Bitrefill Hit by Cyberattack Linked to North Korea's Lazarus Group

Bitrefill discloses March 1 cyberattack

Crypto gift card marketplace Bitrefill publicly disclosed on March 17 that it was hit by a cyberattack on March 1, 2026. Following an internal investigation, the company attributed the breach to BlueNoroff, a subdivision of the North Korean state-sponsored hacking group Lazarus Group.

«March 1st incident report — On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation — including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) — we find many similarities…» — Bitrefill (@bitrefill), original post

Investigators found overlaps with known Lazarus operations across multiple vectors: the malware deployed, operational methods, on-chain transaction trails, and reused IP and email addresses.

Why this matters

Lazarus Group remains one of the most prolific and sophisticated threat actors targeting the cryptocurrency industry. This latest breach illustrates that even well-established platforms with years of operational history remain vulnerable to targeted attacks that exploit individual employees as entry points. The compromise of a staff member's device — a hallmark Lazarus tactic — reinforces the critical importance of endpoint security across the entire crypto ecosystem.

Attack vector: from laptop to hot wallets

The intrusion originated with the compromise of an employee's laptop. The attackers obtained legacy credentials that gave them access to a system snapshot containing production data. From there, they escalated privileges and moved laterally through Bitrefill's infrastructure, eventually reaching databases and cryptocurrency wallets.

The security team detected suspicious gift card operations and unauthorized withdrawals from hot wallets to attacker-controlled addresses. Upon identifying the threat, all systems were immediately shut down to contain the breach.

Scope of the data breach

According to the investigation, the attackers accessed approximately 18,500 purchase records. The compromised data includes:

• Email addresses;
• Cryptocurrency addresses;
• Metadata, including IP addresses.

In roughly 1,000 cases, customers had provided their names when purchasing specific products. While this information was stored in encrypted form, the hackers may have obtained the encryption keys. Bitrefill is treating all affected data as compromised and has already notified impacted users.

Verification data was not affected, as it is held by an external provider and has no backup copies within Bitrefill's systems.

Recovery and strengthened defenses

Bitrefill stated it will cover all financial losses from its own operational capital. The platform's services have been fully restored.

Law enforcement agencies and cybersecurity firms — including Security Alliance and zeroShadow — have been brought in to assist with the ongoing investigation. Bitrefill has since bolstered its security posture with additional monitoring tools and revised incident response procedures.