In brief

  • Bitrefill was hit by a March 1 cyberattack that escalated from a compromised laptop to database and wallet access, with evidence pointing to North Korean hacking groups Lazarus and Bluenoroff.
  • About 18,500 purchase records were partially exposed; no full database exfiltration occurred, and affected users were notified directly.
  • Most operations have been restored, losses will be covered by operational capital, and Bitrefill is tightening security measures going forward.

Bitrefill, a platform that lets users exchange cryptocurrency for gift cards and phone service credit, disclosed Tuesday that it was targeted in a March 1 cyberattack.

According to the firm, the attack began with a compromised employee laptop and then expanded into broader infrastructure after the attackers exfiltrated a legacy credential tied to a snapshot containing production secrets.

In an incident report posted to X, the company said the attackers moved from initial access into parts of its database and certain cryptocurrency wallets, while also exploiting gift card inventory and supplier purchasing lines. Bitrefill said it detected the breach after spotting suspicious supplier purchasing patterns. Once confirmed, it took all systems offline as part of containment.
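The signal the company credits with surfacing the breach, suspicious supplier purchasing patterns, is the kind of thing a simple per-supplier burst detector over purchasing logs can raise. The block below is an added example written for this page, not Bitrefill's code or the tooling it used; the log format, supplier ids, timestamps and thresholds are all constructed for illustration.

```python
"""
Added example: flag hours in which orders placed against a gift-card supplier
jump well above that supplier's own baseline. Log format, supplier ids and
thresholds are assumptions for illustration, not Bitrefill's.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean

# Constructed sample log (not real data): "<ISO-8601 UTC> <supplier id> <USD>".
# Supplier gc-eu-2 sees one or two orders per hour, then nine orders inside
# two minutes during the 04:00 hour; gc-us-1 stays quiet throughout.
SAMPLE_LOG = """\
2025-06-01T00:05:12Z gc-eu-2 50
2025-06-01T00:12:03Z gc-us-1 100
2025-06-01T01:10:30Z gc-eu-2 100
2025-06-01T01:40:55Z gc-us-1 25
2025-06-01T01:47:02Z gc-eu-2 25
2025-06-01T02:05:17Z gc-us-1 50
2025-06-01T02:33:41Z gc-eu-2 50
2025-06-01T03:09:19Z gc-eu-2 100
2025-06-01T03:22:48Z gc-us-1 100
2025-06-01T03:51:26Z gc-eu-2 50
2025-06-01T04:02:01Z gc-eu-2 500
2025-06-01T04:02:09Z gc-eu-2 500
2025-06-01T04:02:17Z gc-eu-2 500
2025-06-01T04:02:26Z gc-eu-2 500
2025-06-01T04:02:34Z gc-eu-2 500
2025-06-01T04:02:45Z gc-eu-2 500
2025-06-01T04:02:53Z gc-eu-2 500
2025-06-01T04:03:02Z gc-eu-2 500
2025-06-01T04:03:11Z gc-eu-2 500
2025-06-01T04:15:09Z gc-us-1 25
"""


def parse_line(line):
    """Split one log line into (aware UTC datetime, supplier id, USD amount)."""
    ts, supplier, amount = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, supplier, float(amount)


def hourly_buckets(lines):
    """Aggregate order count and USD volume per (supplier, hour)."""
    buckets = defaultdict(lambda: {"orders": 0, "usd": 0.0})
    for line in lines:
        if not line.strip():
            continue
        when, supplier, usd = parse_line(line)
        hour = when.replace(minute=0, second=0, microsecond=0)
        buckets[(supplier, hour)]["orders"] += 1
        buckets[(supplier, hour)]["usd"] += usd
    return buckets


def flag_bursts(lines, factor=3.0, min_orders=5):
    """Return [(supplier, hour_iso, orders, usd)] for hours whose order count is
    at least min_orders and more than factor x that supplier's mean hourly count
    over the *other* observed hours (leave-one-out, so the burst does not
    inflate its own baseline). Hours with zero orders are not observed and so
    are not part of the baseline; a production detector would fill them in."""
    per_supplier = defaultdict(list)
    for (supplier, hour), stats in hourly_buckets(lines).items():
        per_supplier[supplier].append((hour, stats))

    flagged = []
    for supplier, hours in per_supplier.items():
        for hour, stats in sorted(hours, key=lambda item: item[0]):
            others = [s["orders"] for h, s in hours if h != hour]
            baseline = mean(others) if others else 0.0
            if stats["orders"] >= min_orders and stats["orders"] > factor * baseline:
                flagged.append((supplier, hour.isoformat(), stats["orders"], round(stats["usd"], 2)))
    return flagged


if __name__ == "__main__":
    for supplier, hour, orders, usd in flag_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {supplier} {hour}: {orders} orders, ${usd:,.2f}")
```

Counts rather than dollar volume drive the alert here because a compromised purchasing line tends to show up first as many rapid orders; the USD total is carried along so the responder can size the exposure. The `min_orders` floor keeps a supplier that normally sees one order an hour from alerting on two.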

The company had previously disclosed on March 1 that it was dealing with a “technical issue” and then later a “security issue,” at which point it took down all services. Tuesday was the first time that Bitrefill provided full details on the attack and potential instigators.

The company said its investigation found multiple indicators that it described as similar to prior industry attacks from the North Korean state-sponsored hacking groups Lazarus and Bluenoroff, including malware patterns, on-chain tracing, and reused infrastructure. Bitrefill said it has been working with incident responders, on-chain analysts, and law enforcement as the investigation continues.

On customer impact, Bitrefill said logs show no evidence of full database exfiltration, but a subset of records was accessed. The company said approximately 18,500 purchase records were affected, including limited fields such as email addresses, crypto payment addresses, and metadata including IP addresses.

For roughly 1,000 purchases requiring customer names, Bitrefill said those fields were encrypted but is treating them as potentially accessed because attackers may have obtained relevant keys. The company said users in that subset were notified directly by email.

Bitrefill said it does not mandate KYC and stores verification information with an external provider rather than in internal backups. Based on current findings, the company said it does not believe customers need to take specific action, while advising caution around unexpected Bitrefill- or crypto-related communications.

The company said most operations are now back to normal, including payments, stock, and accounts, and that losses will be absorbed through operational capital. Bitrefill also said it is continuing external security reviews and penetration testing, tightening internal access controls, and upgrading logging, monitoring, and incident-response automation.

North Korean hacking groups have been tied by authorities to many prominent crypto industry heists, including last year’s $1.4 billion Bybit exchange hack, and 2022’s $622 million hack of the Ronin gaming network tied to crypto game Axie Infinity. Last year, hackers linked to North Korea swiped over $2 billion worth of crypto, per a report from Chainalysis.
