Bitrefill Attributes Cyberattack to North Korea-Linked Lazarus Group, Affecting 18,500 Purchase Records


Bitrefill will cover the losses from operational capital.

Mar 18, 2026, 7:17 a.m.

Cryptocurrency payments and gift card platform Bitrefill has blamed the North Korea-linked hacking group Lazarus for a cyberattack on March 1, 2026, that compromised parts of its infrastructure and cryptocurrency wallets.

The attackers gained access to production keys, transferred funds from hot wallets, and exposed 18,500 purchase records containing emails, payment addresses, and IP addresses.

Approximately 1,000 of those records also included encrypted customer names attached to specific products. Affected users have been notified. Operations have resumed, and the company says it will cover the losses from operational capital. The incident is a reminder that a single compromised endpoint can become a path to production keys and hot wallets.

The attribution rests on the malware used, on-chain tracing of the stolen funds, and IP and email addresses reused from earlier intrusions attributed to North Korea's Lazarus Group, whose financially focused subgroup is tracked as Bluenoroff, according to a detailed report Bitrefill shared on X.

The Lazarus Group has previously targeted crypto projects such as Ronin Network, Harmony’s Horizon Bridge, WazirX, and Atomic Wallet.

How the Attack Unfolded

The breach began with a compromised employee laptop, which exposed legacy credentials and allowed attackers to access Bitrefill’s broader infrastructure, including parts of its database and cryptocurrency wallets.

The breach became evident when the company noticed unusual purchasing patterns among certain suppliers, indicating the attackers were using their access to draw down its gift card inventory through its supply chain. The attackers also drained some hot wallets and transferred the funds to addresses they controlled. In response, Bitrefill took its systems offline to contain the damage.
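The signal that surfaced this breach, a sudden spike in orders placed with a supplier, is something a monitoring pipeline can catch before a human notices it. The following is an added example, not Bitrefill's own detection code: it builds a per-supplier hourly baseline from an order log, flags the hour whose volume is far outside that baseline, and decides which suppliers to suspend. The log format (timestamp, supplier, order id, face value) and the sample data are constructed for the example, and the thresholds (`z`, `min_orders`, `halt_ratio`) are assumed starting points rather than values from the report.

```python
"""Per-supplier purchase-burst detection with a circuit-breaker decision.

Illustrative code, not Bitrefill's own. Assumes one order per log line in the
constructed format "<ISO time> <supplier> <order id> <USD value>".
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_log() -> list[str]:
    """Constructed sample: 12 hours of steady traffic for two suppliers, then a
    13th hour in which supplierA suddenly receives 60 high-value orders."""
    lines: list[str] = []
    t0 = datetime(2026, 3, 1, 0, 0)
    normal = {
        "supplierA": [4, 5, 3, 6, 4, 5, 4, 3, 5, 4, 6, 4],
        "supplierB": [8, 7, 9, 8, 7, 8, 9, 8, 7, 8, 8, 9],
    }
    for hour in range(12):
        for supplier, counts in normal.items():
            for i in range(counts[hour]):
                ts = t0 + timedelta(hours=hour, minutes=i * 5)
                lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {supplier} o{hour}-{i} 50")
    burst = t0 + timedelta(hours=12)
    for i in range(60):  # the anomalous hour for supplierA
        ts = burst + timedelta(seconds=i * 40)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} supplierA oX-{i} 500")
    for i in range(8):  # supplierB stays at its usual rate
        ts = burst + timedelta(minutes=i * 7)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} supplierB oY-{i} 50")
    return lines


def parse_line(line: str) -> tuple[datetime, str, float]:
    """Split one log line into (timestamp, supplier, face value)."""
    ts, supplier, _order_id, value = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), supplier, float(value)


def hourly_buckets(lines: list[str]) -> dict[str, dict[datetime, list[float]]]:
    """Aggregate orders into {supplier: {hour: [order_count, total_value]}}."""
    buckets: dict[str, dict[datetime, list[float]]] = defaultdict(
        lambda: defaultdict(lambda: [0, 0.0])
    )
    for line in lines:
        ts, supplier, value = parse_line(line)
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[supplier][hour][0] += 1
        buckets[supplier][hour][1] += value
    return buckets


def detect_bursts(buckets, z: float = 3.0, min_orders: int = 20,
                  min_baseline_hours: int = 6) -> list[dict]:
    """Flag suppliers whose most recent hour is more than `z` standard
    deviations above the mean of all earlier hours. A floor of 1.0 on the
    standard deviation keeps a perfectly flat baseline from alerting on any
    change at all, and `min_orders` suppresses alerts on tiny absolute counts."""
    alerts = []
    for supplier, hours in buckets.items():
        ordered = sorted(hours)
        if len(ordered) <= min_baseline_hours:
            continue  # not enough history to trust a baseline
        *history, latest = ordered
        counts = [hours[h][0] for h in history]
        mean = statistics.fmean(counts)
        stdev = statistics.pstdev(counts)
        threshold = mean + z * max(stdev, 1.0)
        cur_count, cur_value = hours[latest]
        if cur_count >= min_orders and cur_count > threshold:
            alerts.append({
                "supplier": supplier,
                "hour": latest,
                "orders": cur_count,
                "value_usd": cur_value,
                "baseline_mean": mean,
                "ratio": cur_count / mean if mean else float("inf"),
            })
    return alerts


def suppliers_to_halt(alerts: list[dict], halt_ratio: float = 5.0) -> list[str]:
    """Circuit breaker: suspend ordering from any supplier whose current-hour
    volume is at least `halt_ratio` times its baseline mean."""
    return sorted(a["supplier"] for a in alerts if a["ratio"] >= halt_ratio)


if __name__ == "__main__":
    found = detect_bursts(hourly_buckets(make_sample_log()))
    for a in found:
        print(f"{a['supplier']}: {a['orders']} orders (${a['value_usd']:.0f}) "
              f"vs baseline {a['baseline_mean']:.1f}/h, ratio {a['ratio']:.1f}x")
    print("halt:", suppliers_to_halt(found))
```

The baseline here is only as honest as the hours that feed it; if an attacker has been buying at a low rate for days before the burst, the mean is already inflated, so in practice the history window should be pinned to a period known to be clean, and the same check should run on order value and on per-product counts, not only on order count.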

“Bitrefill operates a global e-commerce business with dozens of suppliers, thousands of products, and multiple payment methods across many countries. Safely switching all these systems off and bringing them back online is not trivial,” the company stated.

Since the incident, Bitrefill has been collaborating with security researchers, incident response teams, on-chain analysts, and law enforcement to investigate the breach.

Customer Data Impact

Hackers accessed a limited set of approximately 18,500 purchase records containing email addresses, crypto payment addresses, and metadata such as IP addresses.

Bitrefill emphasized there is no evidence that customer data was the primary target. Logs indicate attackers ran a limited number of queries focused on cryptocurrency holdings and gift card inventory rather than extracting the entire database.

The platform stores minimal personal data and does not require mandatory KYC. About 1,000 records contained encrypted names for specific products; the company is treating this data as potentially compromised and has directly notified affected customers via email.

Currently, Bitrefill does not believe customers need to take additional action but advises caution regarding unexpected communications related to Bitrefill or cryptocurrency.

Steps to Strengthen Security

In response to the breach, Bitrefill has already enhanced its cybersecurity measures and is learning from the incident.

Measures include conducting comprehensive penetration tests with external experts, tightening internal access controls, improving logging and monitoring for faster threat detection, and refining incident response procedures and automated shutdown protocols.

Looking Forward

Bitrefill acknowledged this as its first major attack in over a decade of operation but stressed that it remains well-funded and profitable, able to absorb operational losses. Most systems, including payments, stock, and accounts, are back online, with sales volumes returning to normal.

“Getting hit by a sophisticated attack sucks (a lot),” the company said. “But we survived. We will continue to do our best to deserve our customers’ trust.”
