
Lazarus Group Suspected in Bitrefill Cyberattack
Bitrefill faced a cyberattack linked to Lazarus Group on March 1.
On March 1, the cryptocurrency online store Bitrefill experienced a cyberattack. The project team linked the incident to the North Korean group Lazarus Group (a division of BlueNoroff).
March 1st incident report
On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation — including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) — we find many similarities…
— Bitrefill (@bitrefill) March 17, 2026
Representatives of the platform reported the attack on March 17. Experts found similarities with previous breaches by the perpetrators in terms of the malware used, methods of operation, on-chain traces, and IP addresses.
Attack Vector
The breach began with the compromise of an employee’s laptop. Hackers stole old credentials, which allowed them to access a “snapshot” of the system with production data. This enabled the fraudsters to escalate privileges and gain access to the infrastructure, including databases and cryptocurrency wallets.
The security team noticed suspicious operations with gift cards and the withdrawal of funds from hot wallets to the hackers’ addresses. After detecting the threat, all systems were shut down.
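The two signals the security team acted on, unusual gift-card activity and hot-wallet outflows to unfamiliar addresses, sketched as detection logic over constructed sample events. This is an added example, not Bitrefill's own tooling; the event format, the known-destination allowlist and the burst threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real Bitrefill data). Each event is either a
# hot-wallet outflow or a gift-card redemption by a customer account.
EVENTS = [
    {"ts": "2026-03-01T02:10:00", "kind": "wallet_out", "wallet": "hot-btc-1",
     "to": "bc1q-known-exchange", "amount": 0.5},
    {"ts": "2026-03-01T02:12:00", "kind": "wallet_out", "wallet": "hot-btc-1",
     "to": "bc1q-unknown-aaa", "amount": 3.0},
    {"ts": "2026-03-01T02:12:30", "kind": "giftcard_redeem", "account": "acct-42", "value": 500},
    {"ts": "2026-03-01T02:13:00", "kind": "giftcard_redeem", "account": "acct-42", "value": 500},
    {"ts": "2026-03-01T02:13:20", "kind": "giftcard_redeem", "account": "acct-42", "value": 500},
    {"ts": "2026-03-01T02:40:00", "kind": "giftcard_redeem", "account": "acct-7", "value": 50},
]

# Assumed allowlist of destinations a hot wallet is expected to pay out to.
KNOWN_DESTINATIONS = {"bc1q-known-exchange"}


def find_anomalies(events, known_destinations, giftcard_limit=3, window_s=600):
    """Return alerts for (a) hot-wallet outflows to addresses outside the
    allowlist and (b) accounts redeeming giftcard_limit cards within window_s
    seconds. The burst alert fires once, when the threshold is first reached."""
    alerts = []
    redeems = defaultdict(list)  # account -> timestamps inside the window
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["kind"] == "wallet_out" and e["to"] not in known_destinations:
            alerts.append(("unknown_destination", e["wallet"], e["to"]))
        elif e["kind"] == "giftcard_redeem":
            recent = [t for t in redeems[e["account"]]
                      if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            redeems[e["account"]] = recent
            if len(recent) == giftcard_limit:
                alerts.append(("giftcard_burst", e["account"], len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(EVENTS, KNOWN_DESTINATIONS):
        print(alert)
```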
Data Breach
According to the investigation, the attackers viewed approximately 18,500 purchase records. The leak includes:
- email addresses;
- cryptocurrency addresses;
- metadata, including IP addresses.
In about 1,000 cases, customers provided their names for purchasing specific goods. This information was stored in encrypted form, but the hackers may have obtained the keys. Bitrefill considers this data compromised and has already notified affected users.
Verification data was not affected, as it is stored with an external provider and not backed up in the Bitrefill system.
The company stated it would cover financial losses from its own operating capital. The service is now fully restored.
Law enforcement and cybersecurity firms, including Security Alliance and zeroShadow, have been involved in the investigation. Bitrefill has strengthened security measures, implemented additional monitoring tools, and revised incident response procedures.
Earlier in February, losses from crypto market hacks dropped to an 11-month low.