The Lazarus Group hit Bitrefill on March 1, 2026. The North Korean state-linked hacking unit, also tracked as Bluenoroff, used a compromised employee laptop to break into the company’s systems, draining cryptocurrency wallets and tapping into gift card supply lines before the team even knew what was happening.

Bitrefill confirmed the incident in a post on X, linking the attack to Lazarus based on matching malware signatures, on-chain tracing, and reused IP and email addresses tied to prior crypto industry attacks.

How the Attackers Got In

A legacy credential recovered from the compromised laptop was the entry point. That single credential opened a snapshot holding production secrets, which gave the attackers a path to escalate access across Bitrefill’s broader infrastructure, including parts of its database and certain hot wallets. The chain is the lesson: the compromise of one endpoint became a compromise of production because a credential sitting on that endpoint could read a snapshot full of production secrets.
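The check a practitioner would want after reading that chain is whether their own snapshots and config dumps carry secrets of this kind. The script below is an added example, not Bitrefill's tooling: it scans a constructed snapshot text (every variable name and value in it is made up for the illustration; the AWS values are Amazon's documented example credentials) for structured credential formats and for random-looking values under secret-like names.

```python
"""Scan a snapshot or config dump for embedded production secrets.

Added example (not Bitrefill's tooling). The snapshot text and every
variable name and value in it are constructed for this illustration.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of what a snapshot of an application host might contain.
# The AWS values are Amazon's documented example credentials, not real keys.
SAMPLE_SNAPSHOT = """\
# app.env (constructed sample)
APP_NAME=payments-api
LOG_LEVEL=info
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DATABASE_URL=postgres://app:S3cr3tPassw0rd!@db.internal:5432/prod
WALLET_HOT_KEY=-----BEGIN EC PRIVATE KEY-----
API_TOKEN=changeme
FEATURE_FLAG=true
TIMEOUT_SECONDS=30
"""


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number in the scanned text
    kind: str   # which detector fired
    name: str   # variable name on that line (or a prefix of the line)


# Detectors for credential formats with a recognisable structure.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/\s@]+:[^@\s]+@"),
}
# Variable names that make a random-looking value worth flagging.
SENSITIVE_NAME = re.compile(r"SECRET|TOKEN|PASS(WORD)?|PRIVATE|KEY", re.I)
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_]\w*)\s*[=:]\s*(.+?)\s*$")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random tokens score well above plain words."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_snapshot(text: str, min_len: int = 20, min_entropy: float = 3.5) -> list[Finding]:
    """Return one Finding per line that looks like it carries a secret.

    A line matching a structural signature is reported once under that
    signature; the entropy heuristic only runs on lines no signature caught,
    and only when the variable name suggests a secret, to limit false positives.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        assignment = ASSIGNMENT.match(line)
        name = assignment.group(1) if assignment else line[:20]
        matched = False
        for kind, pattern in SIGNATURES.items():
            if pattern.search(line):
                findings.append(Finding(lineno, kind, name))
                matched = True
                break
        if matched or not assignment or not SENSITIVE_NAME.search(name):
            continue
        value = assignment.group(2)
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append(Finding(lineno, "high_entropy_secret", name))
    return findings


if __name__ == "__main__":
    for f in scan_snapshot(SAMPLE_SNAPSHOT):
        print(f"line {f.line}: {f.kind} ({f.name})")
```

Run over the sample it reports the access key ID, the secret access key (caught by entropy, since it has no fixed prefix), the database URL with an embedded password, and the private key header; `API_TOKEN=changeme` is ignored because a short, low-entropy value under a secret-like name is far more often a placeholder than a credential. The thresholds (20 characters, 3.5 bits per character) are starting points to tune against your own dumps.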

The company’s team first noticed something was off through suspicious purchasing patterns with several suppliers. Gift card stock was being drained. Funds were moving out of hot wallets into attacker-controlled addresses. Once the breach was confirmed, Bitrefill pulled everything offline.
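The first signal was a purchasing anomaly rather than an alert from the intrusion itself. The detector below is an added example of that kind of check, not Bitrefill's own logic: it reads constructed purchase-log lines (the format, the supplier names and every order are made up for the illustration), aggregates spend per supplier into hourly buckets, and flags an hour whose spend is a multiple of that supplier's baseline from earlier hours.

```python
"""Flag abnormal purchasing bursts per supplier from purchase-log lines.

Added example, not Bitrefill's detection logic. The log format, the supplier
names and every order below are constructed for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) supplier=(?P<supplier>\S+) order=(?P<order>\S+) amount_usd=(?P<amount>[0-9.]+)$"
)

# Constructed purchase log: a quiet evening for both suppliers, then a burst of
# large orders to "giftco" in the first minutes of March 1.
SAMPLE_LOG = """\
2026-02-28T18:05:00Z supplier=giftco order=o1 amount_usd=120.00
2026-02-28T19:12:00Z supplier=giftco order=o2 amount_usd=95.00
2026-02-28T20:40:00Z supplier=giftco order=o3 amount_usd=130.00
2026-02-28T21:03:00Z supplier=giftco order=o4 amount_usd=110.00
2026-02-28T22:30:00Z supplier=giftco order=o5 amount_usd=100.00
2026-02-28T23:15:00Z supplier=giftco order=o6 amount_usd=125.00
2026-03-01T00:02:00Z supplier=giftco order=o7 amount_usd=2500.00
2026-03-01T00:03:00Z supplier=giftco order=o8 amount_usd=2500.00
2026-03-01T00:04:00Z supplier=giftco order=o9 amount_usd=2500.00
2026-02-28T18:20:00Z supplier=cardhub order=c1 amount_usd=60.00
2026-02-28T19:20:00Z supplier=cardhub order=c2 amount_usd=70.00
2026-02-28T20:20:00Z supplier=cardhub order=c3 amount_usd=65.00
2026-03-01T00:20:00Z supplier=cardhub order=c4 amount_usd=80.00
"""


def parse_log(text):
    """Yield (timestamp, supplier, amount) tuples; lines that don't parse are skipped."""
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["supplier"], float(m["amount"])


def hourly_spend(events):
    """Aggregate into {supplier: {hour: [total_usd, order_count]}}."""
    buckets = defaultdict(lambda: defaultdict(lambda: [0.0, 0]))
    for ts, supplier, amount in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[supplier][hour][0] += amount
        buckets[supplier][hour][1] += 1
    return buckets


def detect_spikes(buckets, min_history=3, ratio=5.0, min_amount=1000.0):
    """Return alerts for hours whose spend is >= ratio x the supplier's baseline.

    The baseline is the mean of earlier non-alerting hours for that supplier,
    so an attacker's burst does not raise its own baseline. min_history avoids
    alerting on suppliers we have barely seen; min_amount suppresses alerts on
    tiny absolute spends that happen to be a large multiple of a tiny baseline.
    """
    alerts = []
    for supplier, hours in buckets.items():
        history = []
        for hour in sorted(hours):
            total, orders = hours[hour]
            if len(history) >= min_history:
                baseline = sum(history) / len(history)
                if total >= min_amount and total >= ratio * baseline:
                    alerts.append({
                        "supplier": supplier,
                        "hour": hour.strftime("%Y-%m-%dT%H:%M:%SZ"),
                        "spend_usd": round(total, 2),
                        "orders": orders,
                        "baseline_usd": round(baseline, 2),
                        "multiple": round(total / baseline, 1) if baseline else None,
                    })
                    continue  # alerting hours are kept out of the baseline
            history.append(total)
    return alerts


def analyse(text):
    """Parse, aggregate and detect in one call; returns the list of alerts."""
    return detect_spikes(hourly_spend(parse_log(text)))


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample, only the `giftco` hour starting 2026-03-01T00:00 fires: USD 7,500 across three orders against a baseline of roughly USD 113 per hour, while `cardhub`'s USD 80 hour stays below the absolute floor. Keeping alerting hours out of the baseline matters in a drain scenario like the one described: a burst that lasts several hours would otherwise normalise itself after the first alert.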

As Bitrefill posted on X: “We’re back up. Mostly. We expect everything to be back to normal within a couple of days.”

What the Hackers Accessed

Around 18,500 purchase records were accessed. Those records held limited customer details: email addresses, crypto payment addresses, and IP metadata. The logs showed no evidence of a full database extraction.

For roughly 1,000 purchases, names were required at checkout. That data sits encrypted in Bitrefill’s database. Because the attackers may have obtained the encryption keys, Bitrefill is treating those names as potentially accessed: encryption at rest only protects data from an intruder who cannot also reach the keys, and here the same compromised access path may have reached both. Customers in that group were notified directly.

KYC data was not stored internally. When customers opt into identity verification, that information goes to an external KYC provider only, with no internal backup held by Bitrefill.

The Recovery and Who Helped

Bitrefill engaged ZeroShadow, SEAL Org, Recoveris, and fearsoff for incident response support, alongside law enforcement and on-chain analysts. The company cited their rapid coordination as central to understanding the scope of the breach.

In a detailed March 1 incident report posted on X, Bitrefill said the attack shared strong similarities with past Lazarus and Bluenoroff operations targeting other crypto companies, noting the group’s modus operandi, reused infrastructure, and familiar malware patterns.

User gift cards, store credits, and KYC information were not affected by the incident. Sales volumes returned to normal shortly after the platform came back online. Bitrefill said it will absorb the losses from operational capital, describing itself as profitable and well funded heading into this period.

The company has since tightened internal access controls, expanded logging and monitoring, and has ongoing penetration tests with multiple external security firms.