The post Bitrefill Cyberattack Linked to North Korea’s Lazarus Group, Exposes 18,500 Customer Records appeared on BitcoinEthereumNews.com.

Bitrefill Cyberattack Linked to North Korea’s Lazarus Group, Exposes 18,500 Customer Records

2026/03/18 15:39

TLDR:

  • Bitrefill’s March 2026 breach was linked to North Korea’s Lazarus Group based on malware and IP patterns.
  • Attackers used a stolen legacy credential from an employee laptop to access production infrastructure. 
  • Around 18,500 purchase records were accessed, exposing emails, crypto addresses, and IP metadata.
  • Bitrefill confirmed it remains financially stable, absorbing all losses through its operational capital.

Bitrefill, a global crypto payments platform, disclosed a cyberattack that took place on March 1, 2026. The attack is suspected to involve North Korea’s Lazarus Group, also known as Bluenoroff.

Approximately 18,500 purchase records were accessed, containing email addresses, crypto payment addresses, and IP metadata.

The company went public with the incident after a detailed investigation involving external security experts and law enforcement agencies.

How the Bitrefill Attack Was Carried Out

The breach started on a compromised employee laptop within the company’s network. Attackers extracted a legacy credential from that device without triggering immediate alerts. That credential gave them access to a snapshot holding production secrets.

Using those secrets, the attackers escalated access into Bitrefill’s broader infrastructure. They reached parts of the company’s database and specific cryptocurrency hot wallets. Funds were then moved to attacker-controlled wallets.

The platform detected the breach after noticing suspicious purchasing patterns with certain suppliers. The team found that gift card stock and supply lines were being exploited simultaneously. Several hot wallets were also being drained in real time.

On March 1, Bitrefill’s official account posted a full incident report on social media. The company confirmed taking all systems offline as soon as the breach was detected. Restoring services across dozens of suppliers and payment methods required careful coordination.

Security investigators found strong similarities between this attack and prior DPRK Lazarus Group operations. The malware deployed, on-chain tracing, and reused IP addresses all matched known patterns. The team collaborated with ZeroShadow, SEAL_Org, Recoveris, and other incident response specialists throughout the process.

What Happened to Customer Data and What Bitrefill Is Doing

Customer data was not the primary target in the Bitrefill breach. Logs showed the attackers ran only a limited number of queries during the intrusion. Those queries were focused on probing cryptocurrency and gift card inventory, not personal records.

Around 18,500 purchase records were accessed during the attack. Those records included email addresses, crypto payment addresses, and IP metadata. For roughly 1,000 purchases, names stored in encrypted form may also have been accessed.

Since the attackers potentially obtained the encryption keys, the company treated that name data as compromised. Bitrefill directly notified all affected customers by email. No specific action is currently required from the broader customer base.

As a precaution, Bitrefill advised customers to stay alert to unexpected communications related to the platform. The company stated it will notify affected users if the risk assessment changes. Transparency remained a central part of its public response throughout the ordeal.

The company confirmed it remains financially stable and has been profitable for several years. All losses were covered using operational capital, with no disruption to ongoing services. Sales volumes and payment processing have since returned to normal.

The post Bitrefill Cyberattack Linked to North Korea’s Lazarus Group, Exposes 18,500 Customer Records appeared first on Blockonomi.

Source: https://blockonomi.com/bitrefill-cyberattack-linked-to-north-koreas-lazarus-group-exposes-18500-customer-records/
