
Bitrefill hack linked to Lazarus: what it reveals about crypto risks


Cryptocurrency payments and gift card platform Bitrefill has resumed operations after a cyberattack on March 1, 2026, exposed parts of its infrastructure and cryptocurrency wallets.

The company has attributed the breach to the North Korea-linked Lazarus Group following an internal investigation.

Attackers gained access to production keys, drained funds from hot wallets, and accessed a limited set of customer purchase records.

Bitrefill said it will cover all losses using operational capital.

While services have returned to normal, the incident highlights risks facing crypto platforms and the sophistication of state-linked hacking groups.

How the breach began

The attack originated from an employee’s compromised laptop, which exposed legacy credentials.

This allowed attackers to move across Bitrefill’s systems and gain access to infrastructure, including databases and cryptocurrency wallets.

The breach became visible when the company detected unusual purchasing behaviour among suppliers.

Attackers were exploiting gift card inventory while transferring funds out of hot wallets.

Bitrefill responded by taking systems offline to contain the incident.

The company later confirmed that attackers used malware, on-chain tracing, and reused IP and email patterns.

These methods matched tactics associated with the Lazarus Group, also known as Bluenoroff.

Links to past crypto attacks

The Lazarus Group has been linked to several breaches in the cryptocurrency sector.

Previous incidents have targeted platforms such as Ronin Network, Harmony’s Horizon Bridge, WazirX, and Atomic Wallet.

Bitrefill said the techniques used in this attack showed similarities to earlier cases.

These include gaining access through compromised credentials, targeting hot wallets, and moving funds through blockchain networks.

A detailed account of the incident was shared by the company on X, outlining how attackers combined cyber intrusion methods with blockchain-based fund movements.

Customer data exposure

The breach involved access to around 18,500 purchase records.

These records included email addresses, cryptocurrency payment addresses, and metadata such as IP addresses.

Approximately 1,000 records also contained encrypted usernames linked to purchases.

Bitrefill said it is treating this subset as potentially compromised and has contacted affected users.

The company stated there is no evidence that customer data was the primary target.

Internal logs showed attackers ran a limited number of queries focused on cryptocurrency balances and gift card inventory rather than extracting the full database.

Bitrefill also noted that it stores minimal personal information and does not require mandatory KYC, which may have reduced the scale of exposure.

Users have been advised to remain cautious about unexpected communications.

Recovery and security measures

Bitrefill said most systems, including payments, stock, and accounts, are now back online, with transaction volumes returning to normal.

The company confirmed that it remains profitable and capable of absorbing the financial impact of the breach.

In response, it has introduced security upgrades.

These include external penetration testing, stricter access controls, improved logging and monitoring, and updated incident response procedures.

The company is continuing to work with security researchers, incident response teams, on-chain analysts, and law enforcement as part of the investigation.

Bitrefill described this as its first major security incident in more than a decade of operations and said it has taken steps to strengthen its defences following the attack.

The post Bitrefill hack linked to Lazarus: what it reveals about crypto risks appeared first on Invezz
