Crypto commerce platform Bitrefill has confirmed it suffered a significant cybersecurity breach on March 1, 2026, with attack patterns closely resembling operations attributed to the Lazarus Group and its affiliate BlueNoroff.
The company detailed the incident in a March 17 statement on X, outlining how attackers infiltrated its systems, accessed internal data, and drained funds from hot wallets. The breach is the most serious security event in Bitrefill’s more than decade-long operating history.
March 1st incident report
On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation - including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) - we find many similarities…
— Bitrefill (@bitrefill) March 17, 2026
Compromised device opened path to infrastructure access
The intrusion began with a compromised employee laptop. According to Bitrefill, attackers extracted a legacy credential from that device. This credential granted access to a snapshot that contained production secrets. The attackers then escalated privileges and moved laterally across infrastructure systems.
From there, the attackers reached parts of Bitrefill's database and certain cryptocurrency wallets. The firm pointed to multiple indicators that matched known tactics, including malware signatures, reused IP and email infrastructure, and on-chain tracing patterns.
“We find many similarities between this attack and past cyberattacks by the DPRK Lazarus / Bluenoroff group against other companies in the crypto industries,” the company stated.
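The chain Bitrefill describes turns on one artifact: a snapshot that still carried live production secrets, reachable with a legacy credential lifted from a laptop. The check a practitioner would want here is a secret scan of backups and snapshots before they are stored anywhere a single endpoint credential can reach. The following is an added example, not Bitrefill's code; the snapshot is modelled as an in-memory mapping of paths to file contents, the regex set and entropy threshold are assumptions, and every path and value is constructed (the AWS key is Amazon's published example key).

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Credential-shaped patterns (assumed, illustrative set; not exhaustive).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # scheme://user:password@host  (connection strings with embedded passwords)
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@/]+@[^\s/]+", re.I),
    # KEY = value style assignments; the value is checked for entropy below
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
}
MIN_ENTROPY_BITS = 3.0  # assumed cut-off to drop placeholders like "changeme"


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    line_no: int


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex is ~4.0, English words are well below 3.0."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_snapshot(files: dict[str, str]) -> list[Finding]:
    """Walk every file in the snapshot and report credential-shaped lines."""
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), 1):
            for kind, pattern in PATTERNS.items():
                m = pattern.search(line)
                if not m:
                    continue
                # Low-entropy assigned values are almost always placeholders.
                if kind == "assigned_secret" and shannon_entropy(m.group(1)) < MIN_ENTROPY_BITS:
                    continue
                findings.append(Finding(path, kind, line_no))
    return findings


# Constructed snapshot contents (not real data).
SAMPLE_SNAPSHOT = {
    "etc/app/config.yml": "db_host: db.internal\npassword: changeme\n",
    "home/deploy/.env": (
        "DATABASE_URL=postgres://app:S3cr3t-Pa55w0rd!@db.internal:5432/app\n"
        'API_TOKEN="9f8e7d6c5b4a39281706f5e4d3c2b1a0"\n'
    ),
    "home/deploy/.ssh/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "var/lib/legacy/creds.txt": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "usr/share/doc/README": "No secrets here.\n",
}

if __name__ == "__main__":
    for f in scan_snapshot(SAMPLE_SNAPSHOT):
        print(f"{f.path}:{f.line_no}: {f.kind}")
```

A scan like this belongs in the backup pipeline itself, so a snapshot that trips it is rejected rather than written out; the placeholder in config.yml is skipped by the entropy filter, while the connection-string password, the API token, the private key and the AWS key ID are all reported.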
Suspicious supplier activity exposed the breach
Bitrefill first detected the incident through irregular purchasing behavior linked to suppliers. Internal monitoring revealed that gift card inventory and supply channels were being exploited.
At the same time, Bitrefill identified unauthorized transfers from its hot wallets to attacker-controlled addresses. Once the breach became clear, the firm initiated a full shutdown of its systems as part of its containment strategy.
Bitrefill operates across multiple countries with numerous suppliers and payment methods. The firm noted that shutting down and restoring such a distributed system required careful coordination.
Limited data access confirmed, no full database extraction
The attackers accessed approximately 18,500 purchase records. These records contained limited customer information, such as email addresses, crypto payment addresses, and metadata including IP addresses.
Bitrefill stated there is no evidence of full database extraction. Instead, logs show a limited number of queries that suggest probing activity.
“There is no evidence that they extracted our entire database, only that the attackers ran a limited number of queries consistent with probing to understand what there was to steal, including cryptocurrency and Bitrefill gift card inventory.”
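The detail worth keeping from the statement above is that the database access looked like reconnaissance: schema enumeration and sizing queries over a handful of tables, not a bulk dump. That pattern is detectable from query audit logs. The following is an added example, not Bitrefill's detection logic; the log format ("timestamp user source_ip SQL"), the thresholds, the window and every log line are constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit-log excerpt in an assumed one-query-per-line format.
SAMPLE_AUDIT_LOG = """\
2026-03-01T02:14:05Z app_svc 10.0.2.15 SELECT id, status FROM orders WHERE id = 918273
2026-03-01T02:14:06Z app_svc 10.0.2.15 UPDATE orders SET status = 'paid' WHERE id = 918273
2026-03-01T02:31:40Z legacy_ro 203.0.113.45 SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'
2026-03-01T02:31:52Z legacy_ro 203.0.113.45 SELECT COUNT(*) FROM wallets
2026-03-01T02:32:03Z legacy_ro 203.0.113.45 SELECT COUNT(*) FROM giftcard_inventory
2026-03-01T02:32:15Z legacy_ro 203.0.113.45 SELECT email, payment_address, ip FROM purchases LIMIT 100
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][\w.]*)", re.I)
SCHEMA_RE = re.compile(r"\b(?:information_schema|pg_catalog|sqlite_master)\b|\bSHOW\s+TABLES\b", re.I)
COUNT_RE = re.compile(r"\bCOUNT\s*\(\s*\*\s*\)", re.I)
SYSTEM_SCHEMAS = {"information_schema", "pg_catalog", "sqlite_master"}

WINDOW = timedelta(minutes=10)      # assumed look-back per session
DISTINCT_TABLE_THRESHOLD = 3        # assumed: app services rarely span this many tables
COUNT_TABLE_THRESHOLD = 2           # assumed: COUNT(*) over several tables = sizing the loot


@dataclass(frozen=True)
class Query:
    ts: datetime
    user: str
    source_ip: str
    sql: str


@dataclass(frozen=True)
class Alert:
    user: str
    source_ip: str
    reason: str
    detail: str


def parse_log(text: str) -> list[Query]:
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        queries.append(Query(ts, m.group(2), m.group(3), m.group(4)))
    return queries


def app_tables(sql: str) -> set[str]:
    """Application tables referenced by a statement, system catalogs excluded."""
    return {t.lower() for t in TABLE_RE.findall(sql)
            if t.split(".")[0].lower() not in SYSTEM_SCHEMAS}


def detect_probing(text: str) -> list[Alert]:
    sessions: dict[tuple[str, str], list[Query]] = defaultdict(list)
    for q in parse_log(text):
        sessions[(q.user, q.source_ip)].append(q)

    alerts = []
    for (user, ip), qs in sessions.items():
        qs.sort(key=lambda q: q.ts)
        fired = set()  # one alert per reason per session
        for i, q in enumerate(qs):
            # Catalog enumeration is almost never legitimate application traffic.
            if SCHEMA_RE.search(q.sql) and "schema_enumeration" not in fired:
                fired.add("schema_enumeration")
                alerts.append(Alert(user, ip, "schema_enumeration", q.sql))
            window = [w for w in qs[: i + 1] if q.ts - w.ts <= WINDOW]
            # Sizing queries across several tables: "what is there to steal?"
            counted = set().union(*(app_tables(w.sql) for w in window if COUNT_RE.search(w.sql)))
            if len(counted) >= COUNT_TABLE_THRESHOLD and "inventory_sizing" not in fired:
                fired.add("inventory_sizing")
                alerts.append(Alert(user, ip, "inventory_sizing", ", ".join(sorted(counted))))
            # A principal fanning out across many tables in a short window.
            touched = set().union(*(app_tables(w.sql) for w in window))
            if len(touched) >= DISTINCT_TABLE_THRESHOLD and "broad_table_access" not in fired:
                fired.add("broad_table_access")
                alerts.append(Alert(user, ip, "broad_table_access", ", ".join(sorted(touched))))
    return alerts


if __name__ == "__main__":
    for a in detect_probing(SAMPLE_AUDIT_LOG):
        print(f"{a.user}@{a.source_ip}: {a.reason} ({a.detail})")
```

On the constructed excerpt the application service, which only ever touches its own table, stays silent, while the legacy read-only principal fires all three rules inside a single minute. Keying sessions on user plus source address is what makes a reused credential from an unfamiliar network stand out, which is the situation the statement describes.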
For about 1,000 purchases, customer names were included. Bitrefill encrypts this data, but because the attackers had reached production secrets and may have obtained the encryption keys, the company treats this subset as potentially exposed. Affected users have already received direct notifications.
Bitrefill highlighted that it stores minimal personal data by design. The platform does not require mandatory KYC. Verified user data remains with external providers rather than internal systems.
Financial losses absorbed as operations stabilize
Bitrefill did not disclose the exact amount of stolen funds. It confirmed it will absorb all losses using operational capital.
“Almost everything is back to normal: payments, stock, accounts,” Bitrefill said. “Sales volumes are also back to normal, and we are eternally thankful to our customers for your continued confidence in us.”
The firm described the attack as financially motivated. It found no indication that customer data served as the primary target.
External experts and law enforcement join response
Following the incident, Bitrefill engaged multiple cybersecurity firms and organizations, including zeroShadow, SEAL, Recoveris, and FearsOff. The company also contacted law enforcement authorities.
These teams assisted in forensic analysis, incident response, and recovery efforts. Bitrefill credited their rapid involvement as critical to containment and system restoration.
Security measures tightened after incident
Bitrefill has implemented several security upgrades since the breach. These include expanded penetration testing, stricter internal access controls, and improved monitoring systems for faster detection.
Bitrefill also refined its incident response procedures and automated shutdown mechanisms. The company stated that it will continue to apply lessons from the attack to strengthen defenses.
“We have already significantly improved our cybersecurity practices, but vow to continue to draw learnings from this experience to make sure user and company balances and data remain maximally safe.”
Lazarus-linked tactics remain persistent threat
The attack adds to a series of high-profile incidents tied to Lazarus-linked operations in the crypto sector. The group has previously targeted exchanges and platforms with large-scale thefts, including a $1.5 billion breach at Bybit in 2025, as HodlFM reported.
Bitrefill’s case reflects continued pressure on crypto infrastructure despite stronger security standards across the industry. Attackers relied on credential compromise and internal access rather than direct external exploits.
Bitrefill described the event as a major operational challenge but confirmed business continuity.
“Getting hit by a sophisticated attack sucks (a lot). We’ve been in business for over 10 years and it’s the first time we’ve been hit this hard. But we survived.”
The platform remains operational, financially stable, and focused on rebuilding trust after the breach.