Cryptocurrency payments and gift card platform Bitrefill has accused North Korea-linked hacking group Lazarus of being responsible for a March 1, 2026, cyberattack that compromised part of its infrastructure and cryptocurrency wallets.
The attackers gained access to production keys, transferred funds from hot wallets, and exposed 18,500 purchase records containing emails, payment addresses, and IP addresses.
Around 1,000 records included encrypted usernames. Affected users have been informed. Operations have resumed, with the company announcing it will cover losses on operating capital. The incident highlights the importance of vigilance regarding cryptocurrency and on-chain security.
The modus operandi, which included malware, on-chain tracing and the reuse of IP and email addresses, was similar to that of previous attacks attributed to the North Korean group Lazarus, also known as Bluenoroff, the company said in a detailed report on X.
Lazarus Group has previously targeted crypto projects including Ronin Network, Harmony’s Horizon Bridge, WazirX and Atomic Wallet.
How did the attack take place?
It all started with a compromised employee laptop, which exposed legacy credentials and allowed attackers to access Bitrefill’s broader infrastructure, including parts of its database and cryptocurrency wallets.
The breach quickly became apparent when the company noticed unusual purchasing patterns among some suppliers, indicating that the attackers were exploiting its gift card inventory and supply chains. The company also noted that the attackers emptied some hot wallets and transferred funds to their own addresses, after which the system was taken offline to contain the damage.
“Bitrefill operates a global e-commerce business with dozens of suppliers, thousands of products, and multiple payment methods in numerous countries. Safely turning all of these things off and putting them back online is no trivial matter,” the company said in a statement.
Since the incident, Bitrefill has worked with security researchers, incident response teams, on-chain analysts, and law enforcement to investigate the breach.
Impact on customer data
The hackers accessed a small set of purchasing records, approximately 18,500, containing
Bitrefill said there was no evidence that customer data was a primary target. Its logs indicate that the attackers ran a limited number of queries targeting cryptocurrency holdings and gift card inventory rather than extracting the entire database.
The platform stores minimal personal data and does not require mandatory KYC. A small subset of purchase records, approximately 18,500, were accessed, containing information such as email addresses, encrypted payment addresses, and metadata including IP addresses. Around 1,000 records contained cryptic names for specific products; the company considers this data to be potentially compromised and has informed affected customers directly by email.
At this time, Bitrefill does not believe customers should take any additional steps, although it recommends caution regarding unexpected communications related to Bitrefill or cryptocurrency.
Measures to strengthen security
In response to the breach, Bitrefill said it has already strengthened its cybersecurity practices and is working to learn lessons from the incident.
The company outlined several measures, including conducting comprehensive penetration testing with external experts, strengthening internal access controls, improving logging and monitoring for faster threat detection, and refining incident response procedures and automated shutdown protocols.
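The two defensive signals the report mentions, unusual purchasing patterns among suppliers and an automated shutdown protocol, can be made concrete. The following Python sketch is an added illustration, not Bitrefill's code: the purchase record format, the supplier names, the IP addresses, the thresholds and the sample log are all constructed. It learns a per-supplier spend baseline from a warm-up window, flags later time buckets whose spend jumps far above it, notes when the burst is funnelled through a single source IP, and turns those alerts into a halt-or-review decision.

```python
"""Supplier-purchase anomaly detection with an automated halt rule (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Purchase:
    minute: int        # minutes since the start of the observation window
    supplier: str
    amount_usd: float
    src_ip: str


# Constructed sample log (hypothetical suppliers and IPs): a steady hour of
# baseline buying from two suppliers, followed by a ten-minute burst of large
# "giftco" purchases all coming from one address.
SAMPLE_LOG = (
    [Purchase(m, "giftco", 25.0, f"10.0.0.{m % 7}") for m in range(0, 60)]
    + [Purchase(m, "cardhub", 40.0, f"10.0.1.{m % 5}") for m in range(0, 60, 2)]
    + [Purchase(60 + m, "giftco", 480.0, "203.0.113.9") for m in range(0, 10)]
)


def bucket_purchases(log, bucket_minutes):
    """Group purchases by (supplier, time bucket)."""
    buckets = defaultdict(list)
    for p in log:
        buckets[(p.supplier, p.minute // bucket_minutes)].append(p)
    return buckets


def detect_anomalies(log, baseline_buckets=6, bucket_minutes=10,
                     spend_factor=3.0, ip_share=0.8):
    """Return one alert per (supplier, bucket) at or after the baseline window
    whose spend exceeds the supplier's learned threshold.

    The threshold is the larger of mean + 3 sigma and spend_factor * mean, so a
    perfectly flat baseline (sigma == 0) still leaves headroom for normal
    growth. A supplier with no baseline history gets a threshold of 0, so any
    spend from a never-before-seen supplier is flagged.
    """
    buckets = bucket_purchases(log, bucket_minutes)
    alerts = []
    for supplier in sorted({s for s, _ in buckets}):
        baseline = [sum(p.amount_usd for p in buckets.get((supplier, b), []))
                    for b in range(baseline_buckets)]
        mu, sigma = mean(baseline), pstdev(baseline)
        threshold = max(mu + 3 * sigma, spend_factor * mu)
        later = sorted(b for s, b in buckets
                       if s == supplier and b >= baseline_buckets)
        for b in later:
            purchases = buckets[(supplier, b)]
            spend = sum(p.amount_usd for p in purchases)
            if spend <= threshold:
                continue
            # Source-IP concentration: a burst from one address is a stronger
            # signal than the same spend spread across the usual client base.
            ip_counts = defaultdict(int)
            for p in purchases:
                ip_counts[p.src_ip] += 1
            top_ip, top_n = max(ip_counts.items(), key=lambda kv: kv[1])
            alerts.append({
                "supplier": supplier,
                "bucket": b,
                "spend_usd": spend,
                "threshold_usd": threshold,
                "single_ip": top_ip if top_n / len(purchases) >= ip_share else None,
            })
    return alerts


def halt_decision(alerts):
    """Automated shutdown rule: halt purchasing from a supplier whose anomalous
    spend also comes from a concentrated source IP; otherwise queue it for
    human review rather than stopping a possibly legitimate sales spike."""
    halt = sorted({a["supplier"] for a in alerts if a["single_ip"]})
    review = sorted({a["supplier"] for a in alerts if not a["single_ip"]}
                    - set(halt))
    return {"halt": halt, "review": review}


if __name__ == "__main__":
    found = detect_anomalies(SAMPLE_LOG)
    for a in found:
        print(a)
    print(halt_decision(found))
```

The split between "halt" and "review" is the design point: an automated kill switch should fire on the conjunction of independent signals (spend far above baseline and a single-source burst), while a spend anomaly on its own only pages an analyst, which keeps a genuine promotion-driven spike from taking the store offline.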
Looking ahead
Bitrefill acknowledged that this was its first major attack in more than a decade in business, but stressed that it remained well-funded and profitable, capable of absorbing operational losses. Most systems, including payments, inventory and accounts, are back online and sales volumes are returning to normal.
“Being hit by a sophisticated attack sucks,” the company said. “But we survived. We will continue to do our best to continue to earn the trust of our customers.”