Threat actor analysis and intelligence

BitMEX uncovered a potential operational error by the Lazarus Group while analyzing a malicious GitHub repository and an exposed Supabase database, identifying an IP address linked to a residential internet connection in China that may reveal an attacker’s real location.
BitMEX’s investigation into a May 2025 phishing attempt, in which a Lazarus Group attacker posed as a Web3 collaborator and shared a malicious NFT project, uncovered a misconfigured Supabase database used to track infected devices; it held over 850 entries, and the pattern of activity suggested a structured work schedule aligned with Pyongyang time.
A Lazarus Group-affiliated attacker targeted BitMEX in May 2025 by posing as a Web3 collaborator on LinkedIn and reused a malware component known as BeaverTail, a credential-stealing script previously attributed to the group by Palo Alto Networks’ Unit 42.
The Lazarus Group operates through multiple subgroups that vary significantly in technical skill and execution quality.

Referenced by

BitMEX reports having thwarted an attack by Lazarus

Crypto news

News story