Bitrefill Confirms Lazarus Group Hack — 18,500 Records Compromised

March 18, 2026, 4 min read

Crypto platform Bitrefill, one of the world's largest gift card services supporting cryptocurrency payments, has confirmed a major cyberattack that occurred on March 1, 2026. The company attributed the breach to the North Korean hacking group Lazarus Group (also known as Bluenoroff). The attackers gained access to the platform's hot crypto wallets and compromised over 18,500 customer purchase records.

Key takeaway: Bitrefill has become the latest victim of the Lazarus Group — the most dangerous cyber threat actor in the crypto industry, responsible for stealing over $6.75 billion in digital assets throughout its history. The company will cover losses from operational capital and has already restored most systems.

What is Bitrefill and why it became a target

Bitrefill is a global e-commerce platform that allows users to spend Bitcoin and other cryptocurrencies on gift cards, mobile top-ups, and services at thousands of stores worldwide. The platform works with dozens of suppliers and processes thousands of transactions daily.

The combination of hot crypto wallets holding liquid funds and a complex gift card supply chain made Bitrefill an attractive target. Unlike exchanges, where primary assets are kept in cold storage, gift card platforms require constant access to liquidity for instant order fulfillment.

Timeline and attack mechanism

The breach began with the compromise of an employee laptop, which exposed legacy credentials that still had access to the production infrastructure. This allowed hackers to reach production keys and gain control over portions of the platform's systems.

Bitrefill detected the anomaly when it noticed unusual purchasing patterns among gift card suppliers. The attackers exploited the gift card supply chain, redirecting funds and orders to external addresses. Additionally, hackers accessed the platform's hot crypto wallets and transferred funds out before the company could block access.

Upon discovering the intrusion, Bitrefill immediately took affected systems offline to contain the threat. The company engaged independent cybersecurity researchers and notified law enforcement to conduct an investigation.

Scope of the data breach

Bitrefill cyberattack consequences
Attack date: March 1, 2026
Records compromised: 18,500
Records with names: ~1,000
Data types: Email, crypto addresses, IP
Financial losses: Not disclosed

The compromised data includes user email addresses, cryptocurrency payment addresses, and metadata such as IP addresses. In approximately one thousand cases, encrypted usernames may have been exposed. The company emphasized that personal data was not the primary target — server log analysis showed that hackers focused on cryptocurrency reserves and gift card inventory.

Bitrefill did not disclose the specific amount of stolen funds but confirmed its commitment to covering all losses from operational capital. The platform's sales volumes have already returned to normal levels, and most systems — including payments, inventory, and accounts — have been fully restored.

Why Lazarus Group is suspected

Bitrefill attributed the attack to the Lazarus Group based on comprehensive analysis: characteristic malware signatures, on-chain tracing of stolen fund movements, and IP addresses and email accounts previously linked to the group's operations.

The Lazarus Group is a cyber warfare unit linked to the North Korean government. According to blockchain analysts, the group is responsible for stealing at least $6.75 billion in cryptocurrency throughout its history. Among Lazarus's most notable operations:

  • Bybit ($1.5 billion): in February 2026, hackers drained Ethereum from the exchange's hot wallets, executing the largest crypto theft in history
  • Ronin Network ($625 million): breach of the Axie Infinity ecosystem sidechain in 2022
  • Harmony Horizon Bridge ($100 million): cross-chain bridge attack in 2022
  • WazirX and Atomic Wallet: theft of funds from an Indian exchange and a popular desktop wallet

Security measures after the incident

Bitrefill implemented a comprehensive security enhancement program following the attack. The company conducted a series of penetration tests, significantly strengthened access controls to critical infrastructure, and expanded monitoring and logging systems. All legacy credentials were revoked and replaced with new ones featuring stricter complexity requirements.

Bitrefill's leadership acknowledged the severity of the incident but emphasized the company's resilience, stating that getting hit by a sophisticated attack is extremely painful, but the company survived. The platform confirmed that all customers whose data was compromised will receive appropriate notifications with security recommendations.

Implications for the crypto industry

The Bitrefill breach, occurring just one week after the record-breaking Bybit attack, demonstrates the growing threat from state-sponsored hacking groups to the entire crypto infrastructure. Targets now extend beyond exchanges to adjacent services — payment platforms, bridges, wallets, and e-commerce solutions.

The recent Venus Protocol exploit worth $3.7 million through price manipulation and the Bitrefill attack within a single month highlight the diversity of threats — from smart contract vulnerabilities to social engineering and employee compromise. Experts recommend that crypto companies minimize funds held in hot wallets, implement hardware authentication keys, and regularly rotate credentials for critical system access.
