BitMEX uncovered a possible operational security mistake by the Lazarus Group while analyzing a malicious GitHub repository and an exposed Supabase database: among log entries otherwise sourced from VPN exit nodes, one came from a residential China Mobile IP address in Jiaxing, China, which may reveal an attacker's real location.

Claim

Quotes that support claims

BitMEX says that a closer look at the script revealed an ‘operational security mistake’ that may have revealed an attacker's ‘original IP address.’
By looking at the logs for ‘Victor’, we found an entry that stands out: the IP address and location do not match the previously observed Touch VPN exit nodes, but rather a residential China Mobile IP address (223.104.144.97) located in Jiaxing, China. We believe that this was an operational security mistake, which ended up leaking the attacker’s original IP address.
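The method BitMEX describes is a log review in which one entry stands out because its source address is outside the set of VPN exit nodes seen for the same actor. The script below is an added example of that triage, not BitMEX's code: it parses a constructed per-user access log, filters for one actor, and returns the globally routable addresses that fall outside a hypothetical list of previously observed VPN exit prefixes. The exit-node prefixes are taken from the RFC 5737 documentation ranges and are assumed for illustration; the single residential address is the one quoted on the page.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not from the BitMEX analysis). The VPN exit
# addresses are drawn from the RFC 5737 documentation ranges; the one
# residential address is the one quoted on the page.
SAMPLE_LOG = """\
2025-05-01T09:12:03Z user=Victor ip=192.0.2.10 action=login
2025-05-01T09:40:11Z user=Victor ip=192.0.2.10 action=push
2025-05-02T10:05:44Z user=Victor ip=203.0.113.8 action=login
2025-05-02T11:30:00Z user=Victor ip=223.104.144.97 action=login
2025-05-03T08:00:21Z user=Victor ip=198.51.100.77 action=push
2025-05-03T08:02:09Z user=Alice ip=10.0.0.5 action=login
"""

# Hypothetical set of VPN exit-node prefixes previously observed for the
# actor; an analyst would build this from earlier log entries.
KNOWN_VPN_EXIT_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)")


def parse_log(log_text):
    """Yield (timestamp, user, ip_address) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # skip malformed addresses rather than crash the review
        yield m.group("ts"), m.group("user"), ip


def is_known_exit(ip, known_nets):
    """True if the address sits inside any known VPN exit prefix."""
    return any(ip in net for net in known_nets)


def find_outliers(log_text, user, known_nets):
    """Return (timestamp, ip) entries for `user` whose source address is
    globally routable but outside every known VPN exit prefix."""
    outliers = []
    for ts, u, ip in parse_log(log_text):
        if u != user:
            continue
        if ip.is_private or not ip.is_global:
            continue  # internal or reserved addresses are not attribution leads
        if not is_known_exit(ip, known_nets):
            outliers.append((ts, str(ip)))
    return outliers


def ip_frequency(log_text, user):
    """Count how often each address appears for `user`. A one-off address
    among repeatedly used exit nodes strengthens the outlier signal."""
    return Counter(str(ip) for _, u, ip in parse_log(log_text) if u == user)


if __name__ == "__main__":
    for ts, ip in find_outliers(SAMPLE_LOG, "Victor", KNOWN_VPN_EXIT_NETS):
        print(f"outlier for Victor: {ts} {ip}")
    print(ip_frequency(SAMPLE_LOG, "Victor"))
```

A single out-of-pattern address is a lead, not proof: the next step is to confirm the address's allocation (residential versus VPN or hosting provider) from an independent source before treating it as the operator's real location.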

Referenced by

Threat actor analysis and intelligence

Crypto news
