Crypto e-commerce platform Bitrefill said it was the target of a cyberattack earlier this month that resulted in stolen funds and limited exposure of customer data, with indicators pointing to the North Korea-linked Lazarus Group as a likely perpetrator.
The breach, which began on March 1, originated from a compromised employee laptop, according to the company's incident report.
Attackers were able to extract legacy credentials tied to production systems, allowing them to escalate access across Bitrefill's infrastructure, including parts of its internal database and certain cryptocurrency hot wallets.
Bitrefill said the attackers drained an undisclosed amount of funds from its hot wallets while also exploiting its gift card inventory systems to place suspicious orders with vendors. The company did not specify the total financial impact but said it will absorb the losses using operational capital.
The intrusion was first detected through irregular purchasing patterns and anomalies in supplier activity.
In response, Bitrefill temporarily took its systems offline to contain the breach across its global operations. The company said services, including payments and account access, have since returned to normal levels.
As part of the attack, approximately 18,500 purchase records were accessed. The exposed data includes email addresses, cryptocurrency payment addresses and metadata such as IP addresses.
Around 1,000 of those records involved encrypted customer names, which are being treated as potentially exposed due to the possibility that attackers accessed the encryption keys. Bitrefill said it has notified affected users directly.
Despite the breach, the company emphasized that it stores minimal personal data and does not require mandatory know-your-customer verification for most transactions. Any KYC-related information is handled by external providers and is not stored within Bitrefill's systems. The firm added there is no evidence that its full database was exfiltrated or that customer data was the primary target.
“Based on our investigation and logs, we don’t have reason to believe that customer data was the target,” the company said, noting that the attackers appeared to conduct limited queries consistent with probing for valuable assets such as cryptocurrency holdings and gift card inventory.
North Korea’s Lazarus Group was concerned
Bitrefill cited several indicators linking the attack to the Lazarus Group, including similarities in malware, reused infrastructure such as IP addresses and email accounts, and on-chain transaction patterns.
The group, commonly associated with North Korea, has been tied to some of the largest crypto thefts in recent years through its specialized subgroup, Bluenoroff.
Cybersecurity firms including zeroShadow, SEAL911 and RecoverisTeam assisted in the response and investigation, alongside on-chain analysts and law enforcement. The company said it is implementing additional security measures, including expanded monitoring systems and internal controls, to prevent similar incidents.
The attack highlights ongoing concerns around state-sponsored cyber threats in the digital asset sector.
According to blockchain analytics firm Chainalysis, groups linked to North Korea were responsible for more than $2 billion in crypto thefts in 2025, accounting for a significant share of total illicit activity in the space.
Bitrefill said operations have stabilized following the incident and expressed confidence in its recovery, noting that customer activity and sales volumes have returned to typical levels.