rewrite this title Lazarus hacker forgets VPN, gets exposed

If you know anything about a crypto hack, you’ve probably heard of the Lazarus Group.

They’re pretty much the final boss of crypto cybercrime – a North Korean state-backed hacking group responsible for some of the biggest thefts in the industry, including the Bybit hack earlier this year.

They’ve always carried this boogeyman of blockchain, mysterious vibe. But a new BitMEX report pulled back the curtain a bit.

And turns out… they’re not as flawless as some might think.

Over time, Lazarus seems to have split into smaller teams, and not all of them are equally skilled. Some are pros. Others – not so much.

Case in point: a BitMEX employee got a message on LinkedIn about joining a crypto project.

If you’ve followed Lazarus’ past scams, you know this is something they’ve done before – so the employee flagged it to the security team.

They were sent a GitHub repo with a Next.js/React project that – surprise – contained malware.

The attacker wanted them to run the code locally, which would’ve let malicious scripts execute on the employee’s computer.

Now, here’s what BitMEX found in the code:

It used JavaScript’s eval() function, which takes a piece of text and treats it like code. So if it says “delete everything,” your computer will actually try to run that command – and that opens the door for attackers to sneak in harmful code;

The malware tried to connect to suspicious URLs to download even more code – the kind of infrastructure Lazarus has used before in past attacks;

It collected data like usernames, IP addresses, operating systems, and uploaded all of it to… wait for it… a public Supabase database 😀👍

Yes. Public.

This is like using Google Sheets to store stolen data… and then leaving the spreadsheet unlocked.

The BitMEX team took a look and found nearly 900 logs from infected machines.

And in one of them, they caught a big oopsie: a hacker forgot to turn on their VPN and exposed their real location in Jiaxing, China.

Instead of treating this oopsie as a one-off discovery, BitMEX saw an opportunity here – they built a tool to keep checking the database.

This lets BitMEX:

Track new infections as they happen;

Figure out who’s being targeted – devs, exchange workers, or random users;

Watch for repeat mistakes by the hackers (like more IP leaks);

Potentially map out patterns – like locations, time zones, or organizational targets.

Lazarus is still dangerous – no doubt about it.

But the more we learn about their tricks (and their mistakes), the easier it becomes to protect people from falling for them.

Now you’re in the know. But think about your friends – they probably have no idea. I wonder who could fix that… 😃🫵

Spread the word and be the hero you know you are!