Crypto gift card and e-commerce platform Bitrefill has published a detailed post-mortem disclosing a cyberattack that began on March 1, 2026, exposing approximately 18,500 purchase records and draining several company hot wallets.
In X post from its official account, the company attributed the attack to the Lazarus Group, a state-sponsored hacking collective linked to North Korea, or its financial crime subgroup Bluenoroff.
What Was Exposed
The compromised records contained a limited range of customer data including email addresses, cryptocurrency payment addresses, and metadata such as IP addresses. Around 1,000 of the affected records also included customer names. While that data was stored in encrypted form, Bitrefill is treating it as potentially compromised on the basis that the attackers may have obtained access to the relevant encryption keys during the intrusion.
March 1st incident report
On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation – including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) – we find many similarities…
— Bitrefill (@bitrefill) March 17, 2026
Bitrefill was explicit that no mandatory KYC data was taken. The company does not store that information on its internal systems, instead managing it through an external provider that was not affected by the breach. For the majority of affected users, the exposure is limited to transactional metadata rather than identity documents or financial verification records.
How the Attack Unfolded
The intrusion began with a compromised employee laptop. From that initial access point, the attackers extracted what Bitrefill described as a legacy credential, an older set of access keys that had not been fully decommissioned. Using those credentials, the attackers accessed a system snapshot containing production secrets, which gave them the foothold needed to move through Bitrefill’s broader infrastructure and reach its database systems.
Once inside, the attackers drained several company hot wallets and placed suspicious orders through Bitrefill’s gift card suppliers, suggesting a deliberate attempt to convert stolen access into liquid value through the platform’s own supply chain.
Bitrefill linked the attack to Lazarus Group based on specific indicators of compromise identified during the forensic investigation. These included the malware used in the intrusion, the reuse of IP addresses and email addresses previously associated with North Korean hacking operations, and on-chain tracing of the stolen funds to wallets connected to prior Lazarus activity.
Response and Recovery
Bitrefill took its systems offline shortly after detecting the breach and kept them down for over two weeks while it contained the threat and assessed the full scope of the damage. The company confirmed on March 17 that almost all services, including payments, user accounts, and product stock, had been restored to normal operation.
The company stated it will fully absorb all financial losses from its own operational capital. User balances were not affected by the breach and remain intact.
Bitrefill is currently working with cybersecurity firms zeroShadow and SEAL911 to implement tighter internal access controls and enhanced monitoring across its infrastructure. The company identified the legacy credential and the unrotated system snapshot as the two critical failure points that allowed the attack to escalate from a single compromised device to full infrastructure access.
Broader Context
The Lazarus Group has been one of the most active and destructive threat actors in the crypto space for several years. The group has been linked to billions of dollars in stolen cryptocurrency across dozens of incidents, with proceeds reportedly used to fund North Korea’s weapons programs. Targeting a mid-sized crypto commerce platform rather than a major exchange reflects a broader pattern in which the group pursues a high volume of smaller targets alongside its more prominent attacks.
For Bitrefill users, the immediate risk from this specific breach is relatively contained given the absence of KYC data. The more significant takeaway is how a single unmanaged credential on a compromised laptop was sufficient to give sophisticated state-level attackers a path through an entire company’s infrastructure.
