Cryptocurrency payments platform Bitrefill said a cyberattack on March 1 compromised parts of its infrastructure, exposing roughly 18,500 purchase records and draining funds from several hot wallets.
The company attributed the breach to the Lazarus Group, a hacking organization widely linked to North Korea that has previously targeted major cryptocurrency platforms. Bitrefill said it has restored operations and will cover all financial losses using operational capital.
The attack exposed limited customer data, including email addresses, cryptocurrency payment addresses, and metadata such as IP addresses. About 1,000 of the affected records also contained encrypted usernames tied to certain purchases.
Bitrefill said it has already notified impacted users and currently believes the attackers were primarily focused on accessing funds and exploiting the company’s gift card inventory rather than stealing large amounts of customer data.
Attack Began with Compromised Employee Device
According to the company’s incident report, the breach began when an employee laptop was compromised, exposing legacy credentials that allowed attackers to gain access to parts of Bitrefill’s internal infrastructure.
Those credentials enabled the attackers to obtain production keys and move funds from several hot wallets. At the same time, suspicious activity appeared within the company’s supply chain as hackers attempted to exploit gift card purchasing systems.
The company detected unusual transaction patterns involving certain suppliers, which prompted an immediate shutdown of parts of its platform to prevent further losses.
“Bitrefill operates a global e-commerce business with dozens of suppliers, thousands of products and multiple payment methods across many countries,” the company said in a statement explaining the operational complexity of halting and restoring systems.
The Lazarus Group has been responsible for several of the largest cryptocurrency-related hacks in recent years, including attacks targeting the Ronin Network, Harmony’s Horizon Bridge, and other digital asset platforms.
Security Upgrades Follow Breach Investigation
Bitrefill said its investigation relied on collaboration with cybersecurity researchers, blockchain analysts, incident response teams and law enforcement authorities.
The company identified several technical indicators linking the attack to Lazarus Group activity, including malware patterns, reused IP addresses and on-chain fund movements consistent with previous campaigns attributed to the organization.
To reduce future risks, Bitrefill said it has already strengthened internal security protocols. The measures include tighter access controls, expanded logging and monitoring systems, comprehensive external penetration testing and improved incident response procedures.
The company also plans to refine automated shutdown mechanisms designed to isolate compromised systems more quickly.
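The report describes two defensive controls at a high level: detecting unusual transaction patterns involving certain suppliers, and automated shutdown mechanisms that isolate compromised systems quickly. The following is an added illustration of how such a control can be wired together; it is not Bitrefill's code and nothing in the incident report describes their actual thresholds or architecture. The supplier names, window sizes, spike factor and purchase records are all constructed for the example. Per-supplier spend is bucketed into hourly windows, the current hour is compared against the median of the preceding hours, and any supplier whose spend exceeds the baseline by a configurable factor is tripped into a circuit breaker that blocks further purchases through it until an operator clears it.

```python
"""Constructed example: per-supplier spend spike detection feeding a circuit breaker.

Not Bitrefill's code. Supplier names, thresholds and purchase data are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

WINDOW = 3600            # bucket size in seconds (one hour); assumed value
BASELINE_WINDOWS = 6     # how many prior hours form the baseline; assumed value
SPIKE_FACTOR = 5.0       # current spend must exceed baseline * factor; assumed value
MIN_ABS_SPEND = 500.0    # and exceed this floor, so a quiet supplier's first sale is not a "spike"
NOW = 1_700_001_000      # constructed "current time", 30 minutes into an hourly window


@dataclass(frozen=True)
class Purchase:
    ts: int          # unix seconds
    supplier: str    # supplier identifier
    amount: float    # face value purchased, in a single currency


def bucket_spend(purchases, window=WINDOW):
    """Sum purchase value per (supplier, window index)."""
    totals = defaultdict(float)
    for p in purchases:
        totals[(p.supplier, p.ts // window)] += p.amount
    return totals


def detect_spikes(purchases, now, window=WINDOW, baseline_windows=BASELINE_WINDOWS,
                  factor=SPIKE_FACTOR, min_abs=MIN_ABS_SPEND):
    """Return {supplier: (baseline, current)} for suppliers whose current-window spend
    is anomalously high relative to the median of the preceding windows."""
    totals = bucket_spend(purchases, window)
    current = now // window
    flagged = {}
    for supplier in sorted({s for s, _ in totals}):
        history = [totals.get((supplier, current - i), 0.0)
                   for i in range(1, baseline_windows + 1)]
        baseline = median(history)          # median resists one earlier busy hour
        spend_now = totals.get((supplier, current), 0.0)
        if spend_now > baseline * factor and spend_now > min_abs:
            flagged[supplier] = (baseline, spend_now)
    return flagged


class CircuitBreaker:
    """Tracks suppliers that have been automatically halted."""

    def __init__(self):
        self.halted = set()

    def trip(self, flagged):
        """Halt every flagged supplier; returns the set of suppliers now halted by this call."""
        newly = set(flagged) - self.halted
        self.halted |= newly
        return newly

    def allow(self, supplier):
        """Purchase gate: False while the supplier is isolated."""
        return supplier not in self.halted


def constructed_sample():
    """Six quiet hours for two suppliers, then a burst through one of them (constructed data)."""
    base = (NOW // WINDOW) * WINDOW
    events = []
    for h in range(1, BASELINE_WINDOWS + 1):
        start = base - h * WINDOW
        events += [Purchase(start + i * 600, "gc-vendor-a", 50.0) for i in range(3)]    # 150/hour
        events += [Purchase(start + i * 600, "gc-vendor-b", 100.0) for i in range(2)]   # 200/hour
    events += [Purchase(base + 60 * i, "gc-vendor-a", 100.0) for i in range(40)]        # 4000 this hour
    events += [Purchase(base + 900, "gc-vendor-b", 250.0)]                               # 250 this hour
    return events


def run_demo():
    """Detect spikes over the constructed data and trip the breaker; returns (flagged, halted)."""
    flagged = detect_spikes(constructed_sample(), NOW)
    breaker = CircuitBreaker()
    halted = breaker.trip(flagged)
    return flagged, halted


if __name__ == "__main__":
    flagged, halted = run_demo()
    for supplier, (baseline, now_spend) in flagged.items():
        print(f"{supplier}: baseline {baseline:.0f}/h, current {now_spend:.0f}/h -> halted")
    print("halted suppliers:", sorted(halted))
```

In this constructed run only `gc-vendor-a` trips (4000 against a 150 baseline), while `gc-vendor-b` at 250 against 200 stays open. The useful property for an incident like the one described is that isolation is scoped to the supplier showing the anomaly rather than the whole platform, and that a median baseline with an absolute floor keeps a single earlier busy hour or a new low-volume supplier from causing a false halt.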
Despite the breach, Bitrefill said its platform has largely returned to normal operations, with payments, inventory and account systems fully restored. The company added that sales volumes have already recovered to typical levels.
The incident marks the first major security breach for Bitrefill in more than a decade of operation, highlighting the ongoing cybersecurity risks facing cryptocurrency businesses as digital assets continue to attract sophisticated state-linked hacking groups.