On March 1, crypto e-commerce firm Bitrefill disclosed a security breach it says used tactics consistent with North Korea's Lazarus Group. The company said the attribution rests on the malware the attackers deployed, on-chain tracing, and reuse of IP and email infrastructure previously associated with the group. The intrusion began with the compromise of an employee's laptop.
The intruders drained funds from hot wallets and accessed roughly 18,500 purchase records, a dataset that may contain limited customer information. Bitrefill said investigators found no proof the full database was exfiltrated; instead, the attackers ran a narrow set of queries that appear focused on crypto and gift-card inventory, suggesting a financial motive. The company also flagged BlueNoroff — another DPRK-linked group closely associated with Lazarus — as a possible participant or the sole actor.
Bitrefill did not disclose the exact amount stolen and said it will absorb the losses from operational capital. The firm added that operations have largely resumed: payments, stock, and accounts are back in service, and sales volumes have returned to normal levels.
In response to the incident, Bitrefill notified law enforcement and retained multiple crypto-security firms, including Security Alliance, FearsOff Security, Recoveris.io, and zeroShadow. The company initially took systems offline to contain the intrusion and has since implemented a series of security improvements.
Measures reported include external security reviews and adoption of researcher recommendations, tightened internal access controls, and enhanced monitoring to speed detection and response. Bitrefill said these steps have significantly strengthened its cybersecurity posture.
The breach highlights the persistent threat state-linked and highly capable criminal groups pose to crypto businesses. Lazarus Group remains one of the sector's most dangerous adversaries and was previously tied to a $1.4 billion theft from exchange Bybit in February 2025. Despite rising defenses industrywide, attackers continue to find a way in; here, as in many recent cases, the initial foothold was a single employee endpoint rather than a flaw in the company's wallet or payment code.