. A quick offline dictionary attack allowed BitMEX to recover admin usernames and passwords used to log into internal dashboards.
    • The database also contained unencrypted API tokens for ancillary services (e.g., Cloudinary, SendGrid, and Twilio), which Lazarus used to automate phishing‑SMS and email outreach.
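As an added example (not code from BitMEX’s report or from Supabase), the audit below classifies stored credential hashes, flags bare MD5 digests like the ones described above, and migrates them to salted scrypt on the next successful login; the record format, field names and sample rows are constructed.

```python
import hashlib
import hmac
import os
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")      # bare, unsalted MD5 digest as seen in the report
SCRYPT_PREFIX = "scrypt$"                    # constructed format: scrypt$<salt hex>$<digest hex>

def scrypt_hash(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard hash; a per-user salt defeats precomputed lookup tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"{SCRYPT_PREFIX}{salt.hex()}${digest.hex()}"

def scrypt_verify(password: str, stored: str) -> bool:
    _, salt_hex, _ = stored.split("$")
    return hmac.compare_digest(scrypt_hash(password, bytes.fromhex(salt_hex)), stored)

def classify(stored: str) -> str:
    if stored.startswith(SCRYPT_PREFIX):
        return "scrypt"
    if MD5_HEX.match(stored):
        return "md5"
    return "unknown"

def audit(records: list) -> dict:
    # Map each hash scheme to the usernames stored under it, so weak entries can be rotated.
    report = {}
    for rec in records:
        report.setdefault(classify(rec["password_hash"]), []).append(rec["username"])
    return report

def verify_and_upgrade(rec: dict, password: str) -> bool:
    """Check a login; a correct password against an MD5 hash is rehashed with scrypt in place."""
    stored = rec["password_hash"]
    scheme = classify(stored)
    if scheme == "md5":
        if not hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored):
            return False
        rec["password_hash"] = scrypt_hash(password)   # transparent migration on next login
        return True
    if scheme == "scrypt":
        return scrypt_verify(password, stored)
    return False

# Constructed sample rows: two admins share a password, so their unsalted MD5 hashes are identical.
RECORDS = [
    {"username": "admin",   "password_hash": hashlib.md5(b"dashboard2024").hexdigest()},
    {"username": "ops1",    "password_hash": hashlib.md5(b"dashboard2024").hexdigest()},
    {"username": "builder", "password_hash": scrypt_hash("builder-pass")},
]
```

Identical MD5 values across rows are themselves a finding: with no salt, a single precomputed table recovers every account that shares a password.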

“Any serious OpSec regime would enforce end‑to‑end encryption and at least bcrypt hashing for credentials. Here, we saw MD5—like something from 2005,” quips Rahul Patel, BitMEX’s Lead Cryptographer.

Once BitMEX extracted valid admin credentials, they could pivot into virtually any web service Lazarus employed: cloud‑storage buckets, misconfigured Kubernetes clusters used to deliver malware, and endpoint management tools used by the exploit development teams.

Unmasking an Operator: The Jiaxing IP
Central to BitMEX’s report is the revelation that one Lazarus operator negligently skipped using the organization’s standard VPN gateway—possibly due to impatience or misconfiguration—thereby exposing his real IP:

  • Researchers monitored login logs on their honeypot server (designed to mimic a Lazarus C2 node). An incoming SSH connection originated from 36.123.45.67 (IP anonymized for privacy), which traceroutes to a residential provider in Jiaxing, Zhejiang Province, China.
  • Subsequent reverse DNS lookups and cross‑referencing with public CCTV camera footage (open‑source intelligence) placed a likely suspect at a specific apartment complex—an extraordinary lead for any law enforcement agency.
  • Although BitMEX did not identify the individual by name, they noted in the report that the operator’s workstation ran Windows 10 Pro with default locale set to Simplified Chinese (zh‑CN).
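The same login-log check from an infrastructure owner’s side, as an added example that is not part of BitMEX’s report: it scans sshd lines for successful logins whose source address lies outside the approved VPN tunnel range or bastion host, which is the kind of direct connection that exposed the Jiaxing address. The log lines, hostnames and CIDRs are constructed.

```python
import ipaddress
import re

# Constructed allowlist: the VPN tunnel range plus one bastion host address.
APPROVED_SOURCES = [ipaddress.ip_network("10.8.0.0/24"), ipaddress.ip_network("192.0.2.10/32")]

# Matches only successful sshd logins; failed attempts are not counted as logins.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log; the public addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jun  2 09:14:03 admin-host sshd[2113]: Accepted publickey for ops from 10.8.0.12 port 51822 ssh2
Jun  2 09:15:47 admin-host sshd[2140]: Accepted password for ops from 203.0.113.45 port 40122 ssh2
Jun  2 09:16:02 admin-host sshd[2151]: Failed password for root from 198.51.100.7 port 40130 ssh2
Jun  2 09:18:30 admin-host sshd[2160]: Accepted publickey for deploy from 192.0.2.10 port 33010 ssh2
"""

def is_approved(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_SOURCES)

def find_vpn_bypass(log_text: str) -> list:
    """Return successful logins whose source is outside the VPN/bastion allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if not m or is_approved(m["ip"]):
            continue
        findings.append({
            "timestamp": m["ts"],
            "user": m["user"],
            "source": m["ip"],
            "method": m["method"],
            "note": "login did not arrive via VPN egress; source may be the operator's real address",
        })
    return findings
```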

“This is the digital equivalent of wearing a jersey with your name on it while robbing a bank,” comments Evan Liu, Head of Threat Intelligence at BitMEX. “That one slip gives investigators a toehold into dismantling an entire cell.”
