Lazarus Group Vulnerabilities Revealed: How Hacker Mistakes and Security Measures Help Counter North Korean Group Cyberattacks


The BitMEX cryptocurrency exchange security team has conducted a large-scale investigation that uncovered serious weaknesses in the operational security of Lazarus Group, a hacker organization sponsored by the North Korean (DPRK) government and known for its international cybercrime operations [4].

Key Facts of the BitMEX Investigation

  • Hacker’s Real IP Address Revealed
    One of the Lazarus Group members mistakenly failed to use a VPN to mask his IP address, allowing BitMEX to determine his actual location: Jiaxing, China. This was key to uncovering the group’s infrastructure [4].
  • Access to Supabase Database
    BitMEX was able to gain access to a database instance on the Supabase platform, which is used to quickly deploy databases with user-friendly interfaces for applications. The hackers used this database to organize and manage their operations [4].
  • Asymmetry in the skill level of participants
    The analysis showed that Lazarus Group is divided into subgroups with different levels of professionalism:
    • Low-skilled social engineering teams trick victims into downloading malware.
    • Highly skilled hackers develop complex exploits and code to carry out the attacks.
    This structure allows for effective coordination of attacks and deception of users, which points to a complex internal organization within the group [4].

Methods and tactics of Lazarus Group

  • Hackers use social engineering, including phishing and approaches through professional networks such as LinkedIn with offers of NFT and Web3 partnerships. One attacker tried to trick a BitMEX employee into running a malicious project from GitHub [10].
  • Lazarus Group actively uses infected packages on popular developer platforms such as GitHub to distribute malicious code that steals crypto wallet keys and other sensitive information [5].
  • In 2025, the group attempted to attack crypto entrepreneurs via Zoom and other digital channels, demonstrating the continued refinement of its tactics and the expansion of its attack vectors [1].

International reaction and the significance of the threat

  • Federal law enforcement agencies and governments in the United States, Japan, South Korea and other countries are actively investigating the Lazarus Group, warning of fraud risks and threats to financial systems [3].
  • In September 2024, the FBI issued an official warning about scams linked to a North Korean-backed group, including phishing and fake job offers aimed at cryptocurrency users [2].
  • In early 2025, the governments of Japan, the United States, and South Korea acknowledged the threat posed by the Lazarus Group and outlined the need for coordinated countermeasures [2].
  • According to a Bloomberg report, world leaders may discuss the threat of Lazarus Group at the G7 summit and develop strategies to mitigate the damage caused by the organization’s activities [3].

What specific operational security vulnerabilities did the BitMEX team discover at Lazarus Group?

A BitMEX investigation found “amateur-level miscalculations” in Lazarus Group’s operational security, despite the sophistication and scale of its operations. This allowed BitMEX to obtain critical data such as IP addresses, databases, and tracking algorithms, significantly weakening the hackers’ position and increasing the chances that they will be identified and stopped in the future [4].

This information highlights the importance of ongoing cybersecurity monitoring and countermeasures, particularly against state-affiliated groups targeting financial and technology companies around the world. BitMEX has demonstrated an example of an effective counter-operation that could serve as a model for other organizations to combat cyber threats of this magnitude.


The security team of cryptocurrency exchange BitMEX has identified several key vulnerabilities in the operational security of the North Korean-sponsored hacker group Lazarus Group. The main ones include:

  • A hacker’s real IP address revealed
    One of the group members did not use a VPN to mask his IP, which allowed his real location to be determined as Jiaxing, China. This indicates a low level of discipline and control over operational security within the Lazarus Group.
  • Exploiting a vulnerable Supabase database
    BitMEX gained access to a database instance on the Supabase platform that the attackers used to store and manage information. This suggests that the Lazarus Group infrastructure was insufficiently protected and open to external intrusion.
  • Asymmetry in the skill level of the participants
    The group is divided into low-skilled social engineering teams that distribute malware by deceiving victims and highly skilled specialists who create complex exploits. This structure indicates the absence of a unified, well-coordinated approach to security across the group.
  • Social engineering tactics exploiting weaknesses in communication practices
    Hackers tried to trick company employees into running malicious code, for example via GitHub projects, which points to insufficient internal controls when working with external sources.

Thus, the main vulnerabilities of the Lazarus Group are operational security flaws, manifested in insufficient control over IP masking, the use of inadequately protected databases, and weak coordination between the group’s divisions, which allowed BitMEX to carry out a successful counter-operation and expose important details of the attackers’ infrastructure [3].


How Accidental IP Address Disclosure Impacted Identification of Hacker’s Location in Jiaxing

The accidental disclosure of the Lazarus Group hacker’s IP address played a key role in identifying him and pinpointing his location in Jiaxing, China. Hackers typically use VPNs or proxy servers to mask their real IP address, making it extremely difficult or impossible to track their physical location. In this case, one of the hackers did not use such means, and his real IP address was revealed to BitMEX researchers [1].

An IP address is a unique network “address” of a device on the Internet, assigned to users by ISPs and recorded in the databases of regional Internet registries (for example, ARIN). From this data it is possible to determine the approximate geographic location of the device associated with an IP address [2]. Since the IP address was “clean”, with no anonymizing service in front of it, BitMEX was able to accurately localize the hacker to Jiaxing.

Thus, a mistake in operational security, the failure to use a VPN, allowed the attacker’s real location to be revealed, which significantly complicates his further anonymity and increases the chances of successful prosecution by law enforcement and cybersecurity specialists.

How access to the Supabase database helps us understand the structure and methods of Lazarus Group

The BitMEX team’s access to the Supabase database has provided unique insight into the internal structure and methods of operation of Lazarus Group in several key areas:

  • Organizational Structure and Role Allocation Analysis
    Supabase is a modern cloud platform built on a PostgreSQL relational database that supports authentication, file storage, and real-time data synchronization [2]. By gaining access to the database, researchers were able to see how attackers organize their data, distribute tasks between subgroups, and manage social engineering and technical attacks.
  • Identifying the management tools and techniques used
    The Supabase platform allows databases to be created on the fly with simple interfaces for applications, making it easy for hackers to quickly deploy and modify infrastructure without complex API layers [7]. This highlights Lazarus Group’s flexible and dynamic approach to operations, helping them adapt quickly to changing conditions.
  • Understanding Authentication and Access Control Mechanisms
    Supabase supports a variety of authentication methods and Row-Level Security policies, allowing granular control over access to data [5]. BitMEX researchers were able to examine how effectively or weakly these mechanisms were implemented in the Lazarus infrastructure, identifying potential vulnerabilities and security flaws.
  • Tracking Interactions Between Teams
    With the ability to synchronize data in real time and keep logs, the database revealed how different Lazarus subgroups—from low-skilled social engineering operators to high-tech exploit developers—coordinate their actions, share information, and manage hacking campaigns.

Thus, access to the Supabase database was not just a technical breakthrough for BitMEX, but a key to understanding the structure, roles, and methods of operation of the Lazarus Group, which allows BitMEX to counter their attacks more effectively and develop cybersecurity countermeasures.
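To make the Row-Level Security point above concrete, the following is an added example (not taken from the page, from BitMEX’s findings, or from Supabase’s own material) showing a table in a Supabase-hosted PostgreSQL database first in its default state, where RLS is off, and then with the policies a defender would add; the table and column names are hypothetical.

```sql
-- Added example: hypothetical table in a Supabase-hosted PostgreSQL database.
-- Table and column names are constructed for illustration only.
create table public.user_notes (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null,            -- Supabase auth user id of the row owner
  body        text not null,
  created_at  timestamptz not null default now()
);

-- WEAK (default): RLS is off on a freshly created table, and Supabase grants
-- the anon and authenticated roles access to public-schema tables. Anyone who
-- holds the project's public "anon" API key can therefore read and write every
-- row through the auto-generated REST API. Nothing else to show here: this is
-- exactly the state right after CREATE TABLE.

-- HARDENED: turn RLS on and add explicit, narrow policies.
alter table public.user_notes enable row level security;

-- Signed-in users may read only the rows they own. auth.uid() is the Supabase
-- helper that returns the caller's user id taken from the request JWT.
create policy "owner can read own notes"
  on public.user_notes
  for select
  to authenticated
  using (owner_id = auth.uid());

-- Signed-in users may insert rows only with themselves as the owner.
create policy "owner can insert own notes"
  on public.user_notes
  for insert
  to authenticated
  with check (owner_id = auth.uid());

-- Signed-in users may change or delete only their own rows.
create policy "owner can update own notes"
  on public.user_notes
  for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owner can delete own notes"
  on public.user_notes
  for delete
  to authenticated
  using (owner_id = auth.uid());

-- No policy names the anon role, so unauthenticated requests see zero rows.
-- Verification queries: relrowsecurity must be true, and the policy list
-- should contain exactly the four policies above.
select relname, relrowsecurity
  from pg_class
 where relname = 'user_notes';

select policyname, roles, cmd
  from pg_policies
 where tablename = 'user_notes';
```

The service_role key bypasses RLS entirely, so it belongs only on trusted servers, never in client code.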


Why Low-Skilled Social Engineers Are Important to North Korean Hackers

Low-skilled social engineers play a vital role in the activities of North Korean hackers, particularly the Lazarus Group, for the following reasons:

  • Initial Penetration
    Social engineers work by tricking and manipulating victims into performing actions that allow attackers to gain access to systems. This could include downloading malware, clicking on phishing links, or disclosing sensitive information. Although their technical skills are low, their work is critical to the successful launch of an attack.
  • Using psychological techniques
    Social engineering is based on creating a sense of urgency, trust or fear so that the victim does not have time to think about the situation and make the decision needed by the attackers. This allows bypassing technical security barriers without complex programming.
  • Massive and scalable attacks
    Low-skilled operators can send out phishing emails in bulk, call potential victims, or create fake social media profiles, which significantly expands their reach and increases the chances of a successful compromise.
  • Relieving High-Tech Specialists
    By taking the routine work of deceiving users off the shoulders of highly skilled hackers, social engineers let those specialists focus on developing complex exploits and technical attacks, increasing the overall effectiveness of the group.

Thus, low-skilled social engineers are an integral part of the Lazarus Group’s multi-layered strategy, providing initial access and preparing the ground for more sophisticated technical attacks, making their activities essential to the successful operations of North Korean hackers [4].

What measures can governments take to prevent Lazarus Group attacks and their consequences?

To effectively prevent attacks by Lazarus Group and minimize their consequences, governments can take a range of measures, including technical, organizational and international initiatives:

  • Raise awareness and train staff
    Train employees of public and private organizations to recognize phishing attacks and social engineering to reduce the risk of initial penetration by attackers. This is a key step, as Lazarus actively uses social engineering to launch malware [2].
  • Implementation of multi-level protection and monitoring systems
    Using modern cybersecurity tools with elements of machine learning and behavioral analysis helps to detect even previously unknown attacks at early stages, preventing the spread of malware within the infrastructure [6].
  • Developing and enforcing cybersecurity standards for critical infrastructure
    Strengthening the protection of industrial, financial, and technology facilities, including mandatory security patching, network segmentation, and regular audits, reduces vulnerability to sophisticated Lazarus attacks that target the defense and financial sectors [6].
  • International Cooperation and Intelligence Sharing
    Coordination between countries and sharing information on Lazarus Group tactics, tools and indicators of compromise allow for timely detection and neutralization of threats. Already, the governments of the United States, Japan, South Korea and other countries are jointly warning of risks and developing joint strategies [4].
  • Legal action and sanctions
    Increased sanctions pressure on organizations and individuals associated with the Lazarus Group, as well as international criminal prosecution of hackers, hinders their activities and limits their resources.
  • Investment in cybersecurity research and development
    Continued funding for the development of new defense technologies, including artificial intelligence and automated response systems, helps keep pace with evolving attack methods and reduce the damage they cause [5].
  • Preventive measures at the level of cryptocurrency and financial platforms
    Since Lazarus is actively attacking crypto exchanges and financial institutions, it is important to implement strict security protocols, multi-factor authentication, and monitoring for suspicious transactions.

Taken together, these measures form a multi-layered and proactive strategy that can effectively counter threats from Lazarus Group, reduce the risks of successful attacks, and minimize their potential damage to national and global security.

What measures can reduce the effectiveness of Lazarus Group phishing attacks

To reduce the effectiveness of phishing attacks such as those carried out by Lazarus Group, a set of measures covering technical and organizational aspects is recommended:

  • Training and awareness of employees
    Regular training on recognizing phishing messages, especially those disguised as collaboration or job offers (for example, through LinkedIn), helps reduce the likelihood that a victim will click on a malicious link or run a malicious file [1].
  • Using multi-factor authentication (MFA)
    MFA makes it much more difficult for attackers to access accounts, even if they have obtained passwords through phishing.
  • Technical means of filtering and protecting mail
    Deploying email security gateways that scan incoming messages and attachments for malicious code and phishing links, together with sandbox systems that analyze suspicious files in an isolated environment [5].
  • Network Traffic Analysis and Behavioral Monitoring
    Network Traffic Analysis (NTA) and Endpoint Detection and Response (EDR) systems help identify anomalous activity associated with phishing attacks and block malicious actions before they cause damage [5].
  • Regular software updates
    Operating system, browser, and antivirus updates eliminate vulnerabilities that can be used in phishing attacks [4].
  • Blocking access to malicious resources
    Restricting access to known phishing sites and resources using firewalls and DNS filters reduces the risk of clicking on malicious links [6].
  • Information security policies and incident response
    Developing clear rules for working with email, instant messengers and external sources, as well as plans for responding to phishing attacks, helps organizations quickly contain and eliminate threats [5].
  • Using Machine Learning and Artificial Intelligence
    Modern solutions use machine learning algorithms to identify new and complex phishing schemes that traditional tools may miss [10].

The use of these measures in combination significantly reduces the likelihood of successful phishing attacks by Lazarus Group and other cybercriminal organizations, minimizing the risks of compromising users and corporate systems.

  1. https://coinedition.com/ru/%D1%81%D0%B2%D1%8F%D0%B7%D0%B0%D0%BD%D0%BD%D0%B0%D1%8F-%D1%81-%D1%81%D0%B5%D0%B2%D0%B5%D1%80%D0%BD%D0%BE%D0%B9-%D0%BA%D0%BE%D1%80%D0%B5%D0%B5%D0%B9-%D0%B3%D1%80%D1%83%D0%BF%D0%BF%D0%B0-lazarus-%D0%B0/
  2. https://ib-bank.ru/bisjournal/news/12537
  3. https://ics-cert.kaspersky.ru/publications/reports/2024/04/02/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/
  4. https://ya.ru/neurum/c/drugoe/q/kakie_suschestvuyut_sposoby_zaschity_ot_fishingovyh_0893c042
  5. https://ptsecurity.com/ru-ru/research/analytics/malware-behavior-and-distribution-channels/
  6. https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%A4%D0%B8%D1%88%D0%B8%D0%BD%D0%B3_%D0%B2_%D0%A0%D0%BE%D1%81%D1%81%D0%B8%D0%B8
  7. https://www.itsec.ru/news/lazarus-ispolzuyet-legitimniye-instrumenti-bezopasnosti-dlia-atak-na-nenazvanuyu-kompaniyu
  8. https://cryptobread.net/articles/review/lazarus-group/
  9. https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%98%D0%BD%D1%84%D0%BE%D1%80%D0%BC%D0%B0%D1%86%D0%B8%D0%BE%D0%BD%D0%BD%D0%B0%D1%8F_%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C_%D0%B2_%D0%B1%D0%B0%D0%BD%D0%BA%D0%B0%D1%85
  10. https://cisoclub.ru/jeffektivnye-strategii-zashhity-jelektronnoj-pochty-ot-sovremennyh-fishingovyh-atak/
  1. https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:APT_-_%D0%A2%D0%B0%D1%80%D0%B3%D0%B5%D1%82%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%BD%D1%8B%D0%B5_%D0%B8%D0%BB%D0%B8_%D1%86%D0%B5%D0%BB%D0%B5%D0%B2%D1%8B%D0%B5_%D0%B0%D1%82%D0%B0%D0%BA%D0%B8
  2. https://www.kaspersky.ru/blog/the-lazarus-group/15032/
  3. https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%9A%D0%B8%D0%B1%D0%B5%D1%80%D0%BF%D1%80%D0%B5%D1%81%D1%82%D1%83%D0%BF%D0%BD%D0%BE%D1%81%D1%82%D1%8C_%D0%B8_%D0%BA%D0%B8%D0%B1%D0%B5%D1%80%D0%BA%D0%BE%D0%BD%D1%84%D0%BB%D0%B8%D0%BA%D1%82%D1%8B_:_%D0%9A%D0%9D%D0%94%D0%A0
  4. https://docs.un.org/ru/S/PV.9662
  5. https://www.gate.com/ru/learn/articles/who-is-the-lazarus-group-the-hackers-behind-billion-dollar-heists/7503
  6. https://ics-cert.kaspersky.ru/publications/reports/2024/04/02/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/
  7. https://securelist.ru/lazarus-threatneedle/100591/
  8. https://ru.investing.com/news/cryptocurrency-news/article-2696853
  9. https://ptsecurity.com/ru-ru/research/analytics/cybersecurity-threatscape-2023-q2/
  10. https://republic.ru/posts/83455
  1. https://www.polpred.com/news/?person_id=7244&sector=15&page=12
  2. https://cyberleninka.ru/article/n/sotsialnaya-inzheneriya-kak-aspekt-informatsionnoy-bezopasnosti
  3. https://jou.rfixe.com/forum/viewtopic.php?p=263106&sid=d0788216e2f65834ae7ae520dd35746f
  4. https://www.reg.ru/blog/chto-takoe-sotsialnaya-inzheneriya/
  1. https://nuancesprog.ru/p/19272/
  2. https://habr.com/ru/companies/timeweb/articles/648761/
  3. https://habr.com/ru/companies/timeweb/articles/660183/
  4. https://www.reddit.com/r/Supabase/comments/1g9wwz6/what_is_the_safest_way_to_use_supabase_database/?tl=en
  5. https://dev.to/bogdannovotarskij/professionalnaia-realizatsiia-avtorizatsii-v-vieb-prilozhienii-s-pomoshchiu-supabase-ot-boghdana-novotarskogho-20k6
  6. https://forklog.com/glavnoe-za-mesyats-vyzovy-dlya-bitkoina-aktualnaya-kiberbezopasnost-i-militarizatsiya-ii
  7. https://cryptobrokers.ru/razrabotchiki-bitmex-vyyavlyayut-podrobnosti-o-xakerkax-lazarus-group-posle-dostupa-k-svoej-baze-dannyx/amp/
  1. https://monolith.law/ru/internet/disclosure-of-ipaddress
  2. https://www.reddit.com/r/explainlikeimfive/comments/4hwgsp/eli5_why_is_ip_tracing_so_inaccurate/?tl=en
  1. https://ru.tradingview.com/news/forklog:6ca7cad9867b8:0/
  2. https://www.block-chain24.com/news/novosti-bezopasnosti/bitmex-obnaruzhivaet-breshi-v-operacionnoy-bezopasnosti-lazarus-group
  3. https://tradepulse.ru/news/bitmex-raskryvaet-uyazvimosti-v-operaczionnoj-bezopasnosti-gruppy-lazarus/
  4. https://forklog.com/news/okx-priostanovila-rabotu-agregatora-dex-iz-za-aktivnosti-hakerov
  5. https://istorka.ru/2022/08/04/solana-svjazala-masshtabnyj-vzlom-s-provajderom-koshelkov-slope/
  6. https://istorka.ru/2022/03/21/chto-takoe-symbiosis-finance/
  7. https://forklog.com/glavnoe-za-mesyats-vyzovy-dlya-bitkoina-aktualnaya-kiberbezopasnost-i-militarizatsiya-ii
  1. https://forklog.com/news/v-bitmex-raskryli-uyazvimosti-operatsionnoj-bezopasnosti-lazarus-group
  2. https://crypto.ru/issledovateli-bitmex-nashli/
  3. https://www.block-chain24.com/news/novosti-bezopasnosti/bitmex-obnaruzhivaet-breshi-v-operacionnoy-bezopasnosti-lazarus-group
  4. https://hashtelegraph.com/bitmex-investigators-exposed-ip-addresses-and-database-of-hacker-group-lazarus/
  5. https://forklog.com/news/hakery-lazarus-razvernuli-novuyu-ataku-cherez-github
  6. https://financefeeds.com/ru/Bitmex-%D1%81%D1%82%D0%B0%D0%BB-%D0%BC%D0%B8%D1%88%D0%B5%D0%BD%D1%8C%D1%8E-%D0%BC%D0%BE%D1%88%D0%B5%D0%BD%D0%BD%D0%B8%D1%87%D0%B5%D1%81%D1%82%D0%B2%D0%B0-%D0%B2-LinkedIn—%D1%81%D0%B2%D1%8F%D0%B7%D0%B0%D0%BD%D0%BD%D0%BE%D0%B3%D0%BE-%D1%81-%D1%81%D0%B5%D0%B2%D0%B5%D1%80%D0%BE%D0%BA%D0%BE%D1%80%D0%B5%D0%B9%D1%81%D0%BA%D0%BE%D0%B9-%D0%B3%D1%80%D1%83%D0%BF%D0%BF%D0%BE%D0%B9-Lazarus/
  7. https://x.com/ForkLog/status/1929561493982290243
  8. https://www.cryptopolitan.com/ru/bitmex-thwarts-lazarus-groups-hack-attempt/
  9. https://hashtelegraph.com/tag/lazarus/
  10. https://coinedition.com/ru/%D1%81%D0%B2%D1%8F%D0%B7%D0%B0%D0%BD%D0%BD%D0%B0%D1%8F-%D1%81-%D1%81%D0%B5%D0%B2%D0%B5%D1%80%D0%BD%D0%BE%D0%B9-%D0%BA%D0%BE%D1%80%D0%B5%D0%B5%D0%B9-%D0%B3%D1%80%D1%83%D0%BF%D0%BF%D0%B0-lazarus-%D0%B0/
