Crypto e-commerce platform Bitrefill was compromised in a cybersecurity attack on March 1, with tactics pointing to North Korean hacking groups Lazarus or BlueNoroff. The attackers used malware to access an employee’s laptop, draining hot wallet funds and probing 18,500 purchase records. Bitrefill stated it will cover the financial losses and has since restored normal operations while implementing enhanced security measures.
Bitrefill disclosed it fell victim to a cybersecurity attack on March 1. The methods used closely resembled those of the North Korean Lazarus Group, a notorious hacking organization.
The company stated hackers used malware and other techniques to compromise an employee’s laptop. This allowed them to drain funds from company hot wallets and access 18,500 purchase records.
Bitrefill said BlueNoroff Group, another North Korean entity with ties to Lazarus, may have also been involved. The company found no evidence the attackers extracted its entire database.
“There is no evidence that they extracted our entire database, only that the attackers ran a limited number of queries consistent with probing to understand what there was to steal,” Bitrefill said. The motive appeared financial, targeting cryptocurrency and gift card inventory.
Bitrefill did not disclose the specific amount stolen but confirmed it would absorb the losses. The company noted that sales volumes and operations have returned to normal.
Lazarus Group remains a formidable threat and is responsible for the largest crypto hack in history: the theft of $1.4 billion from crypto exchange Bybit in February 2025.
Following the attack, Bitrefill contacted law enforcement and worked with several security firms. The company took systems offline initially to contain the breach.
Bitrefill has since implemented significantly improved cybersecurity practices. These include tightened internal controls and improved monitoring for faster threat detection.
