BitMEX said it has thwarted an attempted phishing attack by the Lazarus Group, describing the attempt as using "unsophisticated" phishing methods by the notorious North Korea-linked group.
In a blog post published on May 30, the crypto exchange detailed how an employee was approached via LinkedIn under the guise of a Web3 NFT collaboration.
The attacker tried to lure the target into running a GitHub project containing malicious code on their computer, a tactic the firm says has become a hallmark of Lazarus' operations.
"The interaction is pretty much known if you are familiar with Lazarus' tactics," BitMEX wrote, adding that the security team quickly identified the obfuscated JavaScript payload and traced it to infrastructure previously linked to the group.
A likely failure in operational security also revealed that one of the IP addresses linked to North Korean operations was located in the city of Jiaxing, China, approximately 100 km from Shanghai.
"A common pattern in their major operations is the use of relatively unsophisticated methods, often starting with phishing, to gain a foothold in their target’s systems," BitMEX wrote.
Examining other attacks, BitMEX noted that North Korea's hacking efforts were likely divided among multiple subgroups with varying levels of technical sophistication.
"This can be observed through the many documented examples of bad practices coming from these 'frontline' groups that execute social engineering attacks when compared to the more sophisticated post-exploitation techniques applied in some of these known hacks," it said.
The Lazarus Group is an umbrella term used by cybersecurity firms and Western intelligence agencies to describe several hacker teams operating under the direction of the North Korean regime.
In 2024, Chainalysis attributed $1.34 billion in stolen crypto to North Korean actors, accounting for 61% of all thefts that year across 47 incidents, a record high and a 102% increase over 2023's total of $660 million stolen.
Still a threat
But as founder and CEO of Nominis, Snir Levi warns, growing knowledge of the Lazarus Group’s tactics doesn’t necessarily make them any less of a threat.
“The Lazarus Group uses multiple techniques to steal cryptocurrencies,” he told Decrypt. “Based on the complaints we collect from individuals, we can assume that they are trying to defraud people on a daily basis.”
The size of some of their hauls has been shocking.
In February, hackers drained over $1.4 billion from Bybit, an attack made possible by the group tricking an employee at Safe Wallet into running malicious code on their computer.
“Even the Bybit hack started with social engineering,” Levi said.
Other campaigns include Radiant Capital, where a contractor was compromised via a malicious PDF file that installed a backdoor.
The attack methods range from basic phishing and fake job offers to advanced post-access tactics like smart contract tampering and cloud infrastructure manipulation.
The BitMEX disclosure adds to a growing body of evidence documenting Lazarus Group’s multi-layered strategies. It follows another report in May from Kraken, in which the company described an attempt by a North Korean to get hired.
U.S. and international officials have said North Korea uses crypto theft to fund its weapons programs, with some reports estimating it may supply up to half of the regime's missile development budget.
Edited by Sebastian Sinclair