Cryptocurrency funds and reward card platform Bitrefill has blamed the North Korea-linked hacking group Lazarus for a cyberattack on March 1, 2026, that compromised elements of its infrastructure and cryptocurrency wallets.
The attackers gained entry to manufacturing keys, transferred funds from sizzling wallets, and uncovered 18,500 buy data containing emails, fee addresses, and IP addresses.
Roughly 1,000 data included encrypted usernames. Affected customers have been notified. Operations have resumed, with the corporate asserting to cowl losses from operational capital. The incident underscores the significance of vigilance concerning crypto and on-chain safety.
The modus operandi included malware, on-chain tracing and reused IP and e-mail addresses and was much like earlier assaults attributed to North Korea’s Lazarus Group, often known as Bluenoroff, the corporate mentioned in an in depth report on X.
The Lazarus Group has beforehand focused crypto tasks together with Ronin Community, Concord’s Horizon Bridge, WazirX, and Atomic Pockets.
How the assault unfolded
All of it started with with a compromised worker laptop computer, which uncovered legacy credentials and allowed attackers to entry Bitrefill’s broader infrastructure, together with elements of its database and cryptocurrency wallets.
The breach rapidly turned obvious when the corporate observed uncommon buying patterns amongst sure suppliers, signaling that attackers have been exploiting its reward card stock and provide chains. The agency additionally famous that attackers have been draining some sizzling wallets and shifting funds to their very own addresses, following which, the system was taken offline to include the injury.
“Bitrefill operates a worldwide e-commerce enterprise with dozens of suppliers, 1000’s of merchandise, and a number of fee strategies throughout many international locations. Safely switching all this stuff off and bringing them again on-line just isn’t trivial,” the corporate mentioned in a press release.
For the reason that incident, Bitrefill has been working with safety researchers, incident response groups, on-chain analysts, and regulation enforcement to research the breach.
Buyer information influence
Hackers accessed a small set of buy data, roughly 18,500, containing
Bitrefill mentioned there isn’t any proof that buyer information was a main goal. Its logs point out that attackers ran a restricted variety of queries aimed toward cryptocurrency holdings and reward card stock relatively than extracting your entire database.
The platform shops minimal private information and doesn’t require necessary KYC. A small subset of buy data, roughly 18,500, was accessed, containing info akin to e-mail addresses, crypto fee addresses, and metadata together with IP addresses. About 1,000 data contained encrypted names for particular merchandise; the corporate is treating this information as probably compromised and has notified affected clients instantly by e-mail.
At current, Bitrefill doesn’t consider clients have to take any extra motion, although it advises warning concerning surprising communications associated to Bitrefill or cryptocurrency.
Steps to strengthen safety
In response to the breach, Bitrefill mentioned it has already strengthened its cybersecurity practices and is working to attract classes from the incident.
The corporate outlined a number of measures, together with conducting complete penetration checks with exterior consultants, tightening inside entry controls, enhancing logging and monitoring for sooner risk detection, and refining incident response procedures and automatic shutdown protocols.
Wanting ahead
Bitrefill acknowledged that this was its first main assault in additional than a decade of operation however harassed that it stays well-funded and worthwhile, able to absorbing operational losses. Most methods, together with funds, inventory, and accounts, are again on-line, with gross sales volumes returning to regular.
“Getting hit by a classy assault sucks (quite a bit),” the corporate mentioned. “However we survived. We’ll proceed to do our greatest to proceed deserving our clients’ belief.”
