Bitrefill: Bitrefill Hit by Cyberattack Linked to North Korea’s Lazarus Group


Bitrefill Hit by Suspected Lazarus Group Cyberattack, Exposing Customer Data and Draining Funds

Earlier this month, crypto e-commerce platform Bitrefill suffered a cyberattack believed to be linked to North Korea’s Lazarus Group, following patterns observed in previous digital asset sector breaches. The attack began with a compromised employee laptop, granting attackers access to internal systems, including portions of Bitrefill’s database and cryptocurrency wallets. Unauthorized transactions drained funds from hot wallets, and illicit purchases were made through vendor channels, though the exact financial loss remains undisclosed.

The breach disrupted operations, prompting Bitrefill to take services offline until the incident was contained. Investigators identified strong similarities to past Lazarus operations in the malware, infrastructure, and behavioral tactics used. The attackers accessed approximately 18,500 purchase records containing email addresses, crypto payment details, and IP metadata; only around 1,000 of those records posed a higher risk, because they potentially exposed encrypted customer names. Bitrefill has notified the affected users in that higher-risk category.

The company clarified that most purchases do not require identity verification, which limits the amount of sensitive personal data stored internally. For the transactions that do, verification data is handled by an external provider, further reducing exposure. Bitrefill stated there is no evidence that the attackers extracted its entire database; the queries they ran were limited and appear to have been aimed at assessing what could be stolen.

Lazarus Group's suspected involvement underscores its role as a persistent threat to the crypto industry, with North Korea-linked actors responsible for over $2 billion in crypto theft in a single year. These attacks typically rely on social engineering, compromised insiders, or infected endpoints rather than on exploiting software vulnerabilities in the target's systems. In Bitrefill's case, the initial breach aligns with known Lazarus tactics: compromise one employee's access, then use it to move laterally to the systems that hold data and funds.
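The two observable signals in the attack chain described above are an employee endpoint querying customer purchase data and a hot wallet paying out faster than normal. As an added example (not Bitrefill's code and not from the source article), the following Python runs a detection for each over constructed sample logs. The log formats, host and table names, the service-account allow-list, the velocity window and the threshold are all assumptions.

```python
"""Added example: two detections for the signals the incident summary describes.

Signal 1: SQL touching customer/purchase tables from an employee workstation or
          a non-service account (the 'limited queries to assess potential theft').
Signal 2: hot-wallet outflows exceeding a per-wallet velocity limit (the
          'unauthorized transactions drained funds from hot wallets').

Everything below (log formats, names, thresholds, sample lines) is assumed and
constructed for illustration; it is not Bitrefill's environment."""

import re
from collections import deque
from datetime import datetime, timedelta
from decimal import Decimal

# --- Signal 1: database reconnaissance from an endpoint ----------------------

# Assumed DB audit line format: "<iso-ts> user=<u> host=<h> sql=<query>"
DB_AUDIT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) sql=(?P<sql>.*)$")

# Assumed policy: only these service accounts, from app hosts, may read these tables.
SERVICE_ACCOUNTS = {"app_orders", "app_reporting"}
APP_HOST_PREFIX = "app-"
SENSITIVE_TABLES = {"purchases", "customers", "wallet_keys"}

def tables_in(sql):
    """Crude table extraction: identifiers following FROM/JOIN/INTO/UPDATE."""
    return {t.lower() for t in re.findall(r"\b(?:from|join|into|update)\s+([A-Za-z_]\w*)", sql, re.I)}

def detect_db_recon(lines):
    """Return one finding per audit line that reads a sensitive table outside policy."""
    findings = []
    for line in lines:
        m = DB_AUDIT_RE.match(line)
        if not m:
            continue
        touched = tables_in(m["sql"]) & SENSITIVE_TABLES
        if not touched:
            continue
        reasons = []
        if not m["host"].startswith(APP_HOST_PREFIX):
            reasons.append("query from non-application host")
        if m["user"] not in SERVICE_ACCOUNTS:
            reasons.append("non-service account")
        if reasons:
            findings.append({"ts": m["ts"], "user": m["user"], "host": m["host"],
                             "tables": sorted(touched), "reasons": reasons})
    return findings

# --- Signal 2: hot-wallet outflow velocity -----------------------------------

# Assumed ledger line format: "<iso-ts> wallet=<w> direction=in|out amount=<n> to=<addr>"
WALLET_RE = re.compile(r"^(?P<ts>\S+) wallet=(?P<wallet>\S+) direction=(?P<dir>in|out) "
                       r"amount=(?P<amount>[\d.]+) to=(?P<to>\S+)$")

def detect_wallet_drain(lines, window=timedelta(minutes=10), limit=Decimal("1.0")):
    """Flag each outflow that pushes a wallet's total outflow within `window` above `limit`.
    Amounts are Decimal so the sums are exact; window and limit are assumed policy values."""
    recent = {}      # wallet -> deque of (timestamp, amount) inside the window
    findings = []
    for line in lines:
        m = WALLET_RE.match(line)
        if not m or m["dir"] != "out":
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent.setdefault(m["wallet"], deque())
        q.append((ts, Decimal(m["amount"])))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        total = sum(a for _, a in q)
        if total > limit:
            findings.append({"wallet": m["wallet"], "ts": m["ts"], "window_total": total})
    return findings

# --- Constructed sample data (not real logs) ---------------------------------

SAMPLE_DB_AUDIT = [
    "2026-03-02T09:14:05 user=app_orders host=app-01 sql=SELECT id FROM purchases WHERE id=123",
    "2026-03-02T23:41:17 user=jdoe host=laptop-jdoe sql=SELECT COUNT(*) FROM purchases",
    "2026-03-02T23:42:03 user=jdoe host=laptop-jdoe sql=SELECT email, ip FROM purchases LIMIT 100",
    "2026-03-02T23:43:11 user=jdoe host=laptop-jdoe sql=SELECT 1",
]

SAMPLE_WALLET_LEDGER = [
    "2026-03-03T01:00:00 wallet=hot-btc-1 direction=out amount=0.20 to=bc1qcustomer1",
    "2026-03-03T01:03:00 wallet=hot-btc-1 direction=out amount=0.50 to=bc1qunknown",
    "2026-03-03T01:05:00 wallet=hot-btc-1 direction=out amount=0.60 to=bc1qunknown",
    "2026-03-03T01:06:00 wallet=hot-btc-2 direction=in amount=2.00 to=bc1qhot2",
    "2026-03-03T01:20:00 wallet=hot-btc-1 direction=out amount=0.30 to=bc1qcustomer2",
]

if __name__ == "__main__":
    for f in detect_db_recon(SAMPLE_DB_AUDIT):
        print("DB recon:", f)
    for f in detect_wallet_drain(SAMPLE_WALLET_LEDGER):
        print("Wallet drain:", f)
```

On the sample data the first detection fires twice, both for the laptop host reading the purchases table at night under a personal account, and the second fires once, at 01:05, when three outflows inside ten minutes sum to 1.30 against a limit of 1.0; the later 0.30 payout is not flagged because the earlier entries have aged out of the window. In practice the allow-list and thresholds would come from policy, and the velocity check belongs in the signing path so that it can block rather than only alert.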

Bitrefill has since restored most operations, including payments, inventory, and user accounts, and will cover financial losses from its own capital. The incident highlights the growing risk of operational exposure in crypto security, where human access points and internal systems increasingly serve as primary attack vectors.

Source: https://financefeeds.com/bitrefill-hit-by-cyberattack-linked-to-north-koreas-lazarus-group/

Bitrefill cybersecurity rating report: https://www.rankiteo.com/company/bitrefill

"id": "BIT1773771997",
"linkid": "bitrefill",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '~1,000 (higher-risk category)',
                        'industry': 'Cryptocurrency, E-commerce',
                        'name': 'Bitrefill',
                        'type': 'Crypto E-commerce Platform'}],
 'attack_vector': 'Compromised employee laptop, Social Engineering, Lateral '
                  'Movement',
 'customer_advisories': 'Notified ~1,000 users in higher-risk category',
 'data_breach': {'data_encryption': 'Encrypted customer names (exposed in '
                                    '~1,000 records)',
                 'data_exfiltration': 'Limited queries to assess potential '
                                      'theft (no evidence of full database '
                                      'extraction)',
                 'number_of_records_exposed': '18,500 (total); ~1,000 '
                                              '(higher-risk)',
                 'personally_identifiable_information': 'Encrypted customer '
                                                        'names (limited '
                                                        'exposure)',
                 'sensitivity_of_data': 'Moderate (limited PII exposure)',
                 'type_of_data_compromised': ['Email addresses',
                                              'Crypto payment details',
                                              'IP metadata',
                                              'Encrypted customer names']},
 'description': 'Crypto e-commerce platform Bitrefill suffered a cyberattack '
                'believed to be linked to North Korea’s Lazarus Group, '
                'resulting in the exposure of customer data and unauthorized '
                'draining of funds. The attack began with a compromised '
                'employee laptop, granting attackers access to internal '
                'systems, including portions of Bitrefill’s database and '
                'cryptocurrency wallets. Unauthorized transactions drained '
                'funds from hot wallets, and illicit purchases were made '
                'through vendor channels.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'data exposure and financial theft',
            'data_compromised': '18,500 purchase records (email addresses, '
                                'crypto payment details, IP metadata); ~1,000 '
                                'records with encrypted customer names',
            'downtime': 'Services taken offline during containment',
            'financial_loss': 'Undisclosed (funds drained from hot wallets, '
                              'illicit purchases)',
            'identity_theft_risk': 'Limited (most purchases do not require '
                                   'identity verification)',
            'operational_impact': 'Disrupted operations, temporary service '
                                  'unavailability',
            'payment_information_risk': 'High (crypto payment details exposed)',
            'systems_affected': 'Internal databases, Cryptocurrency wallets, '
                                'Vendor channels'},
 'initial_access_broker': {'entry_point': 'Compromised employee laptop',
                           'high_value_targets': 'Cryptocurrency wallets, '
                                                 'Vendor channels'},
 'investigation_status': 'Ongoing (strong similarities to past Lazarus '
                         'operations identified)',
 'lessons_learned': 'Growing risk of operational exposure in crypto security, '
                    'where human access points and internal systems '
                    'increasingly serve as primary attack vectors. Importance '
                    'of securing employee endpoints and limiting lateral '
                    'movement.',
 'motivation': 'Financial gain, Cryptocurrency theft',
 'post_incident_analysis': {'corrective_actions': 'Restored operations, '
                                                  'Covered financial losses, '
                                                  'Enhanced security measures '
                                                  '(unspecified)',
                            'root_causes': 'Compromised employee endpoint, '
                                           'Social engineering, Lateral '
                                           'movement across systems'},
 'recommendations': 'Enhance employee security training, Implement stricter '
                    'access controls, Monitor for lateral movement, Segment '
                    'critical systems, Reduce storage of sensitive data '
                    'internally',
 'references': [{'source': 'Cyber Incident Report'}],
 'response': {'communication_strategy': 'Notified affected users in '
                                        'higher-risk category',
              'containment_measures': 'Services taken offline, Attack '
                                      'contained',
              'incident_response_plan_activated': 'Yes',
              'recovery_measures': 'Systems restored, Enhanced security '
                                   'measures (unspecified)',
              'remediation_measures': 'Restored operations (payments, '
                                      'inventory, user accounts), Covered '
                                      'financial losses from own capital'},
 'threat_actor': 'Lazarus Group (Suspected)',
 'title': 'Bitrefill Hit by Suspected Lazarus Group Cyberattack',
 'type': 'Data Breach, Financial Theft',
 'vulnerability_exploited': 'Human access points, Infected endpoints'}