Bitrefill Hack Linked to Lazarus Group Exposes Data

Crypto payments platform Bitrefill has disclosed details of a sophisticated cyberattack that targeted its infrastructure earlier this month, with indicators pointing to links with North Korea’s notorious Lazarus Group.

According to a statement shared on March 17, the breach occurred on March 1, 2026, after attackers gained initial access through a compromised employee's laptop.

March 1st incident report

On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation – including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) – we find many similarities…

— Bitrefill (@bitrefill) March 17, 2026

A legacy credential was reportedly exfiltrated from that laptop, allowing unauthorized access to a snapshot containing production secrets. With those secrets, the attackers were able to escalate privileges and move into broader systems, including parts of the company's database and certain cryptocurrency wallets.

The incident was first detected when Bitrefill noticed unusual purchasing patterns involving suppliers, alongside the draining of funds from some hot wallets. The attackers also exploited the company's gift card inventory and supply lines.

In response, the company immediately took its systems offline to contain the breach, temporarily disrupting its global operations.

Bitrefill confirmed that around 18,500 purchase records were accessed during the incident. The exposed data includes limited customer information such as email addresses, crypto wallet addresses, and metadata like IP addresses.

Additionally, approximately 1,000 transactions involving products that required customer names may have been compromised, although this data was encrypted. The company has already notified affected users directly.

Despite the breach, Bitrefill stated there is no evidence that its full database was extracted or that customer data was the primary target. The company emphasized that it stores minimal personal data and relies on external providers for Know Your Customer (KYC) verification.

Following the attack, Bitrefill has been working with cybersecurity experts, on-chain analysts, and law enforcement agencies to investigate the incident and strengthen its defenses.

The firm has since enhanced access controls, improved monitoring systems, and conducted extensive security reviews.

While the attack resulted in financial losses, Bitrefill said it remains profitable and will absorb the impact using operational capital. Most services have now been restored, with transaction volumes returning to normal levels.

