Cryptocurrency gift card service Bitrefill disclosed details of a March 1 cyberattack it attributes to North Korean hacking groups. The breach began with a compromised employee laptop and led to partial database and wallet access. Approximately 18,500 purchase records were exposed, but the firm stated no full database exfiltration occurred. Most operations are restored, and losses will be covered by the company’s operational capital.
Bitrefill, a platform for spending crypto on gift cards, was targeted in a cyberattack on March 1, 2026. The company stated the incident began with a compromised employee laptop before escalating.
Attackers exfiltrated a legacy credential to access broader infrastructure, including parts of its database and certain cryptocurrency wallets. Bitrefill took all systems offline after detecting suspicious supplier purchasing patterns. Its investigation found indicators similar to prior attacks by North Korean groups Lazarus and Bluenoroff.
Approximately 18,500 purchase records were partially accessed, containing fields like email and crypto payment addresses. For about 1,000 purchases requiring names, encrypted fields are considered potentially accessed because relevant keys may have been obtained.
The company said it directly notified users in that affected subset. Bitrefill initially disclosed a “technical issue” before confirming a security breach. It does not believe most customers need to take specific action but advises caution regarding unexpected communications.
Most company operations have now been restored, including payments and accounts. Bitrefill stated the financial losses from the incident will be absorbed through its operational capital.
North Korean hacking groups have been linked to several major crypto heists in recent years. These include last year’s $1.4 billion Bybit exchange hack and the 2022 $622 million breach of the Ronin network tied to Axie Infinity.
