On March 1, the online cryptocurrency store Bitrefill was targeted by a cyberattack. The project team linked the incident to the North Korean Lazarus Group (a subdivision of BlueNoroff).
March 1st incident report
On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation — including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) — we find many similarities…
— Bitrefill (@bitrefill) March 17, 2026
Platform representatives reported the attack on March 17. Experts found similarities with the attackers' previous hacks based on the malware used, methods of operation, on-chain traces, and IP addresses.
Attack Vector
The breach began with the compromise of an employee's laptop. Hackers stole old credentials that allowed them to access a snapshot of the system containing production data. This enabled the criminals to escalate privileges and gain access to infrastructure, including databases and cryptocurrency wallets.
The security team noticed suspicious activity involving gift cards and fund transfers from hot wallets to the hackers' addresses. Upon detecting the threat, all systems were shut down.
Data Leak
According to the investigation, the attackers viewed approximately 18,500 purchase records. The leak includes:
- email addresses;
- cryptocurrency addresses;
- metadata, including IP addresses.
In about 1,000 cases, customers provided their names for the purchase of specific items. This information was stored in encrypted form, but the hackers could access the keys. Bitrefill considers this data compromised and has already notified affected users.
Verification data was not affected, as it is stored with an external provider and has no backups in the Bitrefill system.
The company stated it would cover financial losses from its operational capital. The service is now fully operational again.
Law enforcement and cybersecurity firms, including Security Alliance and zeroShadow, have been involved in the investigation. Bitrefill has strengthened security measures, implemented additional monitoring tools, and revised incident response procedures.
It is worth noting that in February, losses in the cryptocurrency market from hacks fell to an 11-month low.
