Cryptocurrency services company Bitrefill disclosed it was targeted in a significant cyberattack on March 1 that resulted in the theft of funds. The company’s investigation found multiple indicators linking the incident to the DPRK-associated Lazarus/Bluenoroff hacker group. Attackers gained access via credentials stolen from an employee’s laptop, then abused gift card supply flows and drained hot wallets. Bitrefill stated customer data was not the primary focus, though approximately 18,500 purchase records were accessed.
The breach at Bitrefill began with a credential taken from an employee’s compromised laptop, which granted access to production secrets. From there the attackers moved laterally across systems, reaching parts of the database and certain cryptocurrency wallets.
The company stated it identified the attack after detecting unusual purchasing patterns indicating misuse of its gift card inventory. Simultaneously, it observed hot wallets being drained, with funds sent to attacker-controlled addresses.
Bitrefill confirmed working with external cybersecurity experts, incident response teams, and law enforcement. It said there is no indication that customer data was the main focus of the intrusion.
Approximately 18,500 purchase records were accessed, containing email addresses and cryptocurrency payment addresses. For about 1,000 cases where customers provided names, the encrypted data is being treated as potentially exposed.
The company said similarities in the attackers’ methods, malware, and on-chain patterns are consistent with previous Lazarus operations. The group is regarded as a persistent adversary of the cryptocurrency sector and is held responsible for other major breaches.
Bitrefill has since strengthened its security measures, including tighter access controls and improved monitoring. It stated financial losses will be covered from operational capital, with most services now restored.
