Cryptocurrency payments and gift card platform Bitrefill has blamed North Korean hacker group Lazarus for a March 1, 2026 cyber attack that compromised parts of its infrastructure and cryptocurrency wallets.
The attackers gained access to production keys, transferred money from hot wallets and exposed 18,500 purchase records containing emails, payment addresses and IP addresses.
Approximately 1,000 entries included encrypted usernames. Affected users were notified. Operations have resumed, and the company has announced that it will cover losses from working capital. The incident underscores the importance of vigilance regarding crypto and on-chain security.
The method, which involved malware, on-chain tracking and reused IP and email addresses, was similar to previous attacks attributed to North Korea’s Lazarus Group, also known as Bluenoroff, the company said in a detailed report on X.
Lazarus Group has previously targeted crypto projects including Ronin Network, Harmony’s Horizon Bridge, WazirX and Atomic Wallet.
How the attack went
It all began with a compromised employee laptop, which exposed legacy credentials and allowed attackers to access Bitrefill’s broader infrastructure, including parts of its database and cryptocurrency wallets.
The breach quickly became apparent when the company noticed unusual purchasing patterns among certain suppliers, signaling that the attackers were exploiting its gift card inventory and supply chains. The firm also noted that the attackers drained some hot wallets and moved money to their own addresses, after which the system was taken offline to limit the damage.
“Bitrefill operates a global e-commerce business with dozens of vendors, thousands of products and multiple payment methods across many countries. It is not trivial to shut all of these things down and bring them back online,” the company said in a statement.
Since the incident, Bitrefill has worked with security researchers, incident response teams, on-chain analysts and law enforcement to investigate the breach.
Customer Data Impact
Bitrefill said there is no evidence that customer data was a primary target. Its logs indicate that attackers ran a limited number of queries targeting cryptocurrency holdings and gift card holdings, rather than extracting the entire database.
The platform stores minimal personal data and does not require mandatory KYC. A small subset of purchase records, approximately 18,500, was accessed, containing information such as email addresses, crypto payment addresses, and metadata including IP addresses. About 1,000 records contained encrypted names for specific products; the company treats this data as potentially compromised and has notified affected customers directly via email.
At this time, Bitrefill does not believe that customers need to take any further action, although caution is advised regarding unexpected communications related to Bitrefill or cryptocurrency.
Steps to strengthen security
In response to the breach, Bitrefill said it has already strengthened its cybersecurity practices and is working to learn from the incident.
The company outlined several actions, including conducting extensive penetration testing with outside experts, tightening internal access controls, improving logging and monitoring for faster threat detection, and refining incident response procedures and automated shutdown protocols.
Looking forward
Bitrefill acknowledged that this was its first major attack in more than a decade of operations, but stressed that it remains well-funded and profitable, able to absorb operating losses. Most systems, including payments, inventory and accounts, are back online and sales volume is returning to normal.
“Being hit by a sophisticated attack sucks (a lot),” the company said. “But we survived. We will continue to do our best to continue to earn the trust of our customers.”



