Bitrefill, a prominent crypto e-commerce platform, has disclosed a significant cyberattack that began on March 1, raising concerns about state-sponsored threats in the digital asset space.
The attack, which Bitrefill attributes to the North Korean-linked Lazarus Group, resulted in the theft of an undisclosed amount of funds and the exposure of customer data. The breach originated from a compromised employee laptop, from which the attackers expanded their access across Bitrefill’s infrastructure, including its internal database and cryptocurrency hot wallets.
According to Bitrefill’s incident report, the attackers used legacy credentials to gain unauthorized access to production systems. They then drained funds from hot wallets and abused the gift card inventory systems to place suspicious purchases with vendors. The company did not specify the total financial impact but stated it will absorb the losses using operational capital.
Immediate Response and Recovery
The intrusion was first detected through irregular purchasing patterns and anomalies in supplier activity. In response, Bitrefill temporarily took its systems offline to contain the breach across its global operations. Services, including payments and account access, have since returned to normal levels.
Customer Data Exposure
As part of the attack, approximately 18,500 purchase records were accessed. The exposed data includes email addresses, cryptocurrency payment addresses, and metadata such as IP addresses. Around 1,000 of those records contained encrypted customer names, which are being treated as potentially exposed because the attackers may have had access to the encryption keys.
Despite the breach, Bitrefill emphasized that it stores minimal personal data and does not require know-your-customer (KYC) verification for most transactions. Any KYC-related information is handled by external providers and is not stored within Bitrefill’s systems. The firm added that there is no evidence its full database was exfiltrated or that customer data was the primary target.
Links to the Lazarus Group
Bitrefill cited several indicators linking the attack to the Lazarus Group, including similarities in malware, reused infrastructure such as IP addresses and email accounts, and on-chain transaction patterns. The Lazarus Group, often associated with North Korea, has been tied to some of the largest crypto thefts in recent years through its specialized subgroup, Bluenoroff.
Cybersecurity firms including zeroShadow, SEAL911, and RecoverisTeam assisted in the response and investigation, alongside on-chain analysts and law enforcement. The company said it is implementing additional security measures, including expanded monitoring systems and internal controls, to prevent similar incidents.
Broader Implications
The attack highlights ongoing concerns around state-sponsored cyber threats in the digital asset sector. According to blockchain analytics firm Chainalysis, groups linked to North Korea were responsible for more than $2 billion in crypto thefts in 2025, accounting for a significant share of total illicit activity in the space.
Bitrefill said operations have stabilized following the incident and expressed confidence in its recovery, noting that customer activity and sales volumes have returned to typical levels. This incident underscores the need for heightened security measures and continued vigilance in the rapidly evolving cryptocurrency landscape.
