- BitMEX security found Lazarus Group weaknesses, exposing real IP addresses, a database, and tracking tools used by the hackers.
- Researchers believe one hacker accidentally revealed his real IP address, placing his actual location in Jiaxing, China.

Security analysts at the BitMEX crypto exchange identified weaknesses in the operational practices of the Lazarus Group. This North Korean state-sponsored hacking network was the subject of a counter-operations investigation by BitMEX. The probe revealed specific digital traces left behind by the group.

The investigation uncovered active Internet Protocol (IP) addresses used by the hackers. It also exposed an internal database and tracking tools employed by the malicious actors. BitMEX researchers state a high probability exists that at least one hacker made a critical mistake. This individual appears to have accidentally revealed his real, uncloaked IP address during operations.
Analysis of this IP address places the hacker’s actual location in Jiaxing, China.
Furthermore, the BitMEX team gained access to a specific instance of a Supabase database that Lazarus Group used. Supabase offers simplified interfaces for deploying and managing databases for applications. This access provided a direct view into some of the group’s infrastructure.
BitMEX’s analysis revealed a clear difference in skill levels within Lazarus. The report describes teams conducting low-skill social engineering. These teams funnel unsuspecting victims toward downloading harmful software. However, this activity connects to far more complex code exploits. High-skill hackers developed these sophisticated technical attacks.
The BitMEX team interprets this skill gap as evidence of structural change.
They believe the North Korean hacking organization has divided into distinct sub-groups. These sub-groups possess different levels of technical ability. They cooperate to defraud users.

This finding follows numerous documented incidents. High-profile hacks, social engineering scams, and infiltrations of blockchain and technology companies have occurred. Authorities attribute these actions to the Lazarus Group and other North Korean agents.
Federal agencies and governments worldwide are escalating their scrutiny. They are actively probing activities linked to DPRK-associated hackers. These entities are raising alarms about common scam methods used by these threat actors.
In September 2024, the United States Federal Bureau of Investigation (FBI) issued a public alert. The warning concerned social engineering scams run by the DPRK-backed Lazarus Group. These scams included phishing attempts. The attempts targeted cryptocurrency users using fake job offers.
Governments joined this warning in January 2025.
Japan, the US, and South Korea collectively characterized the hacking activity. They labeled it a direct threat to the international financial system. A recent Bloomberg report suggested world leaders might address the Lazarus threat. Discussion could occur at the next G7 Summit. Strategies to reduce the damage caused by the DPRK-affiliated group would be a key topic.