
Bitrefill says March 1 hack traced to North Korea-linked Lazarus Group after employee laptop compromise

Bitrefill, the well-known crypto ecommerce platform, disclosed that the cyberattack it suffered on March 1, 2026, which began with a compromised employee laptop, was the work of the North Korea-linked Lazarus Group. The attackers drained active wallets and exposed customer purchase data. The attack affected about 18,500 purchase records and led the company to take systems offline and absorb the financial losses from its operating capital, according to Bitrefill.

How the breach developed and what was taken

According to Bitrefill’s account, the attackers obtained legacy credentials from a single employee device and used them to escalate privileges across all internal systems. That access allowed the group to compromise hot wallets and exploit gift card inventory systems. Bitrefill said the attackers accessed approximately 18,500 purchase records, including email addresses, cryptocurrency payment addresses, and IP addresses.

Bitrefill said it took systems offline to contain the intrusion and has since restored most services, including payments and account access. The company promised to cover the losses from its operating capital. It also says it is working with external teams of experts to understand what happened and prevent future attacks.

Bitrefill’s Response

Bitrefill has implemented expanded monitoring, strengthened internal access controls, and refined its incident response protocols. The company brought in outside cybersecurity firms and on-chain analysts, and is working with law enforcement, to conduct a forensic investigation and trace the stolen funds.

Bitrefill says it linked the tactics used (a single point of entry through a compromised device, then lateral movement to wallets and inventory) to documented patterns associated with the Lazarus Group and Bluenoroff, another Lazarus-associated hacker group, including previous high-value operations such as a $1.5 billion exchange hack and aggregate cryptocurrency thefts linked to the DPRK of around $2.02 billion in 2025.

While the attackers accessed 18,500 purchase records that potentially reveal limited customer information, there is no evidence that they extracted the entire database: they only ran a limited number of queries consistent with a scan to understand what was available to steal. Therefore, Bitrefill believes that the main objective was solely financial and not the theft of customer data.

Finally, the platform assured that it will cover all losses with its own capital:

“Bitrefill was designed to limit the impact if something like this ever happened. Bitrefill remains well funded, has been profitable for several years and will absorb these losses from our operational capital.”

