BitMEX analyzed a Lazarus Group campaign targeting cryptocurrency-sector personnel through LinkedIn outreach and a private GitHub repository for a supposed NFT marketplace collaboration. The repository contained a Next.js/React project with JavaScript that contacted regioncheck[.]net and fashdefi[.]store:6168, executed returned code, and exposed strings consistent with credential-stealing behavior associated with BeaverTail-style DPRK malware. Deobfuscation showed the first-stage code writing infected host metadata to a misconfigured Supabase database, including username, hostname, OS, IP address, geolocation, and timestamp. That exposed database contained hundreds of infection logs and apparent operator test systems, including VPN-heavy activity and a China Mobile IP address that BitMEX assessed as an operational security mistake. The case highlights a gap between relatively simple Lazarus social engineering for initial access and more capable post-exploitation operations against crypto targets.