Bitrefill disclosed that it was targeted in a cyberattack on March 1, which resulted in the theft of cryptocurrency funds, and said its investigation found multiple indicators linking the incident to tactics used by the DPRK-associated Lazarus/Bluenoroff group.
The company stated that similarities in the attackers’ methods, malware, on-chain tracing patterns, and the reuse of IP and email addresses are consistent with previous operations attributed to the group.
Bitrefill Cyberattack
According to the company, the breach originated from a compromised employee’s laptop, where a legacy credential was extracted. That credential allowed access to a snapshot containing production secrets, which the attackers then used to expand their access across Bitrefill’s systems. This enabled them to reach parts of the database and certain cryptocurrency wallets.
In its latest tweet, Bitrefill said it first identified the incident after detecting unusual purchasing patterns involving some suppliers, which indicated that its gift card inventory and supply flows were being misused. At the same time, it observed that some hot wallets were being drained, and funds were sent to addresses controlled by the attackers. Once the breach was confirmed, the company shut down all systems to contain the situation.
Following the incident, Bitrefill confirmed that it has been working with external cybersecurity experts, incident response teams, blockchain analysts, and law enforcement.
The company said there is no indication that customer data was the main focus of the attack. According to its logs, the attackers ran a limited number of database queries consistent with probing activity to identify what could be extracted. This included cryptocurrency and gift card inventory. Bitrefill added that it stores minimal personal data and does not require mandatory KYC, with any verification information held by an external provider.
However, it confirmed that about 18,500 purchase records were accessed, including email addresses, cryptocurrency payment addresses, and metadata such as IP addresses. In roughly 1,000 cases where customers had provided names for specific products, the information was encrypted, but the company is treating it as potentially accessed due to possible exposure of encryption keys. Those users have been notified.
Bitrefill said it does not currently believe customers need to take specific action, but advised vigilance regarding any unexpected communications related to Bitrefill or cryptocurrency.
The company added that it has strengthened its security measures, including conducting further external cybersecurity reviews and penetration testing, tightening internal access controls, improving monitoring and logging systems, and refining incident response procedures. It said the financial losses will be covered from its operational capital, and that most services, including payments and inventory, have been restored.
Lazarus Havoc
Even as many crypto platforms have ramped up their security frameworks in recent years, threat actors continue to bypass protections. The Lazarus Group remains the sector’s most persistent and dangerous adversary, responsible for the largest crypto hack on record after stealing $1.4 billion from Bybit in February 2025.
Blockchain investigator ZachXBT previously said that breaches involving platforms such as Bybit, DMM Bitcoin, and WazirX saw stolen funds laundered with ease. The on-chain investigator had added that the laundering groups have “seemingly won the battle” over enforcement.
The post North Korea-Linked Hackers Suspected in Bitrefill Breach That Drained Wallets appeared first on CryptoPotato.
