March 18, 2026 ChainGPT

Bitrefill Hack Tied to North Korea's Lazarus Group — 18,500 Records Exposed

Bitrefill, the popular platform that lets users buy gift cards and prepaid phone credit with cryptocurrency, has revealed it was the victim of a sophisticated cyberattack on March 1, 2026 — and says the tactics point to North Korea–linked hacker groups.

What happened

- The breach began with a compromised employee laptop and escalated after attackers exfiltrated a legacy credential contained in a snapshot that included production secrets. That credential let the intruders move laterally into parts of Bitrefill’s infrastructure.
- Attackers accessed sections of the company’s database, certain cryptocurrency wallets, and exploited gift-card inventory and supplier purchase channels. Bitrefill says it detected the activity after spotting unusual supplier purchasing patterns and immediately took all systems offline to contain the incident.
- The company first flagged a “technical issue” on March 1, then confirmed a “security issue” and pulled services. On March 17 Bitrefill published a fuller incident report and noted multiple indicators linking the attack to tactics seen in prior Lazarus/Bluenoroff operations — including malware signatures, on-chain tracing, and reused IP and email infrastructure.

Customer impact and response

- Bitrefill’s logs show no evidence of a full database dump, but a subset of records was accessed. About 18,500 purchase records were affected, with exposed fields including email addresses, crypto payment addresses, and metadata such as IP addresses.
- Roughly 1,000 records that required customer names were encrypted in storage, but Bitrefill is treating those as potentially compromised because attackers may have obtained the relevant decryption keys. Affected users have been notified directly by email.
- The company does not require mandatory KYC and says verification info is held with an external provider rather than in internal backups.
- Bitrefill advises customers that, based on current findings, no specific action is required but to remain vigilant for unexpected Bitrefill- or crypto-related communications.

Where things stand now

- Most operations — including payments, inventory, and accounts — have been restored. Bitrefill says any financial losses will be covered by operational capital.
- The company is continuing work with incident responders, on-chain analysts, and law enforcement; it’s also running external security reviews and penetration tests, tightening internal access controls, and upgrading logging, monitoring, and automated incident response.

Bigger picture

- Bitrefill’s attribution to Lazarus/Bluenoroff echoes a string of high-profile crypto heists tied to North Korean actors, such as last year’s reported $1.4 billion Bybit exchange breach and the $622 million Ronin (Axie Infinity) exploit in 2022. Chainalysis reported that hackers linked to North Korea stole more than $2 billion in crypto last year alone.
- The incident underscores ongoing risks for crypto-native services that bridge on-chain value with off-chain goods and suppliers, and the importance of robust credential hygiene, monitoring, and supplier fraud detection.

Bitrefill says it will continue sharing updates as the investigation progresses.