Bitrefill disclosed that it was hacked; the attack is suspected to be the work of a North Korean hacking group.


On March 18, the crypto e-commerce platform Bitrefill released an incident report stating that the company suffered a cyberattack on March 1, 2026. The investigation found that the attack methods, malware, and on-chain fund flows were highly similar to past attacks against the crypto industry by the North Korean hacker group Lazarus Group / Bluenoroff.


Bitrefill stated that the attack originated from a compromised employee laptop. The hackers stole old credentials to gain access to the system and obtained a snapshot containing the production key. They then escalated their privileges to access parts of the database and encrypted wallets, and transferred funds out of the hot wallet.


After discovering abnormal gift card purchases and inventory misuse, the company confirmed the intrusion and immediately shut down all systems for emergency response. Regarding the data, Bitrefill stated that the attackers accessed approximately 18,500 purchase records, involving information such as email addresses, encrypted payment addresses, and IP addresses; among these, approximately 1,000 orders contained encrypted name information, and the affected users have been notified.


The company stated that there is currently no evidence that the complete database has been stolen, and believes that customers do not need to take any additional action. However, it advises caution regarding any unusual communications impersonating Bitrefill or related to crypto assets. The platform stated that it will continue to strengthen its security auditing, access control, and monitoring systems to prevent similar incidents from recurring.
