BitMEX said it has thwarted an attempted phishing attack by the Lazarus Group, describing the attempt as using “unsophisticated” phishing methods by the notorious North Korea-linked group.

In a blog post published on May 30, the crypto exchange detailed how an employee was approached via LinkedIn under the guise of a Web3 NFT collaboration. 

The attacker tried to lure the target into running a GitHub project containing malicious code on their computer, a tactic the firm says has become a hallmark of Lazarus’ operations.

“The interaction is pretty much known if you are familiar with Lazarus’ tactics,” BitMEX wrote, adding that the security team quickly identified the obfuscated JavaScript payload and traced it to infrastructure previously linked to the group.

A likely failure in operational security also revealed that one of the IP addresses linked to North Korean operations was located in the city of Jiaxing, China, approximately 100 km from Shanghai.

“A common pattern in their major operations is the use of relatively unsophisticated methods, often starting with phishing, to gain a foothold in their target’s systems,” BitMEX wrote.

Examining other attacks, it was noted that North Korea’s hacking efforts were likely divided into multiple subgroups with varying levels of technical sophistication. 

“This can be observed through the many documented examples of bad practices coming from these ‘frontline’ groups that execute social engineering attacks when compared to the more sophisticated post-exploitation techniques applied in some of these known hacks,” it said.

The Lazarus Group is an umbrella term used by cybersecurity firms and Western intelligence agencies to describe several hacker teams operating under the direction of the North Korean regime.

In 2024, Chainalysis attributed $1.34 billion in stolen crypto to North Korean actors, accounting for 61% of all thefts that year across 47 incidents, a record high and a 102% increase over 2023’s total of $660 million stolen.

Still a threat

But as founder and CEO of Nominis, Snir Levi warns, growing knowledge of the Lazarus Group’s tactics doesn’t necessarily make them any less of a threat. 

“The Lazarus Group uses multiple techniques to steal cryptocurrencies,” he told Decrypt. “Based on the complaints we collect from individuals, we can assume that they are trying to defraud people on a daily basis.”

The size of some of their hauls has been shocking. 

In February, hackers drained over $1.4 billion from Bybit, made possible by the group tricking an employee at Safe Wallet into running malicious code on their computer. 

“Even the Bybit hack started with social engineering,” Levi said. 

Other campaigns include Radiant Capital, where a contractor was compromised via a malicious PDF file that installed a backdoor.

The attack methods range from basic phishing and fake job offers to advanced post-access tactics like smart contract tampering and cloud infrastructure manipulation.

The BitMEX disclosure adds to a growing body of evidence documenting Lazarus Group’s multi-layered strategies. It follows another report in May from Kraken, in which the company described an attempt by a North Korean to get hired.

U.S. and international officials have said North Korea uses crypto theft to fund its weapons programs, with some reports estimating it may supply up to half of the regime’s missile development budget.

Edited by Sebastian Sinclair