Crypto e-commerce platform Bitrefill disclosed it was breached on March 1, saying the attack used tactics consistent with North Korea’s Lazarus Group. In a post on X, the company said the attribution rests on the malware deployed, on-chain tracing of the stolen funds and the attackers’ reuse of known IP and email infrastructure; the intrusion began with the compromise of an employee’s laptop. From there the attackers drained funds from hot wallets and accessed about 18,500 purchase records, potentially exposing limited customer information.
Bitrefill noted that BlueNoroff, another DPRK-linked cybercrime group closely associated with Lazarus, may have been involved or could be the sole actor. The company said there is no evidence the attackers extracted the full database, only that they ran a limited set of queries consistent with probing for crypto and gift-card inventory, indicating a financial motive.
While Bitrefill has not disclosed the amount stolen, it said it will absorb the losses from operational capital. The firm reported that “almost everything is back to normal: payments, stock, accounts,” and that sales volumes have returned to their usual levels.
In response, Bitrefill contacted law enforcement and engaged crypto-security firms including Security Alliance, FearsOff Security, Recoveris.io and zeroShadow. The company initially took systems offline to contain the incident and said it has since “significantly improved” cybersecurity practices. Measures implemented include external security reviews and adoption of researcher recommendations, tighter internal access controls, and enhanced monitoring for faster detection and response.
The breach underscores ongoing threats to crypto firms from sophisticated state-linked groups. Lazarus Group remains one of the crypto sector’s most dangerous adversaries and was previously tied to the $1.4 billion theft from exchange Bybit in February 2025. Despite heightened defenses across the industry, attackers continue to find ways to exploit vulnerabilities.
