If you know anything about a crypto hack, you’ve probably heard of the Lazarus Group.
They’re pretty much the final boss of crypto cybercrime – a North Korean state-backed hacking group responsible for some of the biggest thefts in the industry, including the Bybit hack earlier this year.
They’ve always carried this boogeyman of blockchain, mysterious vibe. But a new BitMEX report pulled back the curtain a bit.
And turns out… they’re not as flawless as some might think.
Over time, Lazarus seems to have split into smaller teams, and not all of them are equally skilled. Some are pros. Others – not so much.
Case in point: a BitMEX employee got a message on LinkedIn about joining a crypto project.
If you’ve followed Lazarus’ past scams, you know this is something they’ve done before – so the employee flagged it to the security team.
They were sent a GitHub repo with a Next.js/React project that – surprise – contained malware.
The attacker wanted them to run the code locally, which would’ve let malicious scripts execute on the employee’s computer.
Now, here’s what BitMEX found in the code:
- It used JavaScript’s eval() function, which takes a piece of text and treats it like code. So if that text says “delete everything,” your computer will actually try to run that command – and that opens the door for attackers to sneak in harmful code;
- The malware tried to connect to suspicious URLs to download even more code – the kind of infrastructure Lazarus has used before in past attacks;
- It collected data like usernames, IP addresses, operating systems, and uploaded all of it to… wait for it… a public Supabase database 😀👍
Yes. Public.
This is like using Google Sheets to store stolen data… and then leaving the spreadsheet unlocked.
The BitMEX team took a look and found nearly 900 logs from infected machines.
And in one of them, they caught a big oopsie: a hacker forgot to turn on their VPN and exposed their real location in Jiaxing, China.
Instead of treating this oopsie as a one-off discovery, BitMEX saw an opportunity here – they built a tool to keep checking the database.
This lets BitMEX:
- Track new infections as they happen;
- Figure out who’s being targeted – devs, exchange workers, or random users;
- Watch for repeat mistakes by the hackers (like more IP leaks);
- Potentially map out patterns – like locations, time zones, or organizational targets.
Lazarus is still dangerous – no doubt about it.
But the more we learn about their tricks (and their mistakes), the easier it becomes to protect people from falling for them.
Now you’re in the know. But think about your friends – they probably have no idea. I wonder who could fix that… 😃🫵 Spread the word and be the hero you know you are!