BitMEX’s investigation into a May 2025 phishing attempt, in which a Lazarus Group attacker posed as a Web3 collaborator and shared a malicious NFT project, uncovered a misconfigured Supabase database used to track infected devices. The database held over 850 entries, and the timing of the operators’ activity suggested a structured work schedule aligned with Pyongyang time.

Claim

Quotes that support claims

So far, this amounts to 856 entries with 174 unique user/hostname combinations... we identified a consistent period of downtime for the operators from ~8am to ~1pm UTC (5pm to 10pm Pyongyang time), which suggests that they do have a structured schedule or consistent ‘working hours’.
This initial part of the file was new to us: it connects to a Supabase instance and writes metadata (username, hostname, os, ip, geolocation, time) about the computer that has been infected.

Referenced by

Threat actor analysis and intelligence

Crypto news

Data block