North Korea-Linked Hackers Suspected in Bitrefill Breach That Emptied Wallets

Bitrefill has revealed that a cyberattack earlier this month led to the theft of cryptocurrency funds, with evidence pointing to tactics commonly associated with North Korea-linked hacking groups.

The company said the attack, which occurred on March 1, showed multiple signs connected to the Lazarus Group, also known as Bluenoroff. These indicators include similarities in malware, operational methods, blockchain tracking patterns, and the reuse of certain IP and email addresses.

Details of the Bitrefill breach

According to Bitrefill, the incident began when an employee’s laptop was compromised, allowing attackers to extract an old login credential. This credential provided access to sensitive system data, which was then used to expand control across internal systems, including parts of the database and several cryptocurrency wallets.

The breach was first detected after unusual purchasing behavior involving suppliers raised concerns about misuse of gift card inventory and supply flows. At the same time, the company noticed funds being drained from hot wallets and sent to addresses controlled by the attackers. Once the issue was confirmed, Bitrefill shut down its systems to contain the attack.
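The drain was noticed, as Bitrefill describes it, when funds started leaving hot wallets for attacker-controlled addresses. As an added illustration (not Bitrefill's code, data or detection logic), the following Python script shows one way such a signal can be surfaced: it buckets wallet outflows into fixed time windows, compares each window against the wallet's own trailing baseline, and lists destinations the wallet has never paid before. The wallet names, destinations, amounts, thresholds and log rows are all constructed for this example.

```python
"""Flag abnormal hot-wallet outflows against each wallet's own trailing baseline.

Added example; the log rows, wallet names and thresholds below are constructed
and are not Bitrefill data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outflow log: (ISO timestamp, wallet, destination, amount).
# hot-btc-1 pays out small amounts hourly, then sends two large transfers
# to a never-seen destination inside a single hour.
SAMPLE_OUTFLOWS = [
    ("2026-03-01T00:05:00", "hot-btc-1", "payout-a", 0.04),
    ("2026-03-01T01:20:00", "hot-btc-1", "payout-b", 0.06),
    ("2026-03-01T02:30:00", "hot-btc-1", "payout-c", 0.05),
    ("2026-03-01T03:15:00", "hot-btc-1", "payout-d", 0.05),
    ("2026-03-01T04:05:00", "hot-btc-1", "payout-e", 0.04),
    ("2026-03-01T05:02:00", "hot-btc-1", "unknown-x", 2.10),
    ("2026-03-01T05:04:00", "hot-btc-1", "unknown-x", 1.90),
    ("2026-03-01T00:30:00", "hot-eth-1", "payout-f", 0.50),
    ("2026-03-01T03:30:00", "hot-eth-1", "payout-g", 0.60),
]


def parse_outflows(rows):
    """Turn raw rows into dicts sorted by time (the shape a log parser would emit)."""
    events = [
        {"ts": datetime.fromisoformat(ts), "wallet": wallet, "dest": dest, "amount": float(amount)}
        for ts, wallet, dest, amount in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


def flag_drains(events, window=timedelta(hours=1), multiplier=5.0, min_history=3):
    """Return one alert per (wallet, window) whose outflow exceeds
    multiplier x the mean of that wallet's earlier active windows.

    Only windows with at least one transfer count toward the baseline, and a
    wallet needs min_history such windows before it can raise an alert, so a
    brand-new wallet does not alert on its first payouts.
    """
    first = min(e["ts"] for e in events)
    # Align the bucket origin to a window boundary so hourly windows start on the hour.
    origin = first - ((first - datetime.min) % window)

    totals = defaultdict(lambda: defaultdict(float))   # wallet -> bucket -> outflow
    dests = defaultdict(lambda: defaultdict(set))      # wallet -> bucket -> destinations
    for e in events:
        bucket = (e["ts"] - origin) // window
        totals[e["wallet"]][bucket] += e["amount"]
        dests[e["wallet"]][bucket].add(e["dest"])

    alerts = []
    for wallet, per_bucket in totals.items():
        history = []
        seen_dests = set()
        for bucket in sorted(per_bucket):
            total = per_bucket[bucket]
            new_dests = dests[wallet][bucket] - seen_dests
            if len(history) >= min_history:
                baseline = sum(history) / len(history)
                if total > multiplier * baseline:
                    alerts.append({
                        "wallet": wallet,
                        "window_start": origin + bucket * window,
                        "outflow": round(total, 8),
                        "baseline": round(baseline, 8),
                        "new_destinations": sorted(new_dests),
                    })
            history.append(total)
            seen_dests |= dests[wallet][bucket]
    return alerts


if __name__ == "__main__":
    for alert in flag_drains(parse_outflows(SAMPLE_OUTFLOWS)):
        print(f"{alert['wallet']} @ {alert['window_start']:%Y-%m-%d %H:%M}: "
              f"out {alert['outflow']} vs baseline {alert['baseline']}; "
              f"first-seen destinations {alert['new_destinations']}")
```

On the constructed log this flags only hot-btc-1 in the 05:00 window, where 4.0 leaves against a baseline of roughly 0.05 per hour, and names `unknown-x` as a first-seen destination. In practice the multiplier and history depth are tuned per wallet, and the first-seen-destination indicator is the more actionable of the two, since a drain to a fresh address is exactly what an attacker with stolen credentials produces; a velocity alert on its own can also fire on a legitimate busy period.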

The firm has since been working with cybersecurity specialists, incident response teams, blockchain analysts, and law enforcement agencies to investigate the breach.

Customer data and response measures

Bitrefill stated that customer data was not the primary target. Internal logs showed only limited database queries, suggesting the attackers were probing for valuable assets such as cryptocurrency holdings and gift card inventory.

The platform stores minimal personal information and does not require mandatory identity verification, with any such data handled by a third-party provider. However, around 18,500 purchase records were accessed, including email addresses, crypto payment addresses, and technical metadata like IP addresses.

In about 1,000 cases where customer names were provided for certain purchases, the data was encrypted. Still, the company is treating it as potentially exposed due to the possibility that encryption keys were accessed. Affected users have already been notified.

Bitrefill said it does not believe customers need to take immediate action but advised staying alert for suspicious messages related to the platform or cryptocurrency activity.

The company has since strengthened its defenses by improving access controls, enhancing monitoring systems, conducting additional security audits and penetration testing, and refining its incident response processes. It also confirmed that financial losses will be covered using its operational funds, while most services have now been restored.

Ongoing threat from Lazarus Group

Despite improved security across the crypto industry, sophisticated attackers continue to find ways to exploit vulnerabilities. The Lazarus Group remains one of the most active and dangerous threats, having carried out some of the largest crypto-related attacks in recent years, including a major theft from Bybit in February 2025.

Blockchain investigator ZachXBT previously noted that hacks involving platforms like Bybit, DMM Bitcoin, and WazirX have seen stolen funds moved and laundered with relative ease, suggesting that enforcement efforts are struggling to keep pace with these operations.