Hackers Linked to North Korea Suspected of Bitrefill Breach That Drained Wallets

Bitrefill said the attackers drained hot wallets and abused gift card flows after gaining a foothold through data stolen from an employee's device.
Bitrefill disclosed that it was the target of a cyberattack on March 1 that led to the theft of cryptocurrency, and said its investigation found numerous indicators linking the incident to the tactics of the DPRK group associated with Lazarus / Bluenoroff.
The company said similarities in attacker methods, malware, on-chain tracing patterns, and the reuse of IP and email addresses are consistent with previous activity attributed to the group.
Bitrefill Cyberattack
According to the company, the breach originated from a compromised employee laptop, from which a legacy certificate was issued. Those credentials allowed access to a snapshot containing production secrets, which the attackers then used to escalate their access across Bitrefill's systems. This gave them access to parts of the database and to cryptocurrency wallets.
In its latest tweet, Bitrefill said it first identified the incident after discovering unusual purchase patterns involving certain suppliers, indicating that gift card inventory and supply flows were being misused. At the same time, it noticed that some hot wallets were being drained, with funds being sent to addresses controlled by the attackers. Once the breach was confirmed, the company shut down all systems to contain the situation.
After the incident, Bitrefill confirmed that it was working with external cybersecurity experts, incident response teams, blockchain analysts, and law enforcement.
The company said there was no indication that customer data was the focus of the attack. According to its logs, the attackers ran a limited number of database queries associated with the test function to determine what could be extracted, namely cryptocurrency and gift card inventory. Bitrefill added that it stores minimal personal data and does not require mandatory KYC or any verification information held by an external provider.
However, it confirmed that approximately 18,500 purchase records were accessed, including email addresses, cryptocurrency payment addresses, and metadata such as IP addresses. In nearly 1,000 cases where customers provided product names, that information was encrypted, but the company considers it likely to have been compromised because the encryption keys may have been exposed. Those users have been notified.
Bitrefill said it does not currently believe customers need to take any action, but advises caution regarding any unexpected communications related to Bitrefill or cryptocurrency.
The company added that it has strengthened its security measures, including conducting additional cybersecurity reviews and penetration testing, tightening internal access controls, improving monitoring and logging, and refining incident response procedures. It said the financial losses would be covered from its operating income, and that many services, including fees and assets, had been restored.
Lazarus Havoc
Even though many crypto platforms have strengthened their security frameworks in recent years, malicious actors continue to bypass protections. The Lazarus Group remains the most persistent and dangerous adversary in the industry, responsible for the largest crypto hack on record after stealing $1.4 billion from Bybit in February 2025.
Blockchain researcher ZachXBT previously said that breaches involving platforms such as Bybit, DMM Bitcoin, and WazirX saw stolen funds easily recovered. The on-chain investigator added that DPRK-linked groups "seem to have won the battle" in terms of enforcement.



