BitMEX has revealed major security lapses within the infamous North Korean hacking unit, Lazarus Group, after an in-depth investigation exposed critical digital fingerprints left by the group. The BitMEX security team uncovered an active Supabase database used by the hackers and identified tracking tools and IP addresses tied to their operations. Most notably, one hacker allegedly failed to mask their real IP, revealing a physical location in Jiaxing, China—a rare and costly mistake in high-level cybercrime.

The investigation also highlighted a clear divide within the Lazarus operation: low-skilled social engineers trick victims into downloading malware, while a separate, more advanced group crafts sophisticated code exploits. BitMEX believes this points to the group splintering into specialized sub-groups, each playing distinct roles in a coordinated cybercrime campaign.

These findings come as international pressure mounts on the DPRK-backed hacking network. The FBI previously warned in September 2024 about Lazarus-led social engineering schemes, especially fake job offers aimed at stealing crypto assets. In January 2025, Japan, South Korea, and the U.S. jointly labeled the Lazarus Group a financial threat.

Global leaders are expected to address the increasing danger of state-sponsored cybercrime at the upcoming G7 Summit, with Lazarus at the center of those discussions. The BitMEX revelations are now serving as critical evidence of how even the most elusive threat actors can slip up—offering a rare opening for global cybersecurity forces to push back.