Crypto e-commerce platform Bitrefill said it was the target of a cyberattack earlier this month that resulted in stolen funds and limited exposure of customer data, with indicators pointing to the North Korea-linked Lazarus Group as a possible perpetrator.
The breach, which began on March 1, originated from a compromised employee laptop, according to the company's incident report.
Attackers were able to extract legacy credentials tied to production systems, allowing them to escalate access across Bitrefill's infrastructure, including parts of its internal database and certain cryptocurrency hot wallets.
Bitrefill said the attackers drained an undisclosed amount of funds from its hot wallets while also abusing its gift card inventory systems to place suspicious orders with vendors. The company did not specify the total financial impact but said it would absorb the losses using operational capital.
The intrusion was first detected through irregular purchasing patterns and anomalies in supplier activity.
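What "irregular purchasing patterns" can look like in practice, as an added example that is not Bitrefill's code and is not drawn from its incident report: two simple rules run over a constructed order log, a per-vendor hourly volume z-score against a quiet baseline, and a per-account order-rate burst check. The order schema, vendor and account names, dates and thresholds are all assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample order log (not real Bitrefill data): one tuple per
# gift-card order as (timestamp, account_id, vendor, amount_usd).
# Eight quiet baseline days with a small order every three hours, followed by
# a burst of large orders from one account inside a single early-morning hour.
BASELINE = [
    (datetime(2026, 2, day, hour, 15), f"acct{(day * hour) % 7}", "vendorA",
     20.0 + (day * hour) % 15)
    for day in range(20, 28) for hour in range(0, 24, 3)
]
SPIKE = [
    (datetime(2026, 3, 1, 2, 0) + timedelta(minutes=i), "acct_x", "vendorA", 500.0)
    for i in range(12)
]
PURCHASES = BASELINE + SPIKE
BASELINE_END = datetime(2026, 3, 1)  # assumed cut-over: history before this is "normal"


def hourly_volume(purchases, vendor):
    """Sum order amounts per hour bucket for one vendor (hours with no orders are omitted)."""
    buckets = defaultdict(float)
    for ts, _acct, v, amt in purchases:
        if v == vendor:
            buckets[ts.replace(minute=0, second=0, microsecond=0)] += amt
    return buckets


def volume_anomalies(purchases, vendor, baseline_end, z_threshold=3.0):
    """Flag hour buckets at or after baseline_end whose volume exceeds the
    baseline mean by more than z_threshold standard deviations.
    Returns a list of (hour, amount) pairs."""
    buckets = hourly_volume(purchases, vendor)
    base = [amt for hour, amt in buckets.items() if hour < baseline_end]
    if len(base) < 2:
        return []  # not enough history to build a baseline
    mu, sigma = mean(base), pstdev(base)
    return [
        (hour, amt) for hour, amt in sorted(buckets.items())
        if hour >= baseline_end and sigma > 0 and (amt - mu) / sigma > z_threshold
    ]


def account_bursts(purchases, window=timedelta(minutes=10), max_orders=5):
    """Flag accounts placing more than max_orders orders inside any sliding
    time window. Returns {account_id: peak order count seen in one window}."""
    by_acct = defaultdict(list)
    for ts, acct, _v, _amt in purchases:
        by_acct[acct].append(ts)
    flagged = {}
    for acct, times in by_acct.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count > max_orders:
                flagged[acct] = max(flagged.get(acct, 0), count)
    return flagged


if __name__ == "__main__":
    for hour, amt in volume_anomalies(PURCHASES, "vendorA", BASELINE_END):
        print(f"volume spike: {hour:%Y-%m-%d %H:00} vendorA total ${amt:,.2f}")
    for acct, n in account_bursts(PURCHASES).items():
        print(f"order burst: {acct} placed {n} orders within 10 minutes")
```

Both rules are deliberately crude. The volume rule only baselines hours that had at least one order, so a vendor with sparse traffic needs a longer history or a per-hour-of-day baseline, and the burst rule knows nothing about order value; in a real pipeline the two signals would be combined and joined with supplier-side data (rejected or unusually large redemptions) rather than alerted on separately.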
In response, Bitrefill temporarily took its systems offline to contain the breach across its global operations. The company said services, including payments and account access, have since returned to normal levels.
As part of the attack, roughly 18,500 purchase records were accessed. The exposed data includes email addresses, cryptocurrency payment addresses and metadata such as IP addresses.
Around 1,000 of those records involved encrypted customer names, which are being treated as potentially exposed because the attackers may have had access to the encryption keys. Bitrefill said it has notified affected users directly.
Despite the breach, the company emphasized that it stores minimal personal data and does not require mandatory know-your-customer verification for most transactions. Any KYC-related data is handled by external providers and is not stored within Bitrefill's systems. The firm added there is no evidence that its full database was exfiltrated or that customer data was the primary target.
"Based on our investigation and logs, we don't have reason to think that customer data was the objective," the company said, noting that the attackers appeared to conduct limited queries consistent with probing for valuable assets such as cryptocurrency holdings and gift card inventory.
North Korea's Lazarus Group was involved
Bitrefill cited several indicators linking the attack to the Lazarus Group, including similarities in malware, reused infrastructure such as IP addresses and email accounts, and on-chain transaction patterns.
The group, commonly associated with North Korea, has been tied to some of the largest crypto thefts of recent years through its specialized subgroup, Bluenoroff.
Cybersecurity firms including zeroShadow, SEAL911 and RecoverisTeam assisted in the response and investigation, alongside on-chain analysts and law enforcement. The company said it is implementing additional security measures, including expanded monitoring systems and internal controls, to prevent similar incidents.
The attack highlights ongoing concerns around state-sponsored cyber threats in the digital asset sector.
According to blockchain analytics firm Chainalysis, groups linked to North Korea were responsible for more than $2 billion in crypto thefts in 2025, accounting for a large share of total illicit activity in the space.
Bitrefill said operations have stabilized following the incident and expressed confidence in its recovery, noting that customer activity and sales volumes have returned to typical levels.
