BitMEX launched an investigation in May 2025 after a Lazarus Group-affiliated attacker contacted a BitMEX employee on LinkedIn with a fake NFT project. Its analysis of the suspicious activity may have revealed some of the group's tracking techniques and exposed significant lapses in the group's operational security.

Claim

Quotes that support claims

The BitMEX security team says it investigated the incident, allegedly discovering new insight into the group’s inner workings — including potential IP addresses — and ‘significant lapses in operational security.’
Investigating this Lazarus Group campaign shows a stark contrast between their entry-level phishing strategies and advanced post-exploitation techniques. The accidental exposure of the Supabase database revealed not only their tracking methods but also significant lapses in operational security, such as the leakage of Chinese IP addresses.
