BitMEX thwarts supposed Lazarus attack, discovers group's IP addresses and 'significant lapses' in security

The Block, 2025/05/29 16:00
By Daniel Kuhn

Quick Take: BitMEX thwarted an attack by Lazarus Group, the hacking collective with ties to the North Korean government, according to an announcement on Friday. The BitMEX security team says it investigated the incident, allegedly discovering new insight into the group’s inner workings — including potential IP addresses — and “significant lapses in operational security.”


BitMEX, the once-dominant Bitcoin options trading venue, has reportedly thwarted a social engineering attack by Lazarus Group, the hacking collective with ties to the North Korean government, according to an announcement on Friday.

Not only that, BitMEX was allegedly able to reverse engineer the supposed exploit — potentially revealing new insight into the formidable hacking collective.

Lazarus Group has been a persistent and growing threat in the crypto industry for years. The outfit is thought to be behind some of the most high-profile crypto exploits, including what is likely the largest-ever hack (crypto or otherwise) of Bybit in February.

Phishing attacks, especially those perpetrated by North Korean hackers, are a common enough occurrence in crypto that security experts often share a few tell-tale signs of danger and techniques to avoid being had. (For instance, you can ask your would-be attacker if Supreme Leader Kim Jong Un is married to a dog.)

"Recently, a BitMEX employee was contacted through LinkedIn for a potential ‘NFT Marketplace’ web3 project collaboration," BitMEX wrote in a blog on Friday. "The goal was to make the victim run the project’s code, which includes malicious code, on their computer. After a few minutes of inspection of the repository … we found some very suspicious pieces of code."

According to BitMEX, the firm’s targeted employee was able to quickly identify the potential threat and alerted the BitMEX security team, which began an investigation that may have revealed some of Lazarus’ tracking methods and "significant lapses in operational security."

Notably, "it appears that the group has divided into multiple subgroups that are not necessarily of the same technical sophistication," the team wrote. According to BitMEX, in this instance, the attacker attempted to reuse malicious code called "BeaverTail" previously attributed to the Lazarus Group by Palo Alto’s Unit 42.

Without going into the technical details of how the malware was supposed to operate (essentially collecting victim passwords and IP addresses and storing them in a database), BitMEX says that a closer look at the script revealed an "operational security mistake" that may have exposed an attacker's "original IP address."

"Once we had this information, we created a simple program that would query this database on a regular basis and log new infections with the goal of understanding the general profile of victims and potentially spotting new mistakes by the operators," the team wrote, noting they appear to have uncovered at least 10 potential "accounts used to test or develop the malware."

"Investigating this Lazarus Group campaign shows a stark contrast between their entry-level phishing strategies and advanced post-exploitation techniques," the team added.

Notably, BitMEX’s discovery comes a few weeks after Coinbase disclosed a significant customer data breach that could cost the exchange upwards of $400 million in damages. That event has rekindled conversations about the potential dangers of know-your-customer requirements and the need for improved, industry-wide cybersecurity.
