Bitrefill said it was hit by a March 1 cyberattack linked to North Korean hacking groups, resulting in drained company funds and limited user data exposure.
Bitrefill Addresses Attack Linked to North Korea, Confirms Limited Data Exposure
WRITTEN BY
SHARE
Bitrefill Says Security Breach Was Likely Connected to Lazarus Group
The crypto payments and gift card platform disclosed the incident in a detailed report, citing similarities to past operations attributed to the DPRK’s Lazarus and Bluenoroff groups based on malware, infrastructure reuse and onchain tracing.
According to Bitrefill’s statement on Tuesday, the breach began with a compromised employee laptop, allowing attackers to extract a legacy credential tied to production systems. That access enabled escalation into broader infrastructure, including parts of the company’s database and certain cryptocurrency hot wallets.
The company said it detected the intrusion after identifying suspicious purchasing patterns and irregularities in supplier activity. Investigators later confirmed that attackers exploited gift card inventory systems while simultaneously draining funds from hot wallets to addresses under their control.
Bitrefill took its systems offline immediately after confirming the breach, calling the shutdown a necessary step to contain the attack across its global e-commerce operations spanning multiple suppliers, payment rails, and regions.
The firm said approximately 18,500 purchase records were accessed, including limited user data such as email addresses, crypto payment addresses and IP metadata. Around 1,000 records that included customer names—encrypted in the database—are being treated as potentially exposed due to possible access to encryption keys, with affected users notified.
Bitrefill emphasized that it stores minimal personal data and does not require mandatory know-your-customer verification, noting that any identity data is handled by external providers rather than stored internally. The company added there is no evidence its full database was exfiltrated.
The company said it is working with cybersecurity firms, onchain analysts and law enforcement while strengthening internal controls, expanding monitoring systems and conducting additional security audits. Bitrefill said operations have largely returned to normal and that losses will be covered using operational capital.
FAQ 🔎
- What happened in the Bitrefill hack?
Bitrefill suffered a March 1 cyberattack that led to drained funds and limited access to customer purchase records. - Was customer data stolen?
About 18,500 records were accessed, including emails and crypto addresses, but no full database exfiltration was confirmed. - Who is suspected behind the attack?
Bitrefill said indicators suggest links to North Korea’s Lazarus or Bluenoroff hacking groups. - What should users do now?
The company advises staying alert for suspicious messages but says no immediate action is required at this time.
