Cryptocurrency exchange BitMEX said it successfully thwarted an attempted phishing attack believed to be orchestrated by the North Korean state-backed hacking collective Lazarus Group, which is notorious for its massive cryptocurrency heists.
BitMEX revealed in a blog post that one of its employees was targeted on LinkedIn by a fake recruiter promoting a job at an NFT project. The attacker attempted to trick the employee into executing malicious code, but the threat was flagged and neutralized before any harm was done.
BitMEX’s internal investigation revealed indicators pointing to Lazarus, including reused malware code and a potentially exposed IP address. The malware, dubbed “BeaverTail,” has previously been linked to Lazarus by cybersecurity firm Palo Alto Networks’ Unit 42.
“It appears the group is splintered into sub-teams with varying technical ability,” BitMEX wrote. The firm’s security team also developed a custom tool to monitor the attacker’s backend systems in real time and identified at least 10 accounts involved in malware development.
The attempted breach comes amid a surge in Lazarus-related incidents across the crypto industry. Just weeks earlier, US-based crypto exchange Kraken revealed it had blocked another North Korean infiltration attempt via a bogus job application for an engineering role. Discrepancies in the candidate's identity and behavior during interviews prompted further investigation, which uncovered links to known North Korean cyber units and a web of fake identities used to penetrate multiple firms.
America’s largest cryptocurrency exchange, Coinbase, meanwhile, is still assessing damages from a separate security incident that may cost the company up to $400 million.
Security experts warn that North Korea is increasingly embedding operatives in blockchain and crypto firms to siphon funds and intelligence. The Lazarus Group alone has been blamed for several major attacks this year, including February’s $1.4 billion Bybit breach and more than $650 million in other exploits.