Bitrefill blames North Korea-linked Lazarus hacker group for compromising 18,500 purchase records

Cryptocurrency payments and gift card platform Bitrefill accused North Korea-linked hacking group Lazarus of launching a cyberattack on March 1, 2026, that compromised part of its infrastructure and cryptocurrency wallets.

The attackers obtained production keys, transferred funds from hot wallets, and exposed 18,500 purchase records containing emails, payment addresses, and IP addresses.

Approximately 1,000 records contain encrypted usernames. Affected users have been notified. The company has resumed operations and announced it will use working capital to cover losses. The incident highlights the importance of remaining vigilant about cryptocurrencies and on-chain security.

In a detailed report on X, the company said the attackers' modus operandi, including the malware used, on-chain tracing of the stolen funds, and reused IP and email addresses, was similar to previous attacks by North Korea’s Lazarus Group, also known as Bluenoroff.

Crypto projects previously targeted by Lazarus Group include Ronin Network, Harmony’s Horizon Bridge, WazirX and Atomic Wallet.

How the attack unfolded

It all started with a compromised employee laptop that exposed legacy credentials and allowed the attackers to access Bitrefill’s wider infrastructure, including parts of its database and cryptocurrency wallets.

The intrusion quickly became apparent when the company noticed unusual purchasing patterns from certain suppliers, suggesting the attackers were exploiting its gift card inventory and supply chain. The company also noted that the attackers were draining some hot wallets and transferring funds to their own addresses; systems were subsequently taken offline to contain the damage.

“Bitrefill operates a global e-commerce business with dozens of suppliers, thousands of products, and multiple payment methods in many countries. Safely shutting all of this down and bringing it back online is no easy task,” the company said in a statement.


Since the incident, Bitrefill has been working with security researchers, incident response teams, on-chain analysts, and law enforcement to investigate the breach.

Customer data impact

The hackers accessed a small set of purchase records, approximately 18,500, which included

Bitrefill said there was no evidence that customer data was the primary target. Its logs indicate that the attackers ran a limited number of queries against cryptocurrency holdings and gift card inventories, rather than extracting the entire database.

The platform stores minimal personal data and does not require mandatory KYC. A small number of purchase records (approximately 18,500) were accessed, which contained information such as email addresses, encrypted payment addresses and metadata including IP addresses. Approximately 1,000 records contain the encrypted names of specific products; the company considers this data to be potentially compromised and has notified affected customers directly via email.

At this time, Bitrefill does not believe customers need to take any additional action, but it advises caution with unexpected communications related to Bitrefill or cryptocurrency.

Enhanced security measures

In response to the breach, Bitrefill said it has strengthened its cybersecurity practices and is working to learn from the incident.

The company outlined several measures, including conducting comprehensive penetration testing with external experts, tightening internal access controls, enhancing logging and monitoring to detect threats faster, and refining incident response procedures and automated shutdown protocols.
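The logging-and-monitoring measure listed above is where the two early signals in this incident (unusual supplier purchasing and hot-wallet drains) would be caught. As an added illustration, not Bitrefill's code and not based on its systems, the Python below flags a per-supplier order spike against a trailing baseline and hot-wallet outflows that go to non-allowlisted destinations or exceed a short-window velocity cap. All records, supplier names, addresses and thresholds are constructed assumptions.

```python
"""Added example: two simple detections over constructed purchase and wallet
records. Not Bitrefill's code; data, names and thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily order counts per supplier (not real data).
# Days 1-7 are a quiet baseline; day 8 shows a spike at supplier sup-A.
SUPPLIER_ORDERS = [
    {"day": d, "supplier": "sup-A", "orders": n}
    for d, n in zip(range(1, 9), [100, 110, 95, 105, 98, 102, 107, 640])
] + [
    {"day": d, "supplier": "sup-B", "orders": n}
    for d, n in zip(range(1, 9), [40, 42, 38, 45, 41, 39, 44, 43])
]

# Constructed hot-wallet outflow events (amounts in coin units, times in minutes).
WALLET_OUTFLOWS = [
    {"minute": 0, "wallet": "hot-1", "to": "addr-known-settlement", "amount": 2.0},
    {"minute": 5, "wallet": "hot-1", "to": "addr-known-settlement", "amount": 1.5},
    {"minute": 40, "wallet": "hot-1", "to": "addr-unknown-1", "amount": 12.0},
    {"minute": 42, "wallet": "hot-1", "to": "addr-unknown-2", "amount": 9.0},
]

# Assumed allowlist of destinations the treasury normally pays out to.
ALLOWLISTED_DESTINATIONS = {"addr-known-settlement"}


def supplier_spikes(records, z_threshold=3.0, min_baseline_days=5):
    """Return (supplier, day, orders, baseline_mean) for each day whose order
    count sits more than z_threshold standard deviations above that supplier's
    trailing baseline. Days with too little history are skipped."""
    by_supplier = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["day"]):
        by_supplier[rec["supplier"]].append(rec)

    alerts = []
    for supplier, rows in by_supplier.items():
        for i, row in enumerate(rows):
            history = [x["orders"] for x in rows[:i]]
            if len(history) < min_baseline_days:
                continue
            mu = mean(history)
            sigma = max(pstdev(history), 1.0)  # floor avoids a zero divisor on flat baselines
            if (row["orders"] - mu) / sigma > z_threshold:
                alerts.append((supplier, row["day"], row["orders"], round(mu, 1)))
    return alerts


def wallet_outflow_alerts(events, window_minutes=10, max_window_amount=20.0,
                          allowlist=ALLOWLISTED_DESTINATIONS):
    """Return (wallet, minute, reason) for outflows to a destination outside the
    allowlist, and for any event whose trailing window_minutes of outflow from
    the same wallet exceeds max_window_amount (a velocity cap)."""
    by_wallet = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["minute"]):
        by_wallet[ev["wallet"]].append(ev)

    alerts = []
    for wallet, rows in by_wallet.items():
        for i, ev in enumerate(rows):
            if ev["to"] not in allowlist:
                alerts.append((wallet, ev["minute"], "non-allowlisted destination"))
            window_total = sum(
                x["amount"] for x in rows[: i + 1]
                if x["minute"] > ev["minute"] - window_minutes
            )
            if window_total > max_window_amount:
                alerts.append((wallet, ev["minute"], "outflow velocity"))
    return alerts


if __name__ == "__main__":
    for alert in supplier_spikes(SUPPLIER_ORDERS):
        print("supplier spike:", alert)
    for alert in wallet_outflow_alerts(WALLET_OUTFLOWS):
        print("wallet alert:", alert)
```

Both checks are deliberately stateless per run so they can sit on a cron job or a stream processor; the value of the velocity cap and the allowlist is that an automated shutdown protocol (also listed among the measures) can key off an alert within minutes rather than waiting for a human to notice a supplier anomaly the next day.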

Outlook

Bitrefill admitted that this was the first major attack in its more than a decade of operations, but stressed that it was well-funded and profitable, with the ability to absorb operational losses. Most systems, including payments, inventory and accounts, are back online and sales are back to normal.


“Being hit by a sophisticated attack sucks,” the company said. “But we survived. We will continue to do our best and continue to be worthy of our customers’ trust.”
