BitMEX blocked a cyberattack by North Korea’s Lazarus Group on May 30, 2025.
Hackers used a fake NFT partnership scam via LinkedIn to target an employee.
A GitHub repository contained malicious code aimed at compromising systems.
The investigation exposed a hacker’s real IP address in Jiaxing, China, after an operational security error.
Lazarus Group’s activity dropped between 5 p.m. and 10 p.m. Pyongyang time.
BitMEX, a cryptocurrency exchange, stopped a cyberattack attempt by North Korea’s Lazarus Group on May 30, 2025. The hackers targeted an employee through a LinkedIn message, offering a fake NFT partnership. The exchange’s security team identified the scam and traced the malicious tactics.
The attack began when a BitMEX employee received a LinkedIn proposal for a Web3 NFT collaboration. The message directed the employee to a private GitHub repository containing a Next.js/React project. Hidden within the code was a malicious payload designed to compromise the employee’s system.
BitMEX’s security team intervened after the employee reported the suspicious offer. They examined the GitHub repository and found obfuscated JavaScript code meant to steal data. The team described the method as a common tactic used by the Lazarus Group, known for state-sponsored cybercrime.
Lazarus Group’s Tactics Exposed
The investigation revealed the hackers’ infrastructure, including a Supabase database used to log infections. The database contained 37 entries with details such as usernames, hostnames, operating systems, IP addresses, and timestamps. BitMEX noted that some devices appeared multiple times, likely used for testing malware.
One hacker, identified as “Victor,” usually connected through Touch VPN. Another, “GHOST72,” used Astrill VPN. A significant error occurred when Victor’s real IP address, 223.104.144.97, was exposed. The residential IP traced back to Jiaxing, China, on China Mobile’s network, indicating a major operational security failure.
BitMEX developed a tool to monitor the Supabase database continuously. Since May 14, the tool has logged 856 entries, identifying 174 unique username-hostname combinations. The exchange observed that Lazarus Group’s activity dropped between 8 a.m. and 1 p.m. UTC, corresponding to 5 p.m. to 10 p.m. in Pyongyang, suggesting a structured work schedule.
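The kind of analysis the article describes, applied to constructed log entries in the same shape as the attackers’ infection records (username, hostname, OS, IP, UTC timestamp), as an added example rather than BitMEX’s own tool: it counts unique username/hostname pairs, flags hosts that re-appear (likely operator test machines), and buckets activity by Pyongyang local hour to find the quietest window of the day. All sample values, and the five-hour window width, are assumptions.

```python
"""Analyse constructed infection-log entries (username, hostname, os, ip, utc ts):
unique username/hostname pairs, repeated hosts, and activity by Pyongyang hour."""
from collections import Counter
from datetime import datetime, timedelta, timezone

PYONGYANG = timezone(timedelta(hours=9))  # Pyongyang Time is UTC+9

# Constructed sample entries; none of these values come from the real database.
ENTRIES = [
    {"username": "alice", "hostname": "ws-01", "os": "macOS", "ip": "192.0.2.10", "ts": "2025-05-14T02:15:00Z"},
    {"username": "bob", "hostname": "lt-07", "os": "Windows", "ip": "198.51.100.5", "ts": "2025-05-14T04:40:00Z"},
    {"username": "tester", "hostname": "vm-kr", "os": "Windows", "ip": "203.0.113.9", "ts": "2025-05-14T06:05:00Z"},
    {"username": "tester", "hostname": "vm-kr", "os": "Windows", "ip": "203.0.113.9", "ts": "2025-05-14T07:20:00Z"},
    {"username": "tester", "hostname": "vm-kr", "os": "Windows", "ip": "203.0.113.9", "ts": "2025-05-15T14:30:00Z"},
    {"username": "carol", "hostname": "dev-3", "os": "Linux", "ip": "192.0.2.77", "ts": "2025-05-15T16:10:00Z"},
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unique_pairs(entries):
    """Distinct (username, hostname) combinations, i.e. distinct victim machines."""
    return {(e["username"], e["hostname"]) for e in entries}


def repeated_hosts(entries, min_hits=2):
    """Pairs that check in more than once; candidates for operator test devices."""
    hits = Counter((e["username"], e["hostname"]) for e in entries)
    return {pair for pair, n in hits.items() if n >= min_hits}


def activity_by_local_hour(entries):
    """Histogram of check-ins keyed by hour of day in Pyongyang local time."""
    hours = Counter()
    for e in entries:
        hours[parse_ts(e["ts"]).astimezone(PYONGYANG).hour] += 1
    return hours


def quietest_window(hours, width=5):
    """(start_hour, count) of the least-active window of `width` local hours."""
    best = None
    for start in range(24):
        total = sum(hours.get((start + i) % 24, 0) for i in range(width))
        if best is None or total < best[1]:
            best = (start, total)
    return best
```

With real data the quietest window would be compared against the 5 p.m. to 10 p.m. Pyongyang lull the article reports; on the sparse constructed sample it simply returns the first empty five-hour stretch.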
The security team also found reused code from the “BeaverTail” malware, previously linked to Lazarus Group by Palo Alto Networks’ Unit 42. BitMEX stated that the initial phishing attempt was basic, but the post-exploitation script showed advanced skills, indicating a division of labor within the group.
North Korea’s Cybercrime History
Lazarus Group, tied to North Korea’s government, has a history of targeting cryptocurrency platforms. In February 2025, the group stole $1.5 billion from Bybit, marking the largest crypto heist on record, according to the FBI. The hackers tricked a Safe Wallet employee into running malicious code, gaining access to Bybit’s systems.
Since 2017, North Korea-linked hackers have stolen over $6 billion in cryptocurrency, as reported by blockchain firm Elliptic. These funds are believed to support the regime’s ballistic missile program. In 2024, Chainalysis attributed $1.34 billion in crypto thefts to North Korean actors across 47 incidents.
BitMEX emphasized the group’s split structure. Less skilled teams handle phishing, while advanced units execute complex intrusions. The exchange’s findings align with reports from other platforms, such as Kraken, which in May 2025 thwarted a North Korean hacking attempt disguised as a job application.
The U.S., Japan, and South Korea have issued warnings about North Korea’s cyber operations. The FBI has labeled Lazarus Group a significant threat to financial stability. For more on North Korea’s cyber activities, visit the FBI’s Cyber Most Wanted list.