Crypto e-commerce and gift card service provider Bitrefill revealed earlier this month that it fell victim to a cyberattack, allegedly orchestrated by North Korea’s state-sponsored hacking collective, the Lazarus Group. The company reported that attackers gained access to around 18,500 purchase records, potentially exposing limited customer information and siphoning funds from some of its “hot wallets.”
Employee System Compromise and Attack Methodology
According to Bitrefill, the breach was executed via an employee’s laptop, following a modus operandi similar to previous Lazarus Group attacks. The company stated, “Indicators observed during the investigation—including attack methodology, malware used, on-chain tracing, and reused IP and email addresses—show many similarities between this attack and prior incidents by the Lazarus/Bluenoroff subgroup targeting the crypto industry.”
Customer Data Exposure and Wallet Breach
During the incident, the attackers drained funds from several of Bitrefill's hot wallets and executed suspicious transactions with the company's vendors. The total financial impact of the attack remains unclear. The breach, which reportedly began on March 1, also compromised parts of the company's database and certain cryptocurrency wallets. For roughly 1,000 of the 18,500 records, the company judged the risk higher because the encrypted customer names they contained could potentially be exposed; the affected individuals were notified.
Lazarus Group’s Growing Role in Crypto Attacks
Cybersecurity analysts warn that North Korea remains one of the most significant threats to the crypto sector. Chainalysis estimated that in 2025, DPRK-linked groups and individuals stole $2.02 billion in cryptocurrency, including the $1.5 billion hack of the Bybit exchange attributed to Lazarus.
Response Measures and Industry Implications
Bitrefill clarified that customer data was not the primary target of the attack. Most purchases on the platform do not require mandatory KYC; where KYC is necessary, the information is stored exclusively with external KYC providers. The company said it would absorb losses from its operational capital and worked closely with cybersecurity firms zeroShadow, SEAL911, and RecoverisTeam to respond to the incident.
Bitrefill reassured customers that “almost all systems are back to normal: payments, inventory, and accounts. Sales volumes have returned to normal levels, and we remain eternally grateful for our customers’ continued confidence.”
Experts note that the breach exposes vulnerabilities in employee access and internal security within the crypto industry. Renowned cybercrime expert and former IPS officer Prof. Triveni Singh said,
“Unauthorized access to company systems and data poses a serious threat to the integrity of financial systems and customer security. Swift and effective response is critical in such cases.”
A Renewed Warning for the Crypto Ecosystem
The incident highlights the critical importance of continuous monitoring and robust security protocols to protect customer data in the crypto sector. Experts suggest that companies must invest in employee training, internal oversight, and regular system audits to mitigate potential risks.
Overall, the Bitrefill cyberattack serves as a warning for crypto platforms and their users. It not only demonstrates the growing sophistication and activity of hacking groups but also underscores the necessity for companies to prioritize security measures, data protection, and rapid incident response.