A recent cyberattack on Bitrefill, a platform that lets users buy gift cards with cryptocurrency, has been attributed to North Korea's Lazarus Group. Bitrefill names the cluster as Lazarus / Bluenoroff; Bluenoroff, also tracked as APT38, is the financially focused subgroup of Lazarus. The breach, which occurred on March 1, 2026, compromised parts of Bitrefill's infrastructure, drained some cryptocurrency wallets, and exposed approximately 18,500 customer purchase records. The incident illustrates the continuing threat that state-sponsored actors pose to the cryptocurrency industry and the need for robust security controls.
Bitrefill, which sells gift cards for a wide range of retailers in 150 countries, first reported technical issues affecting its website and app on March 1. The company subsequently disclosed a security incident and took its services offline on March 2 to investigate. User balances were unaffected, but restoring full service has been gradual. The company supports over 600 mobile operators and thousands of brands worldwide, which makes its wallets and gift card inventory an attractive target.
The investigation traced the attack to a compromised employee laptop that still held legacy credentials. Those credentials were still valid and gave the attackers access to production keys, which in turn let them obtain gift card inventory through Bitrefill's supply chain and transfer funds out before the company could fully shut its systems down. According to Bitrefill's statement, the tactics, the malware, and the reused IP addresses and email addresses observed during the investigation closely match previous attacks by the Lazarus Group.
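The root cause above is a credential that should have died with its owner's role but still opened production. The page does not say how Bitrefill inventories its keys, so the following is an added example, not Bitrefill's code: a small audit that joins a credential inventory against access logs and flags the patterns a stale key shows right before it is abused (inactive owner, no rotation, a new source address, long dormancy followed by a sensitive action). The inventory, the log lines, the key identifiers, the IP addresses and the policy thresholds are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy thresholds; these values are assumptions for the example, not Bitrefill's policy.
MAX_KEY_AGE_DAYS = 90     # a production key older than this counts as legacy
DORMANT_DAYS = 30         # a key idle this long that suddenly does something sensitive is suspect
SENSITIVE = {"wallet:withdraw", "giftcard:order"}
NOW = datetime(2026, 3, 1, 12, 0)   # frozen clock so the run is deterministic


@dataclass
class ApiKey:
    key_id: str
    owner: str
    owner_active: bool      # False once the person has left or changed role
    issued: datetime        # last issue or rotation date
    scopes: set
    known_ips: set = field(default_factory=set)   # sources this key has historically used


# Constructed inventory: identifiers, owners and IPs are invented for illustration.
INVENTORY = [
    ApiKey("key_ops_2023", "alice", False, datetime(2023, 6, 1),
           {"wallet:withdraw", "giftcard:order"}, {"203.0.113.10"}),
    ApiKey("key_ci_2026", "ci-bot", True, datetime(2026, 1, 15),
           {"catalog:read"}, {"198.51.100.7"}),
]

# Constructed audit-log lines in the form "<ISO time> <key_id> <src_ip> <action>".
LOG = """\
2026-01-20T09:00:00 key_ci_2026 198.51.100.7 catalog:read
2026-01-21T09:00:00 key_ci_2026 198.51.100.7 catalog:read
2026-03-01T03:14:00 key_ops_2023 192.0.2.44 wallet:withdraw
2026-03-01T03:15:30 key_ops_2023 192.0.2.44 giftcard:order
"""


def parse_log(text):
    """Parse the four-column log format above into (ts, key_id, ip, action) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, key_id, ip, action = line.split()
            events.append((datetime.fromisoformat(ts), key_id, ip, action))
    return events


def _note(findings, key_id, reason):
    """Record a reason once per key."""
    reasons = findings.setdefault(key_id, [])
    if reason not in reasons:
        reasons.append(reason)


def audit(inventory, events, now=NOW):
    """Return {key_id: [reasons]} for every key that should be revoked or investigated."""
    findings = {}
    by_id = {k.key_id: k for k in inventory}

    # Static checks against the inventory: ownership and age.
    for key in inventory:
        if not key.owner_active:
            _note(findings, key.key_id, "owner no longer active")
        age = (now - key.issued).days
        if age > MAX_KEY_AGE_DAYS:
            _note(findings, key.key_id, f"not rotated in {age} days")

    # Behavioural checks against the log: new source, and dormancy followed by a sensitive action.
    last_seen = {}
    for ts, key_id, ip, action in sorted(events):
        key = by_id.get(key_id)
        if key is None:
            _note(findings, key_id, "key not in inventory")
            continue
        if ip not in key.known_ips:
            _note(findings, key_id, f"used from new source {ip}")
        idle = (ts - last_seen.get(key_id, key.issued)).days
        if idle > DORMANT_DAYS and action in SENSITIVE:
            _note(findings, key_id, f"dormant {idle} days then {action}")
        last_seen[key_id] = ts
    return findings


if __name__ == "__main__":
    for key_id, reasons in audit(INVENTORY, parse_log(LOG)).items():
        print(key_id, "->", "; ".join(reasons))
```

Run on the constructed data, the departed employee's 2023 key is flagged four times over (inactive owner, never rotated, new source address, years of dormancy ending in a withdrawal) while the current CI key is clean. The static checks alone would have justified revoking the old key before any attacker used it; the behavioural checks are what an alert should fire on if it is still live.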
“Based on indicators observed during the investigation – including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) – we find many similarities between this attack and past cyberattacks by the DPRK Lazarus / Bluenoroff group against other companies in the crypto industries,” Bitrefill stated.
What Was Compromised?
The breach exposed approximately 18,500 customer purchase records containing email addresses, IP addresses, and cryptocurrency payment addresses; for roughly 1,000 of those purchases, customer names were exposed as well. The data was stored in encrypted form, but Bitrefill acknowledged that the attackers may have obtained the decryption keys, which is the usual limit of encryption at rest: an attacker who already holds production keys can decrypt whatever those keys protect. The company has notified affected users and is working to mitigate the resulting risk.
Bitrefill believes the attackers' primary goal was theft of cryptocurrency and gift card inventory rather than customer data. The exposed records still matter: an email address paired with a payment address and an IP address is enough to craft convincing, purchase-specific phishing and to link a person to their on-chain activity, so affected users are advised to treat unexpected messages that reference their Bitrefill purchases with suspicion.
The Lazarus Group and Its History
The Lazarus Group is a North Korean state-sponsored operation; Bluenoroff, also tracked as APT38, is its financially focused subgroup and has been active since at least 2014. BleepingComputer reports that the group typically targets financial organizations, with an increasing focus on the cryptocurrency industry. Its objective is primarily crypto theft, and Lazarus has been linked to several high-profile attacks, including those on the Ronin Network, Harmony's Horizon Bridge, WazirX, and Atomic Wallet.
Bitrefill’s Response and Future Security Measures
Bitrefill has stated that this was the most serious cyberattack in its ten years of operation. The company is covering the financial losses from operational capital and has emphasized that user balances were not affected. Bitrefill is actively enhancing its security protocols, including expanding security reviews and penetration testing, tightening access controls, improving logging and monitoring, and refining automated shutdown mechanisms.
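Bitrefill lists "refining automated shutdown mechanisms" among its fixes but does not describe how they work, and the earlier account shows why they matter: funds left before systems could be shut down by hand. The following is an added example, not Bitrefill's code, of one common design for such a mechanism: a sliding-window circuit breaker in front of withdrawals that refuses a request when it would push the rolling outflow over a cap, trips, and stays tripped until an operator re-arms it. The window, the caps, the currency and the traffic scenario are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Policy values; assumptions for this example, not Bitrefill's real limits.
WINDOW = timedelta(minutes=10)
MAX_VALUE_PER_WINDOW = 50_000.0   # rolling outflow cap, in a reference currency
MAX_COUNT_PER_WINDOW = 20         # rolling cap on the number of withdrawals


class OutflowBreaker:
    """Sliding-window circuit breaker in front of wallet withdrawals.

    Approved withdrawals are remembered for WINDOW. A request that would push
    the rolling value or count over its cap is refused and trips the breaker;
    after that every request is refused until a human calls reset().
    """

    def __init__(self, window=WINDOW, max_value=MAX_VALUE_PER_WINDOW,
                 max_count=MAX_COUNT_PER_WINDOW):
        self.window = window
        self.max_value = max_value
        self.max_count = max_count
        self.recent = deque()      # (ts, amount) of approvals inside the window
        self.tripped_at = None

    def _prune(self, now):
        # Drop approvals that have aged out of the window.
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()

    def allow(self, ts, amount):
        """Return True if the withdrawal may proceed, False if refused."""
        if self.tripped_at is not None:
            return False
        self._prune(ts)
        value = sum(a for _, a in self.recent) + amount
        if value > self.max_value or len(self.recent) + 1 > self.max_count:
            self.tripped_at = ts
            return False
        self.recent.append((ts, amount))
        return True

    def reset(self):
        """Manual re-arm after an operator has reviewed the trip."""
        self.tripped_at = None
        self.recent.clear()


def replay(events, breaker=None):
    """Feed (ts, amount) pairs through a breaker; return (paid_out, refused, tripped_at)."""
    breaker = breaker or OutflowBreaker()
    paid = refused = 0.0
    for ts, amount in events:
        if breaker.allow(ts, amount):
            paid += amount
        else:
            refused += amount
    return paid, refused, breaker.tripped_at


# Constructed scenario: half an hour of ordinary traffic, then a burst that
# tries to move 108,000 in about a minute through the same approval path.
T0 = datetime(2026, 3, 1, 2, 0)
NORMAL = [(T0 + timedelta(minutes=3 * i), 800.0) for i in range(10)]
DRAIN = [(T0 + timedelta(minutes=40, seconds=5 * i), 9_000.0) for i in range(12)]

if __name__ == "__main__":
    paid, refused, tripped = replay(NORMAL + DRAIN)
    print(f"paid out {paid:,.0f}, refused {refused:,.0f}, tripped at {tripped}")
```

In the constructed run the ordinary traffic never trips anything, while the burst gets five withdrawals through (45,000) before the sixth trips the breaker 25 seconds in, and the remaining 63,000 is refused. The design caps loss at roughly one window's worth of outflow and requires a human to re-arm, which is the point of an automated shutdown; its known gap is a slow drain that stays under the cap, so it belongs alongside per-key anomaly alerting rather than in place of it.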
As of March 19, 2026, most of Bitrefill’s services have been restored to normal operational status. The company advises customers to remain vigilant regarding potential phishing attempts or suspicious communications.
The concrete lesson is narrower than a general call for more investment: one forgotten credential on one endpoint reached production keys, so an inventory of every credential that can touch production, routine revocation of stale ones, and a short path from first anomaly to shutdown are the controls this incident points to. Sophisticated groups keep targeting the cryptocurrency ecosystem, and continuous investment in security and proactive threat detection remain necessary.
The company will continue to provide updates on its security enhancements and incident response efforts. Customers can find the latest information on Bitrefill’s official X account.
