Bitrefill, the Stockholm-based cryptocurrency gift card platform, suffered a breach on March 1 linked to hackers from the North Korea-linked Lazarus/Bluenoroff group, according to an incident report released March 17, 2026.
The attackers exploited a compromised employee laptop to access production credentials, drain cryptocurrency wallets, and access 18,500 customer purchase records before the company detected unusual purchasing patterns and shut down its systems.
“On March 1, 2026, Bitrefill was the target of a cyberattack,” the company said in its official report. Investigators noted similarities between the Bitrefill hack and previous operations linked to the Lazarus/Bluenoroff group, a cybercrime unit widely associated with North Korea, citing patterns in malware, infrastructure, and operational tactics.
The Bitrefill hack was detected after unusual purchasing behavior raised internal alarms, prompting further investigation into potential system compromise.
Bitrefill hack leads to wallet drainage and system shutdown
As the Bitrefill hack unfolded, attackers exploited vulnerabilities in the company’s supply chain and financial systems. The breach enabled unauthorized access to certain cryptocurrency wallets, resulting in the transfer of funds to attacker-controlled addresses.
The company reported that its gift card inventory and supplier systems were also manipulated during the Bitrefill hack, indicating a dual-layer attack targeting both financial assets and operational workflows.
“We first detected the incident after noticing suspicious purchasing patterns with certain suppliers,” Bitrefill stated. “At the same time we found some of our hot wallets being drained and funds transferred to attacker-controlled wallets.”
In response, Bitrefill immediately shut down its systems to contain the breach. Given the scale of its operations—spanning multiple countries, payment systems, and supplier networks—the shutdown process was complex and required careful coordination.
“Safely switching all these things off and bringing them back online is not trivial,” the company noted, emphasizing the operational challenges posed by the Bitrefill hack.
The firm has since restored most services, including payments, stock availability, and user accounts, with transaction volumes reportedly returning to normal levels.
Bitrefill hack exposes limited customer data access
Despite the severity of the Bitrefill hack, the company maintains that customer data was not the primary target. Internal investigations suggest that attackers conducted only limited database queries, likely aimed at identifying valuable assets rather than extracting large volumes of personal information.
Bitrefill stated that approximately 18,500 purchase records were accessed during the incident. These records included limited data such as email addresses, cryptocurrency payment addresses, and metadata like IP addresses.
“For approximately 1,000 purchases, specific products required customers to provide a name,” the company explained. “That information is encrypted in our database. However, since the attackers may have gotten access to the encryption keys, we are treating this data as potentially accessed.”
Affected customers have been directly notified via email. The company emphasized that it stores minimal personal data and does not require mandatory identity verification, as KYC processes are handled by external providers.
“At this time, based on the information currently available, we do not believe customers need to take specific action,” Bitrefill added, while advising users to remain cautious of suspicious communications.
Bitrefill hack prompts security overhaul and industry response
In the aftermath of the Bitrefill hack, the company has initiated a series of security upgrades aimed at preventing similar incidents in the future. These measures include enhanced access controls, expanded monitoring systems, and comprehensive security audits conducted in collaboration with external experts.
Bitrefill confirmed it is working with cybersecurity firms and organizations such as ZeroShadow, SEAL Org, and Recoveris to investigate the breach and strengthen its defenses.
“Getting hit by a sophisticated attack sucks (a lot). We’ve been in business for over 10 years and it’s the first time we’ve been hit this hard. But we survived,” the company said, reflecting on the impact of the Bitrefill hack.
The firm added that it remains financially stable and will absorb the losses from its operational capital, signaling resilience despite the scale of the incident.
The Bitrefill hack is not an isolated event but part of a broader pattern of disruptions across the crypto industry in recent weeks. Notably, the collapse of BlockFills has drawn attention to systemic risks beyond direct exploits, after the firm filed for Chapter 11 bankruptcy with liabilities estimated between $100 million and $500 million following halted withdrawals and legal disputes.