BitMEX Thwarts Lazarus Group Phishing Attack Linked to North Korea

Coin World, Monday, Jun 2, 2025 1:51 am ET

BitMEX, a prominent cryptocurrency exchange, recently announced that it had successfully thwarted a phishing attempt by the Lazarus Group, a notorious hacking collective linked to North Korea. The exchange described the tactics used in the attack as "unsophisticated," highlighting the group's reliance on basic phishing methods to gain access to target systems.

In a detailed blog post published on May 30, BitMEX revealed that an employee was approached via LinkedIn under the pretense of a Web3 NFT collaboration. The attacker attempted to lure the employee into running a GitHub project containing malicious code on their computer, a tactic that BitMEX noted is characteristic of Lazarus Group operations. The security team at BitMEX quickly identified the obfuscated JavaScript payload and traced it back to infrastructure previously associated with the Lazarus Group.
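The lure described above, a "collaboration" repository a target is asked to run locally, is a good place for a mechanical pre-run check. The following script is an added example written for this article, not BitMEX's tooling and not based on the actual payload. It flags npm lifecycle hooks (which execute on `npm install`) and common obfuscation indicators in JavaScript sources, then returns a score and a verdict so the developer can decide not to run the project at all. The indicator list, weights, thresholds and the two sample projects are all constructed assumptions for illustration.

```javascript
// Added example (not BitMEX's code): heuristic pre-run review of an untrusted
// Node.js project. It does not execute anything from the project; it only
// reads package.json and source text. Weights and thresholds are assumptions.

const INDICATORS = [
  { name: "eval", re: /\beval\s*\(/g, weight: 3 },
  { name: "new Function", re: /new\s+Function\s*\(/g, weight: 3 },
  { name: "child_process", re: /require\(\s*['"]child_process['"]\s*\)/g, weight: 3 },
  { name: "fromCharCode chain", re: /String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}/g, weight: 2 },
  { name: "hex escapes", re: /(?:\\x[0-9a-fA-F]{2}){8,}/g, weight: 2 },
  { name: "base64 blob", re: /['"`][A-Za-z0-9+/]{200,}={0,2}['"`]/g, weight: 2 },
  { name: "base64 decode", re: /atob\s*\(|Buffer\.from\s*\([^)]*['"]base64['"]/g, weight: 1 },
];

// Scripts npm runs automatically during install; a hook here means cloning
// and installing is already "running the project".
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function scanPackageJson(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (e) {
    return [{ kind: "package.json", detail: "unparseable", weight: 1 }];
  }
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({ kind: "lifecycle hook", detail: `${hook}: ${scripts[hook]}`, weight: 3 });
    }
  }
  return findings;
}

function scanSource(path, text) {
  const findings = [];
  for (const ind of INDICATORS) {
    const matches = text.match(ind.re);
    if (matches) {
      findings.push({ kind: ind.name, detail: `${path} (${matches.length}x)`, weight: ind.weight });
    }
  }
  // Obfuscated or minified loaders tend to be one enormous line.
  const longest = text.split("\n").reduce((m, l) => Math.max(m, l.length), 0);
  if (longest > 2000) {
    findings.push({ kind: "very long line", detail: `${path} (${longest} chars)`, weight: 1 });
  }
  return findings;
}

// files: { relativePath: fileContents }, e.g. built by walking a checkout.
function reviewProject(files) {
  let findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith("package.json")) findings = findings.concat(scanPackageJson(text));
    else if (/\.(m?js|cjs|ts)$/.test(path)) findings = findings.concat(scanSource(path, text));
  }
  const score = findings.reduce((s, f) => s + f.weight, 0);
  const verdict = score >= 5 ? "do not run; review by hand"
    : score > 0 ? "review flagged items"
    : "no indicators";
  return { score, verdict, findings };
}

// Constructed sample: an "NFT demo" with an install hook and a base64-packed loader.
const SAMPLE_SUSPICIOUS = {
  "package.json": JSON.stringify({ name: "nft-demo", scripts: { postinstall: "node ./lib/setup.js" } }),
  "lib/setup.js": 'const a=require("child_process");const b="' + "ZG".repeat(120) +
    '";eval(Buffer.from(b,"base64").toString());',
};

// Constructed sample: an ordinary small library with no hooks.
const SAMPLE_CLEAN = {
  "package.json": JSON.stringify({ name: "nft-demo", scripts: { test: "node test.js" } }),
  "index.js": "module.exports = function add(a, b) { return a + b; };\n",
};

for (const [label, files] of Object.entries({ suspicious: SAMPLE_SUSPICIOUS, clean: SAMPLE_CLEAN })) {
  const r = reviewProject(files);
  console.log(`${label}: ${r.verdict} (score ${r.score})`);
  for (const f of r.findings) console.log(`  - ${f.kind}: ${f.detail}`);
}
```

The check is deliberately cheap and string-based so it can run before `npm install` or any build step; it will produce false positives on legitimate minified bundles, which is acceptable when the question is whether to run an unsolicited project from a stranger at all.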

A notable operational security failure by the attackers also exposed an IP address linked to North Korean operations, which was located in the city of Jiaxing, approximately 100 kilometers from Shanghai. This revelation underscores the group's reliance on relatively unsophisticated methods, often starting with phishing, to gain a foothold in their target’s systems.

BitMEX's analysis of other attacks by the Lazarus Group suggests that North Korea's hacking efforts are likely divided into multiple subgroups with varying levels of technical sophistication. This is evident in the documented examples of poor practices from these "frontline" groups that execute social engineering attacks, compared to the more sophisticated post-exploitation techniques applied in some of the known hacks.

The Lazarus Group is a term used by cybersecurity firms and intelligence agencies to describe several hacker teams operating under the direction of the North Korean regime. The group has been implicated in numerous high-profile cyber heists, including the draining of over $1.4 billion from Bybit in February. This attack was facilitated by the group tricking an employee at Safe Wallet into running malicious code on their computer, highlighting the effectiveness of their social engineering tactics.

Other campaigns by the Lazarus Group include the compromise of a contractor at Radiant Capital via a malicious PDF file that installed a backdoor. The group's attack methods range from basic phishing and fake job offers to advanced post-access tactics like smart contract tampering and cloud infrastructure manipulation. These multi-layered strategies were further documented in a report from Kraken in May, where the company described an attempt by a North Korean hacker to get hired.

U.S. and international officials have stated that North Korea uses crypto theft to fund its weapons programs, with some reports estimating that it may supply up to half of the regime's missile development budget. Despite growing awareness of the Lazarus Group’s tactics, the group remains a significant threat, as noted by Snir Levi, founder and CEO of Nominis. Levi warned that the Lazarus Group uses multiple techniques to steal cryptocurrencies and is likely attempting to defraud individuals on a daily basis.