BitMEX, a renowned crypto exchange, has recently published an in-depth article on its blog, shedding light on the notorious exploits of North Korea’s Lazarus Group associated with recent attacks on its platform. The Lazarus Group is infamous for its persistent targeting of the cryptocurrency sector, employing a wide range of deceptive techniques to defraud innocent crypto investors.
The group has targeted several exchanges, including Phemex and Bybit, and it even attempted to deceive a BitMEX staff member by proposing a bogus project as cover for a phishing attempt aimed at implanting malware on the staff member's device. BitMEX has responded by analysing the malicious code the group deployed.
In doing so, BitMEX uncovered serious operational weaknesses in the group's tooling that exchanges can use to safeguard their assets. These include the group's own tracking databases and originating IP addresses, which allow BitMEX to monitor the group's working hours and single out key individuals crucial to its operations.
The BitMEX team has distinguished different levels for the hackers, ranging from novice hackers performing phishing tasks to experts assigned to conduct post-exploitation procedures. The BitMEX blog post proposes various real-time security breach detection measures, including an internal monitoring system for identifying infections.
BitMEX’s sudden interest in cybersecurity stems from a Lazarus Group member reaching out to a BitMEX employee on LinkedIn with a proposition to participate in a counterfeit NFT project. This audacious phishing attempt prompted BitMEX to probe deeper into the matter, which resulted in a chance to analyze live Lazarus code.
BitMEX researchers uncovered a Supabase database used by Lazarus, which held data reported by the malware about each infected or test machine: username, hostname, operating system, geolocation, timestamp, and IP address. Using this data, BitMEX classified various devices as either developer or test machines based on how frequently they checked in.
While most of the developers utilized VPNs to conceal their location, one developer made an error revealing the actual IP address of the machine, which is located in Jiaxing, China. BitMEX considers this a significant lapse that could potentially unveil the hacker’s identity.
BitMEX has now developed a script that automatically analyses the Supabase data and searches for operational errors of this kind. After all, even hackers make mistakes, and those mistakes can prove to be their downfall. BitMEX's continued analysis of the Lazarus Group's operations will feed back into its own security measures and help protect its platform.
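The analysis the article describes, classifying hosts by check-in frequency, deriving their active hours, and flagging attacker-side records whose IP is not a known VPN egress, can be shown in a few lines. The block below is an added illustration written for this page; it is not BitMEX's script and does not reflect the real Supabase schema. The record layout, the VPN ranges (drawn from the RFC 5737 documentation networks), and every sample record are constructed.

```python
"""Added example: triage of malware check-in records of the kind the article describes.

Assumptions (not from the page): each record is a dict with the six fields the
article lists, and the analyst has already attributed some egress ranges to VPN
providers. All IPs, hostnames and timestamps below are constructed sample data.
"""
from collections import Counter
from datetime import datetime, timezone
import ipaddress

# Constructed sample records. BUILD-01 checks in repeatedly over several days
# (a developer/test machine pattern); LAPTOP-AB12 checks in once (a victim pattern).
RECORDS = [
    {"username": "dev", "hostname": "BUILD-01", "os": "Windows 10", "geo": "NL",
     "timestamp": "2025-05-20T01:10:00Z", "ip": "203.0.113.10"},
    {"username": "dev", "hostname": "BUILD-01", "os": "Windows 10", "geo": "NL",
     "timestamp": "2025-05-20T02:45:00Z", "ip": "203.0.113.10"},
    {"username": "dev", "hostname": "BUILD-01", "os": "Windows 10", "geo": "NL",
     "timestamp": "2025-05-20T03:05:00Z", "ip": "203.0.113.11"},
    {"username": "dev", "hostname": "BUILD-01", "os": "Windows 10", "geo": "CN",
     "timestamp": "2025-05-21T01:30:00Z", "ip": "198.51.100.7"},   # constructed slip: no VPN
    {"username": "dev", "hostname": "BUILD-01", "os": "Windows 10", "geo": "NL",
     "timestamp": "2025-05-21T04:15:00Z", "ip": "203.0.113.10"},
    {"username": "dev", "hostname": "BUILD-01", "os": "Windows 10", "geo": "NL",
     "timestamp": "2025-05-22T02:00:00Z", "ip": "203.0.113.12"},
    {"username": "alice", "hostname": "LAPTOP-AB12", "os": "macOS 14", "geo": "DE",
     "timestamp": "2025-05-22T09:40:00Z", "ip": "192.0.2.25"},
]

# Hypothetical VPN egress ranges the analyst has attributed beforehand (constructed).
KNOWN_VPN_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def classify_hosts(records, threshold=5):
    """Label a host 'developer/test' when it checks in at least `threshold` times.

    A victim's machine typically reports once after infection; a machine the
    operators use to build or test the implant reports again and again.
    """
    counts = Counter(r["hostname"] for r in records)
    return {host: ("developer/test" if n >= threshold else "single check-in")
            for host, n in counts.items()}


def active_hours(records, hostname):
    """Return the sorted set of UTC hours in which `hostname` checked in.

    Repeated check-ins from an operator machine cluster around their working day,
    which is what lets an analyst estimate the group's operating hours.
    """
    hours = set()
    for r in records:
        if r["hostname"] != hostname:
            continue
        ts = datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
        hours.add(ts.astimezone(timezone.utc).hour)
    return sorted(hours)


def find_opsec_slips(records, classification, vpn_nets):
    """Flag attacker-side records whose source IP is outside every known VPN range.

    Only hosts classified as developer/test are examined: a victim's real IP is
    expected to be outside the VPN ranges, so checking victims would only add noise.
    Returns (hostname, ip, geo) tuples in record order.
    """
    slips = []
    for r in records:
        if classification.get(r["hostname"]) != "developer/test":
            continue
        ip = ipaddress.ip_address(r["ip"])
        if not any(ip in net for net in vpn_nets):
            slips.append((r["hostname"], r["ip"], r["geo"]))
    return slips


if __name__ == "__main__":
    labels = classify_hosts(RECORDS)
    for host, label in labels.items():
        print(f"{host}: {label}, active UTC hours {active_hours(RECORDS, host)}")
    for host, ip, geo in find_opsec_slips(RECORDS, labels, KNOWN_VPN_NETS):
        print(f"possible opsec slip: {host} checked in from {ip} ({geo}) outside known VPN ranges")
```

The threshold of five check-ins and the single VPN range are placeholders; on real data both would be tuned against the distribution actually observed, and geolocation would come from an IP database rather than a field the malware reports.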