Bitrefill Was Hacked by Lazarus Group, and 18,500 Customer Records Were Exposed

Updated: Mar 18, 2026. By SpendNode Editorial.

Key Analysis

Bitrefill reveals a March 1 cyberattack linked to North Korea

Bitrefill, the crypto-native gift card and bill-pay platform, disclosed on March 17 that it was the target of a cyberattack on March 1, 2026. The company attributed the breach to North Korea's Lazarus Group based on malware signatures, on-chain tracing, and reused attacker infrastructure. Crypto wallets were drained, gift card inventory was exploited, and approximately 18,500 purchase records were partially exposed.

The disclosure came more than two weeks after the initial breach. Bitrefill first described the incident as a "technical issue," then upgraded it to a "security issue" before releasing a full incident report.

One Laptop, Full Infrastructure Access

The attack started with a compromised employee laptop. From that entry point, the attackers extracted a legacy credential tied to a snapshot containing production secrets. That single credential gave them escalating access across Bitrefill's infrastructure: database components, cryptocurrency hot wallets, gift card inventory systems, and supplier purchasing tools.

Bitrefill detected the intrusion when it spotted unusual purchasing patterns with certain suppliers. Gift card stock and supply lines were being exploited, with the attackers placing suspicious purchases through Bitrefill's vendor relationships.
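The detection signal described above, a jump in purchasing through particular suppliers, is simple enough to reproduce over purchase logs. What follows is an added example and not Bitrefill's own code: the log format, supplier names, thresholds, and the choice of a one-hour window measured against a 24-hour trailing baseline are all assumptions, and every log line is constructed for illustration. The check flags two shapes of activity, a burst through a supplier the platform normally buys from in small amounts, and a sizeable order through a supplier with no purchase history at all.

```python
"""
Supplier-purchase anomaly check.

Added example, not Bitrefill's code. It compares each supplier's spend in the
most recent window against that supplier's trailing per-window average and
flags suppliers whose current spend exceeds a multiple of the baseline, or
whose spend is non-trivial with no baseline history (a supplier the platform
has never bought from before). Log format, supplier names and thresholds are
assumptions; all log lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed "now" used only to anchor the sample log.
NOW = datetime(2026, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def fmt(ts, supplier, order_id, amount):
    """Render one constructed log line: '<ts> supplier=<name> order=<id> amount=<usd>'."""
    return f"{ts.strftime(TS_FMT)} supplier={supplier} order={order_id} amount={amount:.2f}"


def build_sample_log(now=NOW):
    """Constructed log: 24 h of steady baseline buying, then one suspicious hour."""
    lines = []
    base = now - timedelta(hours=25)
    for h in range(24):
        ts = base + timedelta(hours=h)
        lines.append(fmt(ts, "cardvendor-a", 1000 + h, 50.00))        # $50 every hour
        if h % 2 == 0:
            lines.append(fmt(ts, "cardvendor-b", 2000 + h, 30.00))    # $30 every other hour
    # Final hour: a burst through vendor A plus a supplier never used before.
    burst = now - timedelta(minutes=50)
    for i in range(20):
        lines.append(fmt(burst + timedelta(minutes=2 * i), "cardvendor-a", 5000 + i, 200.00))
    lines.append(fmt(now - timedelta(minutes=30), "cardvendor-b", 2100, 30.00))   # normal
    lines.append(fmt(now - timedelta(minutes=10), "cardvendor-z", 9000, 900.00))  # unseen supplier
    return lines


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware timestamp."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, TS_FMT).replace(tzinfo=timezone.utc),
        "supplier": kv["supplier"],
        "order": kv["order"],
        "amount": float(kv["amount"]),
    }


def summarize(events, start, end):
    """Return {supplier: (order_count, total_amount)} for events with start <= ts < end."""
    agg = defaultdict(lambda: [0, 0.0])
    for e in events:
        if start <= e["ts"] < end:
            agg[e["supplier"]][0] += 1
            agg[e["supplier"]][1] += e["amount"]
    return {s: (c, t) for s, (c, t) in agg.items()}


def detect_anomalies(events, now, window=timedelta(hours=1), baseline=timedelta(days=1),
                     factor=5.0, min_spend=200.0):
    """
    Flag suppliers whose spend in the last `window` exceeds
    max(factor * trailing per-window average, min_spend).
    `min_spend` keeps tiny amounts from alerting when the baseline is near zero,
    while still catching a sizeable order through a supplier with no history.
    """
    recent = summarize(events, now - window, now)
    hist = summarize(events, now - window - baseline, now - window)
    windows_in_baseline = baseline / window  # timedelta / timedelta -> float
    alerts = []
    for supplier in sorted(recent):
        count, total = recent[supplier]
        b_count, b_total = hist.get(supplier, (0, 0.0))
        avg = b_total / windows_in_baseline
        threshold = max(factor * avg, min_spend)
        if total > threshold:
            alerts.append({
                "supplier": supplier,
                "recent_orders": count,
                "recent_total": total,
                "baseline_avg": avg,
                "threshold": threshold,
                "new_supplier": b_count == 0,
            })
    return alerts


def run_demo():
    """Parse the constructed log and return the alerts it produces."""
    events = [parse_line(line) for line in build_sample_log()]
    return detect_anomalies(events, NOW)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed log the check raises two alerts: cardvendor-a, whose last hour of spend is eighty times its trailing hourly average, and cardvendor-z, which has no history at all. A real deployment would tune the window, baseline and factor per supplier and feed the alerts into the same pipeline as wallet-outflow monitoring, since the two signals appeared together in this incident.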

The cryptocurrency wallets were emptied and funds transferred to attacker-controlled addresses. Bitrefill has not disclosed the total amount stolen but said it would absorb the losses through operational capital.

18,500 Records and 1,000 Encrypted Names

The data exposure affected approximately 18,500 purchase records containing email addresses, crypto payment addresses, and IP metadata. The attackers were not primarily hunting personal data, but the records were accessible alongside the financial targets.

An additional 1,000 records containing customer names were encrypted, but Bitrefill is treating them as potentially compromised since the attackers may have obtained the encryption keys. All affected users received direct email notification.

Bitrefill noted that KYC is not mandatory on its platform, and that verification information is stored externally rather than in its own databases. That architectural decision likely limited the scope of the personal data exposure.

Lazarus Group Fingerprints

The attribution to Lazarus Group and its sub-unit Bluenoroff rests on several forensic indicators: the modus operandi matched known Lazarus playbooks, the malware signatures aligned with previous campaigns, on-chain transaction patterns followed familiar laundering routes, and the attackers reused IP addresses and email accounts linked to prior North Korean operations.

Lazarus Group has been responsible for some of the largest crypto thefts in history. The group was behind the $1.5 billion Bybit hack in February 2025, the $625 million Ronin Bridge exploit in 2022, and the $100 million Harmony Bridge theft the same year. The FBI and multiple blockchain analytics firms have attributed over $6 billion in crypto theft to North Korean state-sponsored hackers since 2017.

Bitrefill represents a different type of target. Unlike exchanges or bridges that hold billions in liquidity, Bitrefill is a payments and commerce platform. Its value to attackers lies in both the crypto held in hot wallets and the gift card inventory, which can be monetized through resale or direct use, making the proceeds harder to trace than on-chain transfers.

Gift Cards as a Laundering Vector

The exploitation of Bitrefill's gift card systems is notable because gift cards have long been a preferred cash-out method for cybercriminals. Unlike cryptocurrency, which leaves an on-chain trail, gift cards purchased and redeemed across retail networks are extremely difficult to claw back or trace.

The Lazarus Group's interest in Bitrefill's supplier infrastructure suggests the attackers understood this. By placing orders through Bitrefill's legitimate vendor relationships, they could convert stolen access into gift cards that function as anonymous, spendable value.

For crypto card users, the incident is a reminder that the security of the platforms handling your transactions matters as much as the custody model of the card itself. A custodial service with poor internal access controls can expose user data and funds regardless of how secure the underlying blockchain is.

Recovery and What Comes Next

Bitrefill says payments, stock, accounts, and sales are mostly back to normal, with transaction volumes returning to pre-incident levels. The company has taken several remediation steps: systems were taken offline during containment, internal access controls have been tightened, and external security reviews and penetration testing are ongoing. Enhanced logging, monitoring, and incident-response automation have been deployed.

The company did not specify whether any of the stolen cryptocurrency has been recovered. Given Lazarus Group's sophisticated laundering infrastructure, which typically involves chain-hopping through mixers and decentralized exchanges, recovery prospects for the crypto portion are likely slim.

Overview

Bitrefill disclosed a March 1, 2026 cyberattack attributed to North Korea's Lazarus Group. The breach originated from a compromised employee laptop and escalated through legacy credentials to drain crypto wallets, exploit gift card inventory, and expose 18,500 purchase records. The company has not disclosed the financial losses but says it will absorb them through operational capital. Operations have largely returned to normal. The incident adds Bitrefill to the growing list of crypto platforms targeted by state-sponsored North Korean hackers, and marks a shift toward targeting commerce and gift card infrastructure rather than just exchanges and bridges.

Frequently Asked Questions

Did the attackers access customer passwords or payment card numbers?

No. Bitrefill does not store traditional payment card data. The exposed records contained email addresses, crypto payment addresses, and IP metadata. Approximately 1,000 encrypted customer names may also have been compromised.

How much cryptocurrency was stolen?

Bitrefill has not disclosed the total amount. The company stated it will cover all losses from operational capital.

Should affected users take action?

Users who received a direct notification from Bitrefill should monitor the crypto addresses they used for transactions on the platform. While the data exposed is limited, email addresses combined with crypto payment addresses could be used for targeted phishing.
