The North Korean group is suspected to be behind the cyberattack that drained wallets and exposed data from 18,500 transactions on the Bitcoin e-commerce platform.
On March 1, Bitrefill was targeted by a cyberattack believed to be attributable to the Lazarus Group, a cybercriminal organization linked to the North Korean regime.
The breach began with a compromised employee laptop. From that device, the attackers extracted stale credentials that still granted access to a snapshot containing sensitive production data. Once inside, the escalation was rapid.
Starting from the initial credentials, the group expanded its access across the entire corporate infrastructure, penetrating critical portions of the database and reaching operational wallets (hot wallets).
The first warning sign emerged from the analysis of purchasing patterns. The Bitrefill team detected suspicious anomalies in transactions involving certain suppliers: gift card inventory was being systematically exploited. At the same time, funds held in hot wallets were being drained and transferred to addresses controlled by the attackers.
Investigators identified multiple indicators pointing to the Lazarus/Bluenoroff Group, the DPRK’s operational arm in cyberspace. Bitrefill worked closely with cybersecurity experts, incident response specialists, blockchain analysts, and law enforcement to reconstruct the incident and close the vulnerabilities.
Compromised data
Approximately 18,500 purchase transactions were compromised during the breach. The exposed data included email addresses, digital asset payment addresses, and metadata such as users’ IP addresses.
For a subset of around 1,000 transactions – where the purchase of specific products required a name – this data was encrypted in the database. However, given that the attackers may have gained access to the decryption keys, Bitrefill is treating this information as potentially compromised. Affected customers have already been directly notified via email.
Post-attack security measures
The company has implemented a multi-layered cybersecurity reinforcement plan:
- comprehensive reviews with penetration testing conducted by multiple external experts;
- further tightening of internal access controls;
- enhanced logging and monitoring for faster anomaly detection;
- refinement and continuous testing of incident response and automatic shutdown procedures.
At this time, based on the available information, Bitrefill does not believe any specific action is required from customers. As a general precaution, the company recommends remaining vigilant toward unexpected communications mentioning Bitrefill or digital asset-related topics, which may represent potential phishing or social engineering attempts.