Bitrefill blames Lazarus hacker group, associated with North Korea, for breaching 18,500 transaction records.


Bitrefill will absorb the losses from operational capital.

Bitrefill attributes the March 1 breach to a hacker group associated with North Korea. (geralt/Pixabay)

Key points:

  • Bitrefill reported that a cyberattack on March 1, 2026, linked to North Korea’s Lazarus Group affected parts of its infrastructure, depleted some hot wallets, and revealed around 18,500 purchase records.
  • The incident started with a compromised employee laptop that disclosed legacy credentials, enabling attackers to access production keys, exploit gift card supply chains, and transfer funds before the firm took systems offline.
  • Bitrefill will absorb the losses from operational capital.

Cryptocurrency payment and gift card platform Bitrefill has held the North Korea-associated hacking group Lazarus accountable for a cyberattack on March 1, 2026, which compromised segments of its infrastructure and cryptocurrency wallets.

The intruders accessed production keys, moved funds from hot wallets, and disclosed 18,500 purchase records that included emails, payment addresses, and IP addresses.

About 1,000 records contained encrypted usernames. Affected users have been notified. Operations have resumed, with the company declaring it will cover losses from operational capital. This incident highlights the necessity for vigilance concerning crypto and on-chain security.

The attribution rests on the malware used, on-chain tracing of the stolen funds, and reused IP and email addresses that match earlier attacks attributed to North Korea’s Lazarus Group, also known as Bluenoroff, the company stated in a detailed report on X.

The Lazarus Group has a history of targeting cryptocurrency projects such as Ronin Network, Harmony’s Horizon Bridge, WazirX, and Atomic Wallet.

Details of the attack

The incident began with a compromised employee laptop, which exposed legacy credentials and allowed the attackers to reach Bitrefill’s broader infrastructure, including parts of its database and cryptocurrency wallets.

The breach quickly became evident when the firm detected unusual purchasing activity among specific suppliers, indicating that attackers were exploiting its gift card inventory and supply chains. The company also observed that some hot wallets were being drained and funds were transferred to the attackers’ addresses, prompting the system to be taken offline to mitigate damage.

“Bitrefill conducts a global e-commerce operation with numerous suppliers, thousands of products, and various payment methods across multiple countries. Safely shutting all of these operations down and bringing them back online is not simple,” the company stated in a release.

Since the incident, Bitrefill has been collaborating with security researchers, incident response teams, on-chain analysts, and law enforcement to probe the breach.

Impact on customer data

The attackers accessed a limited number of purchase records, approximately 18,500, containing

Bitrefill said there is no indication that customer data was a primary target. Logs show that the attackers executed a limited number of queries focused on cryptocurrency holdings and gift card inventory rather than extracting the entire database.

The platform retains minimal personal data and does not require KYC. A small set of purchase records, around 18,500, was accessed, containing details such as email addresses, cryptocurrency payment addresses, and metadata including IP addresses. Roughly 1,000 records included encrypted names for specific products; the company is treating this data as potentially compromised and has directly informed affected customers via email.

Currently, Bitrefill does not believe customers should take any further action, although it recommends caution regarding unexpected communications related to Bitrefill or cryptocurrency.

Measures to enhance security

In response to the breach, Bitrefill stated it has already strengthened its security controls and is working to learn from the incident.

The company detailed several actions, including conducting extensive penetration tests with external experts, tightening internal access controls, improving logging and monitoring for quicker threat detection, and refining incident response procedures and automated shutdown protocols.
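The two signals Bitrefill describes noticing, a burst of purchases against particular suppliers and hot wallets draining to outside addresses, are the kind of thing the "improved logging and monitoring" and "automated shutdown protocols" above are meant to catch early. The following is an added illustration, not Bitrefill's code or anything from its report: a sliding-window monitor over a constructed event stream that flags per-supplier purchase bursts and per-wallet outflow spikes and turns them into a response plan. Thresholds, event fields, supplier and wallet names are all assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample events, not real Bitrefill data:
# (timestamp_seconds, kind, key, amount_usd) in arrival order.
SAMPLE_EVENTS = [
    (0, "purchase", "supplier-A", 50.0),
    (60, "purchase", "supplier-A", 25.0),
    (120, "purchase", "supplier-B", 100.0),
    (600, "purchase", "supplier-A", 500.0),
    (610, "purchase", "supplier-A", 500.0),
    (620, "purchase", "supplier-A", 500.0),
    (630, "purchase", "supplier-A", 500.0),
    (640, "purchase", "supplier-A", 500.0),
    (650, "purchase", "supplier-A", 500.0),   # sixth purchase in 300 s -> burst
    (700, "outflow", "hot-wallet-1", 2000.0),
    (705, "outflow", "hot-wallet-1", 9000.0),  # 11,000 USD in 5 s -> drain
]

# Assumed thresholds; a real deployment derives these from per-supplier and
# per-wallet baselines rather than fixed constants.
WINDOW_SECONDS = 300
MAX_PURCHASES_PER_WINDOW = 5
MAX_OUTFLOW_USD_PER_WINDOW = 10_000.0


def detect_anomalies(events, window=WINDOW_SECONDS,
                     max_purchases=MAX_PURCHASES_PER_WINDOW,
                     max_outflow=MAX_OUTFLOW_USD_PER_WINDOW):
    """Single pass over time-ordered events.

    Returns a list of (alert_kind, key, timestamp) tuples. Each (kind, key)
    pair fires at most once so a sustained burst does not flood the on-call.
    """
    purchase_times = defaultdict(deque)   # supplier -> timestamps inside window
    outflow_items = defaultdict(deque)    # wallet -> (timestamp, amount) inside window
    outflow_total = defaultdict(float)    # wallet -> running sum of the window
    fired = set()
    alerts = []

    for ts, kind, key, amount in sorted(events, key=lambda e: e[0]):
        if kind == "purchase":
            q = purchase_times[key]
            q.append(ts)
            while q and ts - q[0] > window:        # expire old entries
                q.popleft()
            if len(q) > max_purchases and ("purchase_burst", key) not in fired:
                fired.add(("purchase_burst", key))
                alerts.append(("purchase_burst", key, ts))

        elif kind == "outflow":
            q = outflow_items[key]
            q.append((ts, amount))
            outflow_total[key] += amount
            while q and ts - q[0][0] > window:     # expire and subtract old outflows
                _, old_amount = q.popleft()
                outflow_total[key] -= old_amount
            if outflow_total[key] > max_outflow and ("wallet_drain", key) not in fired:
                fired.add(("wallet_drain", key))
                alerts.append(("wallet_drain", key, ts))

    return alerts


def plan_response(alerts):
    """Map alerts to containment actions.

    A supplier burst alone freezes purchasing at that supplier; any wallet
    drain escalates to a full platform shutdown, since by then keys are
    presumed compromised.
    """
    plan = {"freeze_suppliers": [], "halt_wallets": [], "shutdown": False}
    for kind, key, _ in alerts:
        if kind == "purchase_burst":
            plan["freeze_suppliers"].append(key)
        elif kind == "wallet_drain":
            plan["halt_wallets"].append(key)
            plan["shutdown"] = True
    return plan


if __name__ == "__main__":
    found = detect_anomalies(SAMPLE_EVENTS)
    for alert in found:
        print("ALERT", alert)
    print(plan_response(found))
```

Worth noting in the design: the outflow check keys on cumulative value inside the window rather than on individual transaction size, so an attacker splitting a drain into many small transfers still trips it, and the shutdown decision is driven by the wallet signal rather than the purchase signal, which on its own could be a legitimate promotion or a reseller restocking.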

Future outlook

Bitrefill acknowledged that this was its first significant attack in over a decade of operation but emphasized that it remains well-capitalized and profitable, capable of absorbing operational losses. Most systems, including payments, stock, and accounts, are back online, with sales volumes returning to normal.

“Experiencing a sophisticated attack is challenging,” the company noted. “However, we persevered. We will continue striving to maintain our customers’ trust.”