Crypto e-commerce platform Bitrefill said it was the target of a cyberattack earlier this month that resulted in stolen funds and limited exposure of customer data, with indicators pointing to the North Korean-linked Lazarus Group as a likely perpetrator.
The breach, which began on March 1, originated from a compromised employee laptop, according to the company’s incident report.
Attackers were able to extract legacy credentials tied to production systems, allowing them to escalate access across Bitrefill’s infrastructure, including segments of its internal database and certain cryptocurrency hot wallets.
Bitrefill said the attackers drained an undisclosed amount of funds from its hot wallets while also exploiting its gift card inventory systems to place suspicious purchases with vendors. The company did not specify the total financial impact but stated it will absorb the losses using operational capital.
The intrusion was first detected through irregular purchasing patterns and anomalies in supplier activity.
In response, Bitrefill temporarily took its systems offline to contain the breach across its global operations. The company said services, including payments and account access, have since returned to normal levels.
As part of the attack, approximately 18,500 purchase records were accessed. The exposed data includes email addresses, cryptocurrency payment addresses and metadata such as IP addresses.
Around 1,000 of those records involved encrypted customer names, which are being treated as potentially exposed due to the possibility that attackers accessed encryption keys. Bitrefill said it has notified affected users directly.
Despite the breach, the company emphasized that it stores minimal personal data and does not require mandatory know-your-customer verification for most transactions. Any KYC-related information is handled by external providers and is not stored within Bitrefill’s systems. The firm added there is no evidence that its full database was exfiltrated or that customer data was the primary target.
“Based on our investigation and logs, we don’t have reason to think that customer data was the objective,” the company said, noting that the attackers appeared to conduct limited queries consistent with probing for valuable assets such as cryptocurrency holdings and gift card inventory.
North Korea’s Lazarus Group was involved
Bitrefill cited several indicators linking the attack to the Lazarus Group, including similarities in malware, reused infrastructure such as IP addresses and email accounts, and on-chain transaction patterns.
The group, often associated with North Korea, has been tied to some of the largest crypto thefts in recent years through its specialized subgroup, Bluenoroff.
Cybersecurity firms including zeroShadow, SEAL911 and RecoverisTeam assisted in the response and investigation, alongside on-chain analysts and law enforcement. The company said it is implementing additional security measures, including expanded monitoring systems and internal controls, to prevent similar incidents.
The attack highlights ongoing concerns around state-sponsored cyber threats in the digital asset sector.
According to blockchain analytics firm Chainalysis, groups linked to North Korea were responsible for more than $2 billion in crypto thefts in 2025, accounting for a significant share of total illicit activity in the space.
Bitrefill said operations have stabilized following the incident and expressed confidence in its recovery, noting that customer activity and sales volumes have returned to typical levels.
