Bitrefill reports Lazarus-style attack drained company funds and exposed some user data

Bitrefill, an established crypto-to-gift-card platform, suffered a sophisticated cyberattack earlier this month that wiped out the company’s funds and exposed some customer data.
The team disclosed the incident in a post on X on Tuesday, saying it closely resembles activity linked to the Lazarus Group, a notorious North Korean cybercrime group believed to be responsible for billions of dollars in crypto theft.
According to Bitrefill, the breach occurred on March 1, when attackers gained access to an employee’s device and issued a legacy access certificate.
From there, they used that foothold to siphon production secrets and penetrate Bitrefill’s infrastructure, gaining access to parts of its data and some crypto wallets.
Bitrefill first became aware of the intrusion after seeing unusual purchasing activity involving its suppliers.
The company discovered that its gift card inventory and supplier pipelines were being abused alongside its wallet pipelines. After identifying the breach, Bitrefill took all systems offline as part of its containment protocol.
“Being hit by a sophisticated attack worries me (very much). We have been working for more than 10 years, and this is the first time that we have been seriously attacked. But we survived,” the company said in its incident report.
Scope of the data exposure
The breach affected 18,500 purchase records, including customer email addresses, crypto payment addresses, and metadata such as IP addresses.
About 1,000 transactions involved products that required customer names. While that information is encrypted, it may have been exposed if attackers had access to the encryption keys. Bitrefill said it has notified affected customers.
The company said customer-held gift cards, store credits, and account balances were not affected. It also noted that it does not require know-your-customer checks, and that any KYC data submitted for higher purchase limits is handled by an external provider and not stored on its systems.
Investigators found numerous indicators linking the attack to the Lazarus Group and its affiliate Bluenoroff, including malware similarities, blockchain tracing patterns, and reused IP and email infrastructure tied to previous crypto breaches.
Bitrefill said it worked with security and law enforcement agencies to respond to the incident.
Bitrefill plans to cover the financial losses caused by the attack using its working capital. The platform has restored many functions, including payments, inventory, and customer accounts, with sales rates returning to pre-incident levels.
The company said it is strengthening its security posture with more penetration testing, tighter access controls, improved logging and monitoring, and updated incident response procedures, including automatic shutdown policies.