Bitrefill blames North Korea-linked hacking group Lazarus for compromising 18,500 purchase records

Cryptocurrency payments and gift card platform Bitrefill blamed North Korea-linked hacking group Lazarus for a cyberattack on March 1, 2026 that compromised parts of its infrastructure and cryptocurrency wallets.

The attackers gained access to production keys, transferred funds from hot wallets, and exposed 18,500 purchase records containing emails, payment addresses, and IP addresses.

Approximately 1,000 records included encrypted usernames. Affected users were notified. Operations have resumed and the company has announced that it will cover operating capital losses. The incident underscores the importance of vigilance regarding cryptocurrencies and on-chain security.

The modus operandi, which included malware, chain tracking, and reused IP and email addresses, was similar to previous attacks attributed to North Korea’s Lazarus Group, also known as Bluenoroff, the company said in a detailed report on X.

The Lazarus Group has previously focused on crypto projects such as Ronin Network, Harmony’s Horizon Bridge, WazirX, and Atomic Wallet.

How the attack developed

It all started with a compromised employee laptop, which exposed legacy credentials and allowed attackers to access Bitrefill’s broader infrastructure, including parts of its database and cryptocurrency wallets.

The breach quickly became apparent when the company noticed unusual purchasing patterns among certain vendors, indicating that attackers were exploiting its gift card inventory and supply chains. The firm also noted that the attackers were draining some active wallets and moving funds to their own addresses, after which the system was taken offline to contain the damage.

“Bitrefill operates a global e-commerce business with dozens of suppliers, thousands of products, and multiple payment methods in many countries. Taking all of these things securely offline and back online is not trivial,” the company said in a statement.

Since the incident, Bitrefill has been working with security researchers, incident response teams, on-chain analysts, and law enforcement authorities to investigate the breach.

Impact on customer data

The hackers accessed a small set of purchase records, approximately 18,500, which contained

Bitrefill said there is no evidence that customer data was the primary target. Their logs indicate that the attackers ran a limited number of queries targeting cryptocurrency holdings and gift card inventory rather than mining the entire database.

The platform stores minimal personal data and does not require mandatory KYC. A small subset of purchase records, approximately 18,500, was accessed, containing information such as email addresses, crypto payment addresses, and metadata including IP addresses. About 1,000 records contained coded names for specific products. The company treats this data as potentially compromised and has notified affected customers directly via email.

Currently, Bitrefill does not believe customers should take any additional action, although it recommends caution regarding unexpected communications related to Bitrefill or cryptocurrencies.

Steps to strengthen security

In response to the breach, Bitrefill said it has already strengthened its cybersecurity practices and is working to draw lessons from the incident.

The company outlined several measures, including conducting comprehensive penetration testing with third-party experts, tightening internal access controls, improving logging and monitoring for faster threat detection, and refining incident response procedures and automated shutdown protocols.

Thinking about the future

Bitrefill acknowledged that this was its first major attack in more than a decade of operation, but emphasized that it remains well-funded, profitable, and capable of absorbing operating losses. Most systems, including payments, stock and accounts, are back online, and sales volumes are returning to normal.

“Getting hit by a sophisticated attack sucks (a lot),” the company said. “But we survived. We will continue to do everything possible to continue to deserve the trust of our customers.”
