Bitrefill attributes laptop breach and fund theft to Lazarus Group hackers

The company has chosen not to disclose the total amount stolen during the March 1 breach but confirmed it will cover all losses through its operating reserves.

Digital currency e-commerce platform Bitrefill has disclosed that it fell victim to a sophisticated cybersecurity breach on March 1, utilizing attack patterns that bear striking similarities to operations conducted by the Lazarus Group, the infamous hacking collective operating out of North Korea.

Through a statement published on X this Tuesday, Bitrefill detailed how the attackers deployed malware alongside on-chain tracing techniques and recycled IP addresses and email infrastructure to infiltrate an employee's laptop, which allowed them to siphon cryptocurrency from the platform's hot wallets and gain access to 18,500 transaction records, potentially exposing "limited customer information."

According to Bitrefill, the BlueNoroff Group, a separate North Korean hacking entity with documented connections to the Lazarus Group, could have participated in the attack or potentially carried it out independently.

[Image: Bitrefill announcement. Source: Bitrefill]

The platform, which allows users to purchase real-world goods and gift cards using cryptocurrency, said there is no indication that the hackers extracted its complete database, which points to a financially driven objective behind the attack.

"There is no evidence that they extracted our entire database, only that the attackers ran a limited number of queries consistent with probing to understand what there was to steal, including cryptocurrency and Bitrefill gift card inventory."

Although Bitrefill refrained from revealing the exact amount of cryptocurrency stolen during the incident, the organization confirmed it "will absorb" these financial losses utilizing its operational capital.

"Almost everything is back to normal: payments, stock, accounts," Bitrefill said, adding: "Sales volumes are also back to normal, and we are eternally thankful to our customers for your continued confidence in us."

Even though numerous cryptocurrency platforms have bolstered their security infrastructure over recent years, highly skilled threat actors have persistently discovered methods to penetrate their protective measures.

The Lazarus Group continues to represent the cryptocurrency sector's most dangerous adversary and orchestrated the biggest heist in cryptocurrency history, successfully stealing $1.4 billion from digital asset exchange Bybit in February 2025.

Bitrefill has upped its security measures

Bitrefill reported that it reached out to law enforcement authorities and collaborated with cryptocurrency security companies Security Alliance, FearsOff Security, Recoveris.io and zeroShadow to manage the cybersecurity breach. Among its immediate actions was taking its systems offline to prevent the attack from spreading further.

According to Bitrefill, the company has already made "significant improvements" to its cybersecurity protocols following the incident.

These measures include comprehensive cybersecurity audits conducted together with security researchers and implementation of their recommendations, stronger internal access controls, and upgraded monitoring systems to speed up threat detection and incident response.
